Place for resources used during the Mordor Detection hackathon event featuring APT29 ATT&CK evals datasets
GNU General Public License v3.0
133
stars
41
forks
source link
14.B) Windows Management Instrumentation, Remote File Copy, Credential Dumping, Obfuscated Files or Information, Process Discovery, Deobfuscate/Decode Files or Information #35
The attacker then uses the new elevated access to create and execute code within a custom WMI class (T1047) that downloads (T1105) and executes Mimikatz to dump plain-text credentials (T1003), which are parsed, encoded, and stored in the WMI class (T1027). After tracking that the WMI execution has completed (T1057), the attacker reads the plaintext credentials stored within the WMI class (T1140)
Description
The attacker then uses the new elevated access to create and execute code within a custom WMI class (T1047) that downloads (T1105) and executes Mimikatz to dump plain-text credentials (T1003), which are parsed, encoded, and stored in the WMI class (T1027). After tracking that the WMI execution has completed (T1057), the attacker reads the plaintext credentials stored within the WMI class (T1140)