
New tool: Internal-Monologue #110

Open Patrick-DE opened 1 year ago

Patrick-DE commented 1 year ago
{
  "name": "Internal-Monologue",
  "phases": ["Credential Access"],
  "category": "Credential Dumping",
  "stealthy": false,
  "platforms": ["Windows"],
  "source": "https://github.com/eladshamir/Internal-Monologue",
  "description": "Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS",
  "undetected": [],
  "detected": ["Windows Defender (AV)", "MDE", "Symantec", "CrowdStrike"],
  "commands": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174001",
      "name": "Retrieve NTLM Hashes",
      "description": "Command to retrieve NTLM hashes without touching LSASS",
      "cmd": "InternalMonologue.exe",
      "tag": "Credential Dumping",
      "results": [
        {
          "tag": "DATA::NTLM_HASHES"
        }
      ],
      "requirements": {
        "and": [
          {
            "tag": "MACHINE::HOST"
          },
          {
            "tag": "PRIVS:ADMIN"
          }
        ]
      },
      "detected": ["Windows Defender (AV)", "MDE", "Symantec", "CrowdStrike"],
      "undetected": []
    },
    {
      "id": "123e4567-e89b-12d3-a456-426614174002",
      "name": "Downgrade NetNTLM Responses",
      "description": "Command to downgrade NetNTLM responses to NTLMv1",
      "cmd": "InternalMonologue.exe /downgrade",
      "tag": "Credential Dumping",
      "results": [
        {
          "tag": "DATA::DOWNGRADED_NETNTLM_RESPONSES"
        }
      ],
      "requirements": {
        "and": [
          {
            "tag": "MACHINE::HOST"
          },
          {
            "tag": "PRIVS:ADMIN"
          }
        ]
      },
      "detected": ["Windows Defender (AV)", "MDE", "Symantec", "CrowdStrike"],
      "undetected": []
    }
  ],
  "references": []
}