AlbertoPellitteri
5f5ed55d02
* Replacing wrong reference to input variable * Undoing the change on md file --------- Co-authored-by: Hare Sudhan <code@0x6c.dev>
100 lines
3.2 KiB
YAML
100 lines
3.2 KiB
YAML
attack_technique: T1003.008
|
|
display_name: 'OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow'
|
|
atomic_tests:
|
|
- name: Access /etc/shadow (Local)
|
|
auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235
|
|
description: |
|
|
/etc/shadow file is accessed in Linux environments
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
output_file:
|
|
description: Path where captured results will be placed
|
|
type: path
|
|
default: /tmp/T1003.008.txt
|
|
executor:
|
|
command: |
|
|
sudo cat /etc/shadow > #{output_file}
|
|
cat #{output_file}
|
|
cleanup_command: |
|
|
rm -f #{output_file}
|
|
name: bash
|
|
elevation_required: true
|
|
- name: Access /etc/master.passwd (Local)
|
|
auto_generated_guid: 5076874f-a8e6-4077-8ace-9e5ab54114a5
|
|
description: |
|
|
/etc/master.passwd file is accessed in FreeBSD environments
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
output_file:
|
|
description: Path where captured results will be placed
|
|
type: path
|
|
default: /tmp/T1003.008.txt
|
|
executor:
|
|
command: |
|
|
sudo cat /etc/master.passwd > #{output_file}
|
|
cat #{output_file}
|
|
cleanup_command: |
|
|
rm -f #{output_file}
|
|
name: sh
|
|
elevation_required: true
|
|
- name: Access /etc/passwd (Local)
|
|
auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
|
|
description: |
|
|
/etc/passwd file is accessed in FreeBSD and Linux environments
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
output_file:
|
|
description: Path where captured results will be placed
|
|
type: path
|
|
default: /tmp/T1003.008.txt
|
|
executor:
|
|
command: |
|
|
cat /etc/passwd > #{output_file}
|
|
cat #{output_file}
|
|
cleanup_command: |
|
|
rm -f #{output_file}
|
|
name: sh
|
|
- name: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat
|
|
auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a
|
|
description: |
|
|
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
output_file:
|
|
description: Path where captured results will be placed
|
|
type: path
|
|
default: /tmp/T1003.008.txt
|
|
executor:
|
|
command: |
|
|
unamestr=$(uname)
|
|
if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; fi
|
|
cleanup_command: |
|
|
rm -f #{output_file}
|
|
name: sh
|
|
elevation_required: true
|
|
- name: Access /etc/{shadow,passwd,master.passwd} with shell builtins
|
|
auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713
|
|
description: |
|
|
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
output_file:
|
|
description: Path where captured results will be placed
|
|
type: path
|
|
default: /tmp/T1003.008.txt
|
|
executor:
|
|
command: |
|
|
testcat(){ (while read line; do echo $line >> #{output_file}; done < $1) }
|
|
[ "$(uname)" = 'FreeBSD' ] && testcat /etc/master.passwd
|
|
testcat /etc/passwd
|
|
testcat /etc/shadow
|
|
cleanup_command: |
|
|
rm -f #{output_file}
|
|
name: sh
|
|
elevation_required: true
|