adding credman gump using keymgr.dll (#2242)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
tr4cefl0w
2022-11-28 16:09:04 -08:00
committed by GitHub
parent c65c1656a4
commit d4721d481c
@@ -142,3 +142,13 @@ atomic_tests:
C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
name: powershell
elevation_required: true
- name: Dump Credential Manager using keymgr.dll and rundll32.exe
description: |-
This test executes the exported function `KRShowKeyMgr` located in `keymgr.dll` using `rundll32.exe`. It opens a window that allows to export stored Windows credentials from the credential manager to a file (`.crd` by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials get the passwords. The only limitation is that it requires a CTRL+ALT+DELETE input from the attacker, which can be achieve multiple ways (e.g. a custom implant with remote control capabilities, enabling RDP, etc.).
Reference: https://twitter.com/0gtweet/status/1415671356239216653
supported_platforms:
- windows
executor:
command: rundll32.exe keymgr,KRShowKeyMgr
name: powershell
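Review bot: the `description` block has three grammar slips that should be fixed before merge: "allows to export" should read "allows the user to export", "to list the credentials get the passwords" is missing a conjunction ("to list the credentials and get the passwords"), and "can be achieve multiple ways" should be "can be achieved in multiple ways". Separately, the executor launches an interactive Key Manager window and the test defines no `cleanup_command`, so an unattended run leaves that dialog open on the host; either add a cleanup step that closes it or state in the description that the window must be dismissed manually. It would also help defenders using this test if the description named the observable it produces, namely a `rundll32.exe` process creation whose command line is `keymgr,KRShowKeyMgr`, since that is what a detection built against this atomic would key on.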