keyboardcrunch-sentinelone-…/Tactics/CredentialAccess.md
2020-10-23 14:15:32 -05:00

Credential Access

T1056.004 Credential API Hooking

Atomics: T1056.004

The weight of this test rests on injecting a DLL with mavinject that hooks into PowerShell to perform the TLS decryption; our existing detection for T1055 (Mavinject) would therefore cover these tests as well.

T1552.001 Credentials In Files

Atomics: T1552.001

Test #1 - LaZagne

LaZagne spawns three cmd shells to save the SECURITY, SYSTEM and SAM registry hives, and the standard compiled release from GitHub carries the original-name artifact lazagne.exe.manifest at %temp%\_MEI?????\lazagne.exe.manifest (the PyInstaller extraction directory). Either artifact is enough to alert on:

TgtProcCmdLine Contains "reg.exe save hklm\s" OR TgtFilePath Contains "lazagne.exe.manifest"

Test #3 - findstr password extraction

TgtProcCmdLine ContainsCIS "/si pass" OR TgtProcCmdLine ContainsCIS "-pattern password"

T1555.003 Credentials from Web Browsers

Atomics: T1555.003

T1552.002 Credentials in Registry

Atomics: T1552.002

T1056.002 GUI Input Capture

Atomics: T1056.002

T1552.006 Group Policy Preferences

Atomics: T1552.006

T1558.003 Kerberoasting

Atomics: T1558.003

T1056.001 Keylogging

Atomics: T1056.001

T1003.004 LSA Secrets

Atomics: T1003.004

T1003.001 LSASS Memory

Atomics: T1003.001

T1003.003 NTDS

Atomics: T1003.003

T1040 Network Sniffing

Atomics: T1040

T1003 OS Credential Dumping

Atomics: T1003

T1110.002 Password Cracking

Atomics: T1110.002

T1556.002 Password Filter DLL

Atomics: T1556.002

T1110.001 Password Guessing

Atomics: T1110.001

T1110.003 Password Spraying

Atomics: T1110.003

T1552.004 Private Keys

Atomics: T1552.004

T1003.002 Security Account Manager

Atomics: T1003.002