Commit
Summary: Converting atomics to ttps in Windows Atomic Red Team Tests. This ttp was 5/10 and it performs the following function: (Extracting passwords with findstr) Extracting Credentials from Files. Upon execution, the contents of files that contain the word "pass" will be displayed.

Reviewed By: godlovepenn

Differential Revision: D62378006
1 parent
d58fb90
commit 6d1f758
Showing 2 changed files with 79 additions and 0 deletions.
45 changes: 45 additions & 0 deletions
ttps/credential-access/windows/extracting-passwords/README.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
# Extracting Passwords with findstr | ||
|
||
![Meta TTP](https://img.shields.io/badge/Meta_TTP-blue) | ||
|
||
This TTP extracts credentials from files. Upon execution, the contents of files that contain the word "pass" will be displayed. | ||
|
||
Derived from [Atomic Red Team T1552.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md#atomic-test-4---extracting-passwords-with-findstr) | ||
|
||
## Arguments | ||
- **password**: a bool flag specifying the search be more granular and display files that contain the word 'password' | ||
|
||
## Pre-requisites | ||
- Windows operating system equipped with powershell | ||
|
||
## Examples | ||
You can run the TTP using the following example (after updating the arguments): | ||
```bash | ||
ttpforge run forgearmory//credential-access/windows/extracting-passwords/extracting-passwords.yaml | ||
``` | ||
```bash | ||
ttpforge run forgearmory//credential-access/windows/extracting-passwords/extracting-passwords.yaml --arg password=true | ||
``` | ||
|
||
## Steps | ||
1. **extract_cred_pass** : This step displays the contents of files that contain the word "pass" ("password" if argument is set to true) | ||
|
||
## Manual Reproduction | ||
```bash | ||
#Displays the contents of files that contain the word "pass" | ||
|
||
findstr /si pass *.xml *.doc *.txt *.xls | ||
|
||
#Displays the contents of files that contain the word "password" | ||
|
||
findstr /si password *.xml *.doc *.txt *.xls | ||
``` | ||
|
||
## MITRE ATT&CK Mapping | ||
|
||
- **Tactics**: | ||
- TA0006 Credential Access | ||
- **Techniques**: | ||
- T1552 Unsecured Credentials | ||
- **Subtechniques**: | ||
- T1552.001 Credentials In Files |
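Review bot: the fenced blocks under "Examples" and "Manual Reproduction" are tagged `bash`, but the commands run in a Windows shell (the YAML in this same commit uses the `powershell` executor and `findstr` is a Windows built-in), so tag them `powershell` or `cmd` so the README matches what actually executes. The "Arguments" entry should also state the default (`false` in the YAML), and "Pre-requisites" or the step text should mention that `findstr /s` searches the current directory and its subdirectories, so the output of the manual reproduction depends on where it is run; since the step only reads files and modifies nothing, noting that no cleanup step is required would help reviewers confirm the TTP is safe to run in a lab.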
34 changes: 34 additions & 0 deletions
ttps/credential-access/windows/extracting-passwords/extracting-passwords.yaml
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
--- | ||
api_version: 2.0 | ||
uuid: 6c0992c3-a7aa-41d6-a0db-6cb3e60ff55e | ||
name: Extracting passwords with findstr | ||
description: | | ||
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "pass" will be displayed. | ||
Derived from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md#atomic-test-4---extracting-passwords-with-findstr | ||
requirements: | ||
platforms: | ||
- os: windows | ||
mitre: | ||
tactics: | ||
- TA0006 Credential Access | ||
techniques: | ||
- T1552 Unsecured Credentials | ||
subtechniques: | ||
- T1552.001 Credentials In Files | ||
|
||
args: | ||
- name: password | ||
description: Searches more granularly the contents of the files that contain the word 'password' | ||
type: bool | ||
default: false | ||
|
||
steps: | ||
- name: extract_cred_pass | ||
executor: powershell | ||
{{if .Args.password}} | ||
description: Displaying the contents of files that contain the word "password". | ||
inline: findstr /si password *.xml *.doc *.txt *.xls | ||
{{else}} | ||
description: Displaying the contents of files that contain the word "pass". | ||
inline: findstr /si pass *.xml *.doc *.txt *.xls | ||
{{end}} |
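Review bot: the `{{if .Args.password}}` / `{{else}}` / `{{end}}` block is placed between `executor:` and the `description:` / `inline:` keys of the step, so the indentation of the keys inside each branch must match the surrounding list item exactly or the rendered YAML will not parse; it would be simpler and less fragile to template only the search term, keeping a single `description:` and a single `inline:` line (for example `inline: findstr /si {{if .Args.password}}password{{else}}pass{{end}} *.xml *.doc *.txt *.xls`). The arg description "Searches more granularly the contents of the files that contain the word 'password'" is hard to read; something like "When true, search for the word 'password' instead of 'pass'" states the behaviour directly. The step descriptions "Displaying the contents of files ..." would also read better in the same form as the README ("Display the contents of ..."), and the `description:` at the top could say that the step is read-only and needs no cleanup, which is what a reviewer checks first for a credential-access TTP.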