Status: Open. Opened by Patrick-DE 1 year ago.
{ "name": "Internal-Monologue", "phases": ["Credential Access"], "category": "Credential Dumping", "stealthy": false, "platforms": ["Windows"], "source": "https://github.com/eladshamir/Internal-Monologue", "description": "Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS", "undetected": [], "detected": ["Windows Defender (AV)", "MDE", "Symantec", "CrowdStrike"], "commands": [ { "id": "123e4567-e89b-12d3-a456-426614174001", "name": "Retrieve NTLM Hashes", "description": "Command to retrieve NTLM hashes without touching LSASS", "cmd": "InternalMonologue.exe", "tag": "Credential Dumping", "results": [ { "tag": "DATA::NTLM_HASHES" } ], "requirements": { "and": [ { "tag": "MACHINE::HOST" }, { "tag": "PRIVS:ADMIN" } ] }, "detected": ["Windows Defender (AV)", "MDE", "Symantec", "CrowdStrike"], "undetected": [] }, { "id": "123e4567-e89b-12d3-a456-426614174002", "name": "Downgrade NetNTLM Responses", "description": "Command to downgrade NetNTLM responses to NetNTLMv1", "cmd": "InternalMonologue.exe /downgrade", "tag": "Credential Dumping", "results": [ { "tag": "DATA::DOWNGRADED_NETNTLM_RESPONSES" } ], "requirements": { "and": [ { "tag": "MACHINE::HOST" }, { "tag": "PRIVS:ADMIN" } ] }, "detected": ["Windows Defender (AV)", "MDE", "Symantec", "CrowdStrike"], "undetected": [] } ], "references": [] }