diff --git a/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb b/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb
index 19f508430988b..f9ff4e0698ed3 100644
--- a/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb
+++ b/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb
@@ -34,7 +34,8 @@ def initialize(info = {})
 'License' => MSF_LICENSE,
 'References' => [
 [ 'URL', 'http://sourceforge.net/projects/smbexec' ],
-[ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ]
+[ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ],
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ]
 ],
 'Notes' => {
 'Stability' => [CRASH_SAFE],
diff --git a/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb b/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb
index b71ef4334db43..1167ef1538f39 100644
--- a/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb
+++ b/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb
@@ -34,7 +34,8 @@ def initialize(info = {})
 # Rapid7 ETR advisory for CVE-2024-24919
 [ 'URL', 'https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/' ],
 # Publication of first proof-of-concept exploit
-[ 'URL', 'https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/' ]
+[ 'URL', 'https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/' ],
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
 ]
 )
 )
diff --git a/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb b/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb
index 88d12e4bb6ce9..57ecf99741435 100644
--- a/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb
+++ b/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb
@@ -31,7 +31,8 @@ def initialize(info = {})
 %w[EDB 47288],
 ['URL', 'https://www.fortiguard.com/psirt/FG-IR-18-384'],
 ['URL', 'https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf'],
-['URL', 'https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/']
+['URL', 'https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/'],
+['ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW]
 ],
 'Author' => [
 'Meh Chang', # discovery and PoC
diff --git a/modules/auxiliary/gather/ldap_passwords.rb b/modules/auxiliary/gather/ldap_passwords.rb
index 7070605b9de15..918f85b15205a 100644
--- a/modules/auxiliary/gather/ldap_passwords.rb
+++ b/modules/auxiliary/gather/ldap_passwords.rb
@@ -40,7 +40,8 @@ def initialize(info = {})
 ],
 'References' => [
 ['URL', 'https://blog.xpnsec.com/lapsv2-internals/'],
-['URL', 'https://github.com/fortra/impacket/blob/master/examples/GetLAPSPassword.py']
+['URL', 'https://github.com/fortra/impacket/blob/master/examples/GetLAPSPassword.py'],
+['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
 ],
 'DisclosureDate' => '2020-07-23',
 'License' => MSF_LICENSE,
diff --git a/modules/auxiliary/gather/qnap_backtrace_admin_hash.rb b/modules/auxiliary/gather/qnap_backtrace_admin_hash.rb
index 7050a6c3a16cc..a655cefd29378 100644
--- a/modules/auxiliary/gather/qnap_backtrace_admin_hash.rb
+++ b/modules/auxiliary/gather/qnap_backtrace_admin_hash.rb
@@ -27,7 +27,8 @@ def initialize(info = {})
 ],
 'References' => [
 ['URL', 'https://seclists.org/fulldisclosure/2017/Feb/2'],
-['URL', 'https://en.wikipedia.org/wiki/Binary_search_algorithm']
+['URL', 'https://en.wikipedia.org/wiki/Binary_search_algorithm'],
+['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
 ],
 'DisclosureDate' => '2017-01-31',
 'License' => MSF_LICENSE,
diff --git a/modules/auxiliary/gather/qnap_lfi.rb b/modules/auxiliary/gather/qnap_lfi.rb
index 329d6d7bdf99f..f818bbbc25546 100644
--- a/modules/auxiliary/gather/qnap_lfi.rb
+++ b/modules/auxiliary/gather/qnap_lfi.rb
@@ -36,7 +36,8 @@ def initialize(info = {})
 ['EDB', '48531'],
 ['URL', 'https://infosecwriteups.com/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05'],
 ['URL', 'https://www.qnap.com/en-us/security-advisory/nas-201911-25'],
-['URL', 'https://github.com/Imanfeng/QNAP-NAS-RCE']
+['URL', 'https://github.com/Imanfeng/QNAP-NAS-RCE'],
+['ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW]
 ],
 'DisclosureDate' => '2019-11-25', # Vendor advisory
 'Actions' => [
diff --git a/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb b/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb
index 3fa1f789db164..da5073b809758 100644
--- a/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb
+++ b/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb
@@ -29,7 +29,8 @@ def initialize(info = {})
 ],
 'References' => [
 ['CVE', '2020-3952'],
-['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0006.html']
+['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0006.html'],
+['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
 ],
 'DisclosureDate' => '2020-04-09', # Vendor advisory
 'License' => MSF_LICENSE,
diff --git a/modules/auxiliary/gather/windows_secrets_dump.rb b/modules/auxiliary/gather/windows_secrets_dump.rb
index c6af474641d70..24b65817a0d62 100644
--- a/modules/auxiliary/gather/windows_secrets_dump.rb
+++ b/modules/auxiliary/gather/windows_secrets_dump.rb
@@ -68,6 +68,10 @@ module will fallback to the original implementation, which consists
 ],
 'References' => [
 ['URL', 'https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py'],
+['ATT&CK', Mitre::Attack::Technique::T1003_002_SECURITY_ACCOUNT_MANAGER],
+['ATT&CK', Mitre::Attack::Technique::T1003_004_LSA_SECRETS],
+['ATT&CK', Mitre::Attack::Technique::T1003_005_CACHED_DOMAIN_CREDENTIALS],
+['ATT&CK', Mitre::Attack::Technique::T1003_006_DCSYNC]
 ],
 'Notes' => {
 'Reliability' => [],
diff --git a/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb b/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb
index d260f7e0b27dd..f97d4764d651b 100644
--- a/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb
+++ b/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb
@@ -19,7 +19,8 @@ def initialize(info = {})
 },
 'References' => [
 ['URL', 'http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/'],
-['URL', 'https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83']
+['URL', 'https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83'],
+['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
 ],
 'Author' => [
 'Karn Ganeshen '
diff --git a/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb b/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb
index 0ee84061b7f90..b9c76e0aff5c1 100644
--- a/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb
+++ b/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb
@@ -32,7 +32,10 @@ def initialize(info = {})
 'Reliability' => UNKNOWN_RELIABILITY,
 'Stability' => UNKNOWN_STABILITY,
 'SideEffects' => UNKNOWN_SIDE_EFFECTS
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
+]
 )
 )
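Review bot: The T1003.008 (/etc/passwd and /etc/shadow) reference added to apache_karaf_command_execution is not supported by anything visible in the hunk, which only shows a command-execution scanner's Notes block gaining a References key; whether the module's default command reads those files cannot be told from here. The same question applies to terramaster_unauth_rce_cve_2022_24990, an exploit module given T1003_OS_CREDENTIAL_DUMPING, and to file_from_raw_ntfs, a raw-NTFS file reader given T1003_003_NTDS. Since ATT&CK references feed technique-coverage reporting, a mapping that is not obvious from the module name deserves a rationale comment in the same style the checkpoint hunk already uses for its URLs, e.g. `[ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ] # reason: <module behaviour that makes this technique apply>`. The enclosing initialize begins outside the hunk in each case.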
diff --git a/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb b/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb
index 3ed9a457222fc..09492e3787fea 100644
--- a/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb
+++ b/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb
@@ -39,7 +39,8 @@ def initialize(info = {})
 ['CVE', '2022-24989'],
 ['URL', 'https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/'],
 ['URL', 'https://github.com/0xf4n9x/CVE-2022-24990'],
-['URL', 'https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990']
+['URL', 'https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990'],
+['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
 ],
 'DisclosureDate' => '2022-03-07',
 'Platform' => ['unix', 'linux'],
diff --git a/modules/post/aix/hashdump.rb b/modules/post/aix/hashdump.rb
index 61333304034fc..dd2e0b7bccbf8 100644
--- a/modules/post/aix/hashdump.rb
+++ b/modules/post/aix/hashdump.rb
@@ -21,7 +21,10 @@ def initialize(info = {})
 'Stability' => [CRASH_SAFE],
 'SideEffects' => [],
 'Reliability' => []
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
+]
 )
 )
 end
diff --git a/modules/post/android/gather/hashdump.rb b/modules/post/android/gather/hashdump.rb
index a85e205a1de3d..701a0c36cfe7b 100644
--- a/modules/post/android/gather/hashdump.rb
+++ b/modules/post/android/gather/hashdump.rb
@@ -30,6 +30,7 @@ def initialize(info = {})
 'References' => [
 ['URL', 'https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/'],
 ['URL', 'https://hashcat.net/forum/thread-2202.html'],
+['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING],
 ],
 'Notes' => {
 'Stability' => [CRASH_SAFE],
diff --git a/modules/post/bsd/gather/hashdump.rb b/modules/post/bsd/gather/hashdump.rb
index 2fd14a17bffe7..c77be067949b6 100644
--- a/modules/post/bsd/gather/hashdump.rb
+++ b/modules/post/bsd/gather/hashdump.rb
@@ -22,7 +22,10 @@ def initialize(info = {})
 'Stability' => [CRASH_SAFE],
 'SideEffects' => [],
 'Reliability' => []
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
+]
 )
 )
 end
diff --git a/modules/post/linux/gather/f5_loot_mcp.rb b/modules/post/linux/gather/f5_loot_mcp.rb
index ecdfb929cc2e4..b8be0a19489dd 100644
--- a/modules/post/linux/gather/f5_loot_mcp.rb
+++ b/modules/post/linux/gather/f5_loot_mcp.rb
@@ -28,6 +28,7 @@ def initialize(info = {})
 ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC
 ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'],
 ['URL', 'https://support.f5.com/csp/article/K97843387'],
+['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING],
 ],
 'DisclosureDate' => '2022-11-16',
 'Notes' => {
diff --git a/modules/post/linux/gather/hashdump.rb b/modules/post/linux/gather/hashdump.rb
index 7e4fe1629fa9e..6184c3d8c1148 100644
--- a/modules/post/linux/gather/hashdump.rb
+++ b/modules/post/linux/gather/hashdump.rb
@@ -21,7 +21,10 @@ def initialize(info = {})
 'Stability' => [CRASH_SAFE],
 'SideEffects' => [],
 'Reliability' => []
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
+]
 )
 )
 end
diff --git a/modules/post/linux/gather/manageengine_password_manager_creds.rb b/modules/post/linux/gather/manageengine_password_manager_creds.rb
index 0e161be1d6bf5..53f8f93c74a16 100644
--- a/modules/post/linux/gather/manageengine_password_manager_creds.rb
+++ b/modules/post/linux/gather/manageengine_password_manager_creds.rb
@@ -39,7 +39,8 @@ def initialize(info = {})
 ],
 'References' => [
 [ 'URL', 'https://www.trustedsec.com/blog/the-curious-case-of-the-password-database/' ],
-[ 'URL', 'https://github.com/trustedsec/Zoinks/blob/main/zoinks.py' ]
+[ 'URL', 'https://github.com/trustedsec/Zoinks/blob/main/zoinks.py' ],
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
 ],
 'Notes' => {
 'Stability' => [ CRASH_SAFE ],
diff --git a/modules/post/linux/gather/mimipenguin.rb b/modules/post/linux/gather/mimipenguin.rb
index 800dddfc109cb..0f85040f74ce6 100644
--- a/modules/post/linux/gather/mimipenguin.rb
+++ b/modules/post/linux/gather/mimipenguin.rb
@@ -37,7 +37,9 @@ def initialize(info = {})
 [ 'URL', 'https://github.com/huntergregal/mimipenguin' ],
 [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919' ],
 [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490' ],
-[ 'CVE', '2018-20781' ]
+[ 'CVE', '2018-20781' ],
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_007_PROC_FILESYSTEM ],
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
 ],
 'DisclosureDate' => '2018-05-23',
 'DefaultTarget' => 0,
diff --git a/modules/post/linux/gather/openvpn_credentials.rb b/modules/post/linux/gather/openvpn_credentials.rb
index 633c8023fcaad..ab19dd4295837 100644
--- a/modules/post/linux/gather/openvpn_credentials.rb
+++ b/modules/post/linux/gather/openvpn_credentials.rb
@@ -27,7 +27,8 @@ def initialize(info = {})
 'Platform' => ['linux'],
 'SessionTypes' => ['shell', 'meterpreter'],
 'References' => [
-['URL', 'https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh']
+['URL', 'https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh'],
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_007_PROC_FILESYSTEM ]
 ],
 'Notes' => {
 'Stability' => [CRASH_SAFE],
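Review bot: In openvpn_credentials the added entry `[ 'ATT&CK', Mitre::Attack::Technique::T1003_007_PROC_FILESYSTEM ]` pads its brackets with spaces while the neighbouring `['URL', ...]` entry does not, so the References array now mixes two bracket styles; every other hunk in this change matches the new line's spacing to its neighbours (epmp1000_dump_hashes and cachedump use no padding, mimipenguin and manageengine_password_manager_creds use padding). Change it to `['ATT&CK', Mitre::Attack::Technique::T1003_007_PROC_FILESYSTEM]` so the array reads uniformly and a bracket-spacing RuboCop cop, if the project enables one, does not flag the file. The enclosing initialize begins outside the hunk.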
diff --git a/modules/post/linux/gather/vcenter_secrets_dump.rb b/modules/post/linux/gather/vcenter_secrets_dump.rb
index e377d40ff020e..d95d6228e99c3 100644
--- a/modules/post/linux/gather/vcenter_secrets_dump.rb
+++ b/modules/post/linux/gather/vcenter_secrets_dump.rb
@@ -57,7 +57,8 @@ def initialize(info = {})
 [ 'URL', 'https://github.com/shmilylty/vhost_password_decrypt' ],
 [ 'CVE', '2022-22948' ],
 [ 'URL', 'https://pentera.io/blog/information-disclosure-in-vmware-vcenter/' ],
-[ 'URL', 'https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb' ]
+[ 'URL', 'https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb' ],
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
 ],
 'Notes' => {
 'Stability' => [ CRASH_SAFE ],
diff --git a/modules/post/osx/gather/hashdump.rb b/modules/post/osx/gather/hashdump.rb
index 0958403063950..b53d9858bc4fb 100644
--- a/modules/post/osx/gather/hashdump.rb
+++ b/modules/post/osx/gather/hashdump.rb
@@ -35,7 +35,10 @@ def initialize(info = {})
 'Stability' => [CRASH_SAFE],
 'SideEffects' => [],
 'Reliability' => []
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+]
 )
 )
 register_options([
diff --git a/modules/post/solaris/gather/hashdump.rb b/modules/post/solaris/gather/hashdump.rb
index 67ec51d16b463..39db475e8dd95 100644
--- a/modules/post/solaris/gather/hashdump.rb
+++ b/modules/post/solaris/gather/hashdump.rb
@@ -23,7 +23,10 @@ def initialize(info = {})
 'Stability' => [CRASH_SAFE],
 'SideEffects' => [],
 'Reliability' => []
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
+]
 )
 )
 end
diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb
index d8eb9abd3b6d6..f9a1876564fab 100644
--- a/modules/post/windows/gather/cachedump.rb
+++ b/modules/post/windows/gather/cachedump.rb
@@ -26,7 +26,8 @@ def initialize(info = {})
 'Platform' => ['win'],
 'SessionTypes' => ['meterpreter'],
 'References' => [
-['URL', 'https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb']
+['URL', 'https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb'],
+['ATT&CK', Mitre::Attack::Technique::T1003_005_CACHED_DOMAIN_CREDENTIALS]
 ],
 'Notes' => {
 'Stability' => [CRASH_SAFE],
diff --git a/modules/post/windows/gather/credentials/credential_collector.rb b/modules/post/windows/gather/credentials/credential_collector.rb
index 46009540f0619..a610bf262d1e6 100644
--- a/modules/post/windows/gather/credentials/credential_collector.rb
+++ b/modules/post/windows/gather/credentials/credential_collector.rb
@@ -30,7 +30,10 @@ def initialize(info = {})
 priv_passwd_get_sam_hashes
 ]
 }
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+]
 )
 )
 end
diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
index eed06492c648e..0e792f2c060aa 100644
--- a/modules/post/windows/gather/credentials/domain_hashdump.rb
+++ b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -40,7 +40,10 @@ def initialize(info = {})
 stdapi_fs_stat
 ]
 }
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ]
+]
 )
 )
 deregister_options('SMBUser', 'SMBPass', 'SMBDomain')
diff --git a/modules/post/windows/gather/credentials/enum_cred_store.rb b/modules/post/windows/gather/credentials/enum_cred_store.rb
index 53b0eb84d6cbc..41207b5b39233 100644
--- a/modules/post/windows/gather/credentials/enum_cred_store.rb
+++ b/modules/post/windows/gather/credentials/enum_cred_store.rb
@@ -37,7 +37,10 @@ def initialize(info = {})
 stdapi_sys_process_memory_write
 ]
 }
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+]
 )
 )
 end
diff --git a/modules/post/windows/gather/credentials/enum_laps.rb b/modules/post/windows/gather/credentials/enum_laps.rb
index f15278f6715a1..4da11f55c18e9 100644
--- a/modules/post/windows/gather/credentials/enum_laps.rb
+++ b/modules/post/windows/gather/credentials/enum_laps.rb
@@ -42,7 +42,10 @@ def initialize(info = {})
 stdapi_net_resolve_hosts
 ]
 }
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+]
 )
 )
diff --git a/modules/post/windows/gather/credentials/sso.rb b/modules/post/windows/gather/credentials/sso.rb
index 05861cf316942..413c9b70af2c3 100644
--- a/modules/post/windows/gather/credentials/sso.rb
+++ b/modules/post/windows/gather/credentials/sso.rb
@@ -34,7 +34,10 @@ def initialize(info = {})
 kiwi_exec_cmd
 ]
 }
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_001_LSASS_MEMORY ]
+]
 )
 )
 end
diff --git a/modules/post/windows/gather/credentials/windows_autologin.rb b/modules/post/windows/gather/credentials/windows_autologin.rb
index 9b361f58ea2ef..fb9c7496b0159 100644
--- a/modules/post/windows/gather/credentials/windows_autologin.rb
+++ b/modules/post/windows/gather/credentials/windows_autologin.rb
@@ -28,7 +28,8 @@ def initialize(info = {})
 'SessionTypes' => [ 'meterpreter' ],
 'References' => [
 [ 'URL', 'http://support.microsoft.com/kb/315231' ],
-[ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ]
+[ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ],
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
 ],
 'Notes' => {
 'Stability' => [CRASH_SAFE],
diff --git a/modules/post/windows/gather/credentials/windows_sam_hivenightmare.rb b/modules/post/windows/gather/credentials/windows_sam_hivenightmare.rb
index 2233e4cea39a4..e81c9ae1fb162 100644
--- a/modules/post/windows/gather/credentials/windows_sam_hivenightmare.rb
+++ b/modules/post/windows/gather/credentials/windows_sam_hivenightmare.rb
@@ -27,7 +27,8 @@ def initialize(info = {})
 ['CVE', '2021-36934'],
 ['URL', 'https://github.com/GossiTheDog/HiveNightmare'],
 ['URL', 'https://isc.sans.edu/diary/Summer+of+SAM+-+incorrect+permissions+on+Windows+1011+hives/27652'],
-['URL', 'https://github.com/romarroca/SeriousSam']
+['URL', 'https://github.com/romarroca/SeriousSam'],
+['ATT&CK', Mitre::Attack::Technique::T1003_002_SECURITY_ACCOUNT_MANAGER]
 ],
 'DisclosureDate' => '2021-07-20',
 'Platform' => [ 'win' ],
diff --git a/modules/post/windows/gather/file_from_raw_ntfs.rb b/modules/post/windows/gather/file_from_raw_ntfs.rb
index 67914bda5e045..8c5e39f71552c 100644
--- a/modules/post/windows/gather/file_from_raw_ntfs.rb
+++ b/modules/post/windows/gather/file_from_raw_ntfs.rb
@@ -24,7 +24,8 @@ def initialize(info = {})
 'SessionTypes' => ['meterpreter'],
 'Author' => ['Danil Bazin '], # @danilbaz
 'References' => [
-[ 'URL', 'http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/' ]
+[ 'URL', 'http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/' ],
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ]
 ],
 'Notes' => {
 'Stability' => [CRASH_SAFE],
diff --git a/modules/post/windows/gather/hashdump.rb b/modules/post/windows/gather/hashdump.rb
index 60cb56daaf697..5baa57dfe670d 100644
--- a/modules/post/windows/gather/hashdump.rb
+++ b/modules/post/windows/gather/hashdump.rb
@@ -30,7 +30,10 @@ def initialize(info = {})
 'Stability' => [CRASH_SAFE],
 'SideEffects' => [],
 'Reliability' => []
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_002_SECURITY_ACCOUNT_MANAGER ]
+]
 )
 )
diff --git a/modules/post/windows/gather/lsa_secrets.rb b/modules/post/windows/gather/lsa_secrets.rb
index 322cb7b6ffec4..12f225a9487d7 100644
--- a/modules/post/windows/gather/lsa_secrets.rb
+++ b/modules/post/windows/gather/lsa_secrets.rb
@@ -26,7 +26,10 @@ def initialize(info = {})
 'Reliability' => [],
 'SideEffects' => []
 },
-'Author' => ['Rob Bathurst ']
+'Author' => ['Rob Bathurst '],
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_004_LSA_SECRETS ]
+]
 )
 )
 register_options([
diff --git a/modules/post/windows/gather/memory_dump.rb b/modules/post/windows/gather/memory_dump.rb
index e8d6dfab3cd97..153f03740352b 100644
--- a/modules/post/windows/gather/memory_dump.rb
+++ b/modules/post/windows/gather/memory_dump.rb
@@ -45,7 +45,10 @@ def initialize(info = {})
 stdapi_sys_process_getpid
 ]
 }
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_001_LSASS_MEMORY ]
+]
 )
 )
 register_options([
diff --git a/modules/post/windows/gather/ntds_grabber.rb b/modules/post/windows/gather/ntds_grabber.rb
index 42abcb7006474..e7ad609609f9a 100644
--- a/modules/post/windows/gather/ntds_grabber.rb
+++ b/modules/post/windows/gather/ntds_grabber.rb
@@ -21,7 +21,9 @@ def initialize(info = {})
 },
 'License' => MSF_LICENSE,
 'Author' => ['Koen Riepe (koen.riepe@fox-it.com)'],
-'References' => [''],
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ]
+],
 'Platform' => [ 'win' ],
 'Arch' => [ 'x86', 'x64' ],
 'SessionTypes' => [ 'meterpreter' ],
diff --git a/modules/post/windows/gather/smart_hashdump.rb b/modules/post/windows/gather/smart_hashdump.rb
index ca6a99a4a104b..447f13b359168 100644
--- a/modules/post/windows/gather/smart_hashdump.rb
+++ b/modules/post/windows/gather/smart_hashdump.rb
@@ -40,7 +40,10 @@ def initialize(info = {})
 stdapi_sys_process_getpid
 ]
 }
-}
+},
+'References' => [
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_002_SECURITY_ACCOUNT_MANAGER ]
+]
 )
 )
 register_options(
diff --git a/modules/post/windows/manage/kerberos_tickets.rb b/modules/post/windows/manage/kerberos_tickets.rb
index 075cbb1e1595c..feaf11c9e2e16 100644
--- a/modules/post/windows/manage/kerberos_tickets.rb
+++ b/modules/post/windows/manage/kerberos_tickets.rb
@@ -50,7 +50,8 @@ def initialize(info = {})
 ],
 'References' => [
 [ 'URL', 'https://github.com/GhostPack/Rubeus' ],
-[ 'URL', 'https://github.com/wavvs/nanorobeus' ]
+[ 'URL', 'https://github.com/wavvs/nanorobeus' ],
+[ 'ATT&CK', Mitre::Attack::Technique::T1003_004_LSA_SECRETS ]
 ],
 'Platform' => ['win'],
 'SessionTypes' => %w[meterpreter],
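Review bot: T1003.004 (LSA Secrets) looks like the wrong technique for kerberos_tickets: the module's visible references are Rubeus and nanorobeus, both Kerberos ticket tooling, and ATT&CK classifies ticket dumping and forging under T1558 (Steal or Forge Kerberos Tickets) rather than under OS Credential Dumping, so this tag would misreport what the module exercises in coverage reports. If the Mitre::Attack::Technique catalogue exposes a constant for T1558 or its sub-techniques, use that here; if it does not, a comment on the added line explaining why T1003.004 was chosen, e.g. `[ 'ATT&CK', Mitre::Attack::Technique::T1003_004_LSA_SECRETS ], # reason: <why LSA Secrets rather than T1558 applies>`, would stop the next reader from silently "correcting" it. The enclosing initialize begins outside the hunk.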