Windows Atomic Tests to TTP #5

Summary: Converting atomics to ttps in Windows Atomic Red Team Tests This ttp was 5/10 and it performs the follow function: (Extracting passwords with findstr) Extracting Credentials from Files. Upon execution, the contents of files that contain the word "pass" will be displayed. Reviewed By: godlovepenn Differential Revision: D62378006
facebookincubator · Sep 12, 2024 · 6d1f758 · 6d1f758
1 parent d58fb90
commit 6d1f758
Show file tree

Hide file tree

Showing 2 changed files with 79 additions and 0 deletions.
diff --git a/ttps/credential-access/windows/extracting-passwords/README.md b/ttps/credential-access/windows/extracting-passwords/README.md
@@ -0,0 +1,45 @@
+# Extracting Passwords with findstr
+
+![Meta TTP](https://img.shields.io/badge/Meta_TTP-blue)
+
+This TTP extracts credentials from files. Upon execution, the contents of files that contain the word "pass" will be displayed.
+
+Derived from [Atomic Red Team T1552.001](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md#atomic-test-4---extracting-passwords-with-findstr)
+
+## Arguments
+- **password**: a bool flag specifying the search be more granular and display files that contain the word 'password'
+
+## Pre-requisites
+- Windows operating system equipped with powershell
+
+## Examples
+You can run the TTP using the following example (after updating the arguments):
+```bash
+ttpforge run forgearmory//credential-access/windows/extracting-passwords/extracting-passwords.yaml
+```
+```bash
+ttpforge run forgearmory//credential-access/windows/extracting-passwords/extracting-passwords.yaml --arg password=true
+```
+
+## Steps
+1. **extract_cred_pass** : This step displays the contents of files that contain the word "pass" ("password" if argument is set to true)
+
+## Manual Reproduction
+```bash
+#Displays the contents of files that contain the word "pass"
+
+findstr /si pass *.xml *.doc *.txt *.xls
+
+#Displays the contents of files that contain the word "password"
+
+findstr /si password *.xml *.doc *.txt *.xls
+```
+
+## MITRE ATT&CK Mapping
+
+- **Tactics**:
+    - TA0006 Credential Access
+- **Techniques**:
+    - T1552 Unsecured Credentials
+- **Subtechniques**:
+    - T1552.001 Credentials In Files
diff --git a/ttps/credential-access/windows/extracting-passwords/extracting-passwords.yaml b/ttps/credential-access/windows/extracting-passwords/extracting-passwords.yaml
@@ -0,0 +1,34 @@
+---
+api_version: 2.0
+uuid: 6c0992c3-a7aa-41d6-a0db-6cb3e60ff55e
+name: Extracting passwords with findstr
+description: |
+  Extracting Credentials from Files. Upon execution, the contents of files that contain the word "pass" will be displayed.
+  Derived from https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md#atomic-test-4---extracting-passwords-with-findstr
+requirements:
+  platforms:
+    - os: windows
+mitre:
+  tactics:
+    - TA0006 Credential Access
+  techniques:
+    - T1552 Unsecured Credentials
+  subtechniques:
+    - T1552.001 Credentials In Files
+
+args:
+  - name: password
+    description: Searches more granularly the contents of the files that contain the word 'password'
+    type: bool
+    default: false
+
+steps:
+  - name: extract_cred_pass
+    executor: powershell
+      {{if .Args.password}}
+    description: Displaying the contents of files that contain the word "password".
+    inline: findstr /si password *.xml *.doc *.txt *.xls
+      {{else}}
+    description: Displaying the contents of files that contain the word "pass".
+    inline: findstr /si pass *.xml *.doc *.txt *.xls
+      {{end}}