CircleCI Atomic Red Team doc generator Generate docs from job=validate_atomics_generate_docs branch=master 6965fc1 Nov 14, 2018
T1081 - Credentials in Files

Description from ATT&CK

Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through Credential Dumping. (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)

Atomic Tests


Atomic Test #1 - Browser and System credentials

LaZagne (source: https://github.com/AlessandroZ/LaZagne). The command below assumes a Python 2 interpreter is available and that laZagne.py is in the current working directory; the `all` module runs every LaZagne credential collector (browsers, system keychains, and so on).

Supported Platforms: macOS

Run it with sh!

python2 laZagne.py all


Atomic Test #2 - Extract credentials from files

Extracting credentials from files by recursively grepping for the string "password". With the default file_path of /, this walks the entire filesystem, including /proc and /sys, and prints every matching line (and therefore the credentials themselves) to the terminal. The -P flag (Perl regex) requires a grep built with PCRE support; GNU grep has it, but the BSD grep shipped with macOS does not, so on macOS drop -P or install GNU grep.

Supported Platforms: macOS, Linux

Inputs

Name       Description     Type     Default Value
file_path  Path to search  String   /

Run it with sh!

grep -riP password #{file_path}
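Added example, not part of the Atomic Red Team test above: a more careful POSIX sh version of the same file-content search, run against a constructed sample tree so it can be executed offline. It assumes a grep that supports -r, -I, -l, -E and --exclude-dir (GNU grep and the BSD grep on macOS both do); the directory layout, file names and secrets in the fixture are made up for the demonstration. Compared with the one-liner it skips binary files, excludes pseudo-filesystems, looks for several credential shapes, and prints file names rather than the secrets themselves.

```shell
#!/bin/sh
# Added example: hardened variant of "grep -riP password <dir>" (Atomic Test #2).
# Not code from the Atomic Red Team project. Requires grep with -r -I -l -E and
# --exclude-dir (GNU grep, or the BSD grep shipped with macOS).
set -eu

# find_credential_files DIR
# Prints, one per line, the paths under DIR whose *text* content contains a
# credential-looking line. Design choices versus the one-liner:
#   -I            skip binary files (GNU/BSD grep: files containing NUL bytes)
#   -l            print each file once; do not echo the secret into the
#                 terminal or shell history
#   --exclude-dir skip proc/sys/dev so a search rooted at / does not spend
#                 its time reading kernel pseudo-files (matched by basename,
#                 so a user directory literally named "proc" is skipped too)
#   -E patterns   "password=" / "password:" (either case), PEM private key
#                 headers, and AWS access key IDs (AKIA + 16 uppercase/digits)
# Permission errors are silenced; grep exit 1 (no match) is not an error here.
find_credential_files() {
    dir="$1"
    grep -rIlE \
        --exclude-dir=proc --exclude-dir=sys --exclude-dir=dev \
        -e '[Pp]assw(or)?d[[:space:]]*[=:]' \
        -e 'BEGIN (RSA |OPENSSH |EC )?PRIVATE KEY' \
        -e 'AKIA[0-9A-Z]{16}' \
        "$dir" 2>/dev/null || true
}

# make_fixture
# Constructs a small sample tree (all contents invented) and prints its root:
#   app/config/settings.ini   plaintext "db_password=..."      -> should match
#   home/alice/.ssh/id_ed25519  PEM private key header         -> should match
#   home/alice/notes.txt      harmless text                    -> no match
#   proc/cmdline              "password=" inside excluded dir  -> skipped
#   app/blob.bin              "password=" followed by NUL bytes -> binary, skipped
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/app/config" "$root/home/alice/.ssh" "$root/proc"
    printf 'db_host=localhost\ndb_password=hunter2\n' > "$root/app/config/settings.ini"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nAAAA\n-----END OPENSSH PRIVATE KEY-----\n' \
        > "$root/home/alice/.ssh/id_ed25519"
    printf 'no secrets here, just notes\n' > "$root/home/alice/notes.txt"
    printf 'password=should_not_be_read\n' > "$root/proc/cmdline"
    printf 'password=x\000\001\002' > "$root/app/blob.bin"
    echo "$root"
}

# Stand-alone demonstration: build the fixture, list the hits, clean up.
demo_root=$(make_fixture)
echo "Files with credential-looking content under $demo_root:"
find_credential_files "$demo_root"
rm -rf "$demo_root"
```

The two real files are reported by path only; the next step for a pentester is to open each one deliberately rather than letting grep dump every matching line. For a wider search, replace the hard-coded patterns with a pattern file (`grep -f patterns.txt`) so the same list can be reused across hosts.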


Atomic Test #3 - Mimikatz & Kittenz

Mimikatz/kittenz: this test requires a Mimikatz executable on the host or the Invoke-mimikittenz PowerShell module already loaded in the session. Running mimikatz.exe with no arguments opens its interactive console; the modules to run are typed there.

Supported Platforms: Windows

Run it with powershell!

invoke-mimikittenz
mimikatz.exe


Atomic Test #4 - Extracting credentials from files

Extracting Credentials from Files

Supported Platforms: Windows

Run it with powershell!

findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -Pattern password
