From e0449bc608ce74c44a103578e45d2c7b7651de2f Mon Sep 17 00:00:00 2001
From: harml3ss <64158764+harml3ss@users.noreply.github.com>
Date: Tue, 4 Aug 2020 19:46:28 -0500
Subject: [PATCH] Update T1003.004.yaml (#1170)

Co-authored-by: Carrie Roberts
---
 atomics/T1003.004/T1003.004.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/atomics/T1003.004/T1003.004.yaml b/atomics/T1003.004/T1003.004.yaml
index fd44619e..e29079fc 100644
--- a/atomics/T1003.004/T1003.004.yaml
+++ b/atomics/T1003.004/T1003.004.yaml
@@ -3,7 +3,11 @@ display_name: "OS Credential Dumping: LSA Secrets"
 atomic_tests:
 - name: Dumping LSA Secrets
 auto_generated_guid: 55295ab0-a703-433b-9ca4-ae13807de12f
- description: Dump secrets key from Windows registry
+ description: |
+ Dump secrets key from Windows registry
+ When successful, the dumped file will be written to $env:Temp\secrets.
+ Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.
+ https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.
 supported_platforms:
 - windows
 input_arguments:
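Review bot: The reference URL on the last added description line carries a browser text-fragment suffix (`#:~:text=LSA%20Secrets...`), which is brittle and not honoured by every client; I would trim it to `https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/`. The first description line has no closing period, so if the generated docs fold the literal block into one paragraph it runs straight into "When successful"; `Dump secrets key from Windows registry.` avoids that. The output path is written in PowerShell form (`$env:Temp\secrets`), while the executor and command sit outside this hunk, so please confirm the variable form and file name match what the command actually writes. Since that file holds credential material, the description should also say whether the test's cleanup step removes it.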