From 7ce2bdc97954ec071ef8e9034b0ad1642d340365 Mon Sep 17 00:00:00 2001 From: Christophe De La Fuente Date: Mon, 8 Sep 2025 17:30:59 +0200 Subject: [PATCH] Add T1003 "OS credential dumping" MITRE technique --- modules/auxiliary/admin/smb/psexec_ntdsgrab.rb | 3 ++- .../gather/checkpoint_gateway_fileread_cve_2024_24919.rb | 3 ++- .../auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb | 3 ++- modules/auxiliary/gather/ldap_passwords.rb | 3 ++- modules/auxiliary/gather/qnap_backtrace_admin_hash.rb | 3 ++- modules/auxiliary/gather/qnap_lfi.rb | 3 ++- modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb | 3 ++- modules/auxiliary/gather/windows_secrets_dump.rb | 1 + modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb | 3 ++- .../auxiliary/scanner/ssh/apache_karaf_command_execution.rb | 5 ++++- .../linux/http/terramaster_unauth_rce_cve_2022_24990.rb | 3 ++- modules/post/aix/hashdump.rb | 5 ++++- modules/post/android/gather/hashdump.rb | 1 + modules/post/bsd/gather/hashdump.rb | 5 ++++- modules/post/linux/gather/f5_loot_mcp.rb | 1 + modules/post/linux/gather/hashdump.rb | 5 ++++- .../post/linux/gather/manageengine_password_manager_creds.rb | 3 ++- modules/post/linux/gather/mimipenguin.rb | 3 ++- modules/post/linux/gather/openvpn_credentials.rb | 3 ++- modules/post/linux/gather/vcenter_secrets_dump.rb | 3 ++- modules/post/osx/gather/hashdump.rb | 5 ++++- modules/post/solaris/gather/hashdump.rb | 5 ++++- modules/post/windows/gather/cachedump.rb | 3 ++- .../post/windows/gather/credentials/credential_collector.rb | 5 ++++- modules/post/windows/gather/credentials/domain_hashdump.rb | 5 ++++- modules/post/windows/gather/credentials/enum_cred_store.rb | 5 ++++- modules/post/windows/gather/credentials/enum_laps.rb | 5 ++++- 27 files changed, 71 insertions(+), 24 deletions(-) diff --git a/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb b/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb index 19f508430988b..ae89489488e5b 100644 --- a/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb 
+++ b/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb @@ -34,7 +34,8 @@ def initialize(info = {}) 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'http://sourceforge.net/projects/smbexec' ], - [ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ] + [ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] ], 'Notes' => { 'Stability' => [CRASH_SAFE], diff --git a/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb b/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb index b71ef4334db43..0ad46809f8cec 100644 --- a/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb +++ b/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb @@ -34,7 +34,8 @@ def initialize(info = {}) # Rapid7 ETR advisory for CVE-2024-24919 [ 'URL', 'https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/' ], # Publication of first proof-of-concept exploit - [ 'URL', 'https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/' ] + [ 'URL', 'https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] ] ) ) diff --git a/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb b/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb index 88d12e4bb6ce9..fcf5ad12d7e8f 100644 --- a/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb +++ b/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb 
@@ -31,7 +31,8 @@ def initialize(info = {}) %w[EDB 47288], ['URL', 'https://www.fortiguard.com/psirt/FG-IR-18-384'], ['URL', 'https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf'], - ['URL', 'https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/'] + ['URL', 'https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/'], + ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING] ], 'Author' => [ 'Meh Chang', # discovery and PoC diff --git a/modules/auxiliary/gather/ldap_passwords.rb b/modules/auxiliary/gather/ldap_passwords.rb index 7070605b9de15..918f85b15205a 100644 --- a/modules/auxiliary/gather/ldap_passwords.rb +++ b/modules/auxiliary/gather/ldap_passwords.rb @@ -40,7 +40,8 @@ def initialize(info = {}) ], 'References' => [ ['URL', 'https://blog.xpnsec.com/lapsv2-internals/'], - ['URL', 'https://github.com/fortra/impacket/blob/master/examples/GetLAPSPassword.py'] + ['URL', 'https://github.com/fortra/impacket/blob/master/examples/GetLAPSPassword.py'], + ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING] ], 'DisclosureDate' => '2020-07-23', 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/gather/qnap_backtrace_admin_hash.rb b/modules/auxiliary/gather/qnap_backtrace_admin_hash.rb index 7050a6c3a16cc..a655cefd29378 100644 --- a/modules/auxiliary/gather/qnap_backtrace_admin_hash.rb +++ b/modules/auxiliary/gather/qnap_backtrace_admin_hash.rb @@ -27,7 +27,8 @@ def initialize(info = {}) ], 'References' => [ ['URL', 'https://seclists.org/fulldisclosure/2017/Feb/2'], - ['URL', 'https://en.wikipedia.org/wiki/Binary_search_algorithm'] + ['URL', 'https://en.wikipedia.org/wiki/Binary_search_algorithm'], + ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING] ], 'DisclosureDate' => '2017-01-31', 'License' => MSF_LICENSE, 
diff --git a/modules/auxiliary/gather/qnap_lfi.rb b/modules/auxiliary/gather/qnap_lfi.rb index 329d6d7bdf99f..e2c9cf3e940c1 100644 --- a/modules/auxiliary/gather/qnap_lfi.rb +++ b/modules/auxiliary/gather/qnap_lfi.rb @@ -36,7 +36,8 @@ def initialize(info = {}) ['EDB', '48531'], ['URL', 'https://infosecwriteups.com/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05'], ['URL', 'https://www.qnap.com/en-us/security-advisory/nas-201911-25'], - ['URL', 'https://github.com/Imanfeng/QNAP-NAS-RCE'] + ['URL', 'https://github.com/Imanfeng/QNAP-NAS-RCE'], + ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING] ], 'DisclosureDate' => '2019-11-25', # Vendor advisory 'Actions' => [ diff --git a/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb b/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb index 3fa1f789db164..da5073b809758 100644 --- a/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb +++ b/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb @@ -29,7 +29,8 @@ def initialize(info = {}) ], 'References' => [ ['CVE', '2020-3952'], - ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0006.html'] + ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0006.html'], + ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING] ], 'DisclosureDate' => '2020-04-09', # Vendor advisory 'License' => MSF_LICENSE, diff --git a/modules/auxiliary/gather/windows_secrets_dump.rb b/modules/auxiliary/gather/windows_secrets_dump.rb index c6af474641d70..f2c330df05567 100644 --- a/modules/auxiliary/gather/windows_secrets_dump.rb +++ b/modules/auxiliary/gather/windows_secrets_dump.rb @@ -68,6 +68,7 @@ module will fallback to the original implementation, which consists ], 'References' => [ ['URL', 'https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py'], + ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING], ], 'Notes' => { 'Reliability' => [], 
diff --git a/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb b/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb index d260f7e0b27dd..f97d4764d651b 100644 --- a/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb +++ b/modules/auxiliary/scanner/http/epmp1000_dump_hashes.rb @@ -19,7 +19,8 @@ def initialize(info = {}) }, 'References' => [ ['URL', 'http://ipositivesecurity.com/2015/11/28/cambium-epmp-1000-multiple-vulnerabilities/'], - ['URL', 'https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83'] + ['URL', 'https://support.cambiumnetworks.com/file/476262a0256fdd8be0e595e51f5112e0f9700f83'], + ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING] ], 'Author' => [ 'Karn Ganeshen ' diff --git a/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb b/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb index 0ee84061b7f90..ecfd5b1ef3e92 100644 --- a/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb +++ b/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb @@ -32,7 +32,10 @@ def initialize(info = {}) 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] + ] ) ) diff --git a/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb b/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb index 3ed9a457222fc..09492e3787fea 100644 --- a/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb +++ b/modules/exploits/linux/http/terramaster_unauth_rce_cve_2022_24990.rb 
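Review bot: The new `'References' => [...]` entry is appended after `'Notes'` at the tail of the info hash, and the hunk does not show whether this hash already carries a `'References'` key higher up; a duplicate key in a Ruby hash literal only produces a warning and the later value silently replaces the earlier one, so any existing references would be dropped. Please confirm none of the files that gain a fresh `'References'` array in this patch (also the aix, bsd, linux, osx and solaris hashdump modules, credential_collector, domain_hashdump, enum_cred_store and enum_laps) already define one. Since this module's name suggests command execution over SSH rather than reading a credential store, a one-line comment above the entry stating why T1003 applies would help future maintainers, e.g. `# T1003: <what this module retrieves that constitutes credential dumping>`; the same question applies to the terramaster_unauth_rce exploit in the next hunk. `initialize` begins before the hunk.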
@@ -39,7 +39,8 @@ def initialize(info = {}) ['CVE', '2022-24989'], ['URL', 'https://octagon.net/blog/2022/03/07/cve-2022-24990-terrmaster-tos-unauthenticated-remote-command-execution-via-php-object-instantiation/'], ['URL', 'https://github.com/0xf4n9x/CVE-2022-24990'], - ['URL', 'https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990'] + ['URL', 'https://attackerkb.com/topics/h8YKVKx21t/cve-2022-24990'], + ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING] ], 'DisclosureDate' => '2022-03-07', 'Platform' => ['unix', 'linux'], diff --git a/modules/post/aix/hashdump.rb b/modules/post/aix/hashdump.rb index 61333304034fc..cce164039dcbf 100644 --- a/modules/post/aix/hashdump.rb +++ b/modules/post/aix/hashdump.rb @@ -21,7 +21,10 @@ def initialize(info = {}) 'Stability' => [CRASH_SAFE], 'SideEffects' => [], 'Reliability' => [] - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] + ] ) ) end diff --git a/modules/post/android/gather/hashdump.rb b/modules/post/android/gather/hashdump.rb index a85e205a1de3d..701a0c36cfe7b 100644 --- a/modules/post/android/gather/hashdump.rb +++ b/modules/post/android/gather/hashdump.rb @@ -30,6 +30,7 @@ def initialize(info = {}) 'References' => [ ['URL', 'https://www.pentestpartners.com/security-blog/cracking-android-passwords-a-how-to/'], ['URL', 'https://hashcat.net/forum/thread-2202.html'], + ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING], ], 'Notes' => { 'Stability' => [CRASH_SAFE], diff --git a/modules/post/bsd/gather/hashdump.rb b/modules/post/bsd/gather/hashdump.rb index 2fd14a17bffe7..fa7186a6f5a2d 100644 --- a/modules/post/bsd/gather/hashdump.rb +++ b/modules/post/bsd/gather/hashdump.rb @@ -22,7 +22,10 @@ def initialize(info = {}) 'Stability' => [CRASH_SAFE], 'SideEffects' => [], 'Reliability' => [] - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] + ] ) ) end 
diff --git a/modules/post/linux/gather/f5_loot_mcp.rb b/modules/post/linux/gather/f5_loot_mcp.rb index ecdfb929cc2e4..b8be0a19489dd 100644 --- a/modules/post/linux/gather/f5_loot_mcp.rb +++ b/modules/post/linux/gather/f5_loot_mcp.rb @@ -28,6 +28,7 @@ def initialize(info = {}) ['URL', 'https://github.com/rbowes-r7/refreshing-mcp-tool'], # Original PoC ['URL', 'https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-41800-fixed-f5-big-ip-and-icontrol-rest-vulnerabilities-and-exposures/'], ['URL', 'https://support.f5.com/csp/article/K97843387'], + ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING], ], 'DisclosureDate' => '2022-11-16', 'Notes' => { diff --git a/modules/post/linux/gather/hashdump.rb b/modules/post/linux/gather/hashdump.rb index 7e4fe1629fa9e..b86c01c8b5d85 100644 --- a/modules/post/linux/gather/hashdump.rb +++ b/modules/post/linux/gather/hashdump.rb @@ -21,7 +21,10 @@ def initialize(info = {}) 'Stability' => [CRASH_SAFE], 'SideEffects' => [], 'Reliability' => [] - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] + ] ) ) end diff --git a/modules/post/linux/gather/manageengine_password_manager_creds.rb b/modules/post/linux/gather/manageengine_password_manager_creds.rb index 0e161be1d6bf5..53f8f93c74a16 100644 --- a/modules/post/linux/gather/manageengine_password_manager_creds.rb +++ b/modules/post/linux/gather/manageengine_password_manager_creds.rb @@ -39,7 +39,8 @@ def initialize(info = {}) ], 'References' => [ [ 'URL', 'https://www.trustedsec.com/blog/the-curious-case-of-the-password-database/' ], - [ 'URL', 'https://github.com/trustedsec/Zoinks/blob/main/zoinks.py' ] + [ 'URL', 'https://github.com/trustedsec/Zoinks/blob/main/zoinks.py' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] ], 'Notes' => { 'Stability' => [ CRASH_SAFE ], 
diff --git a/modules/post/linux/gather/mimipenguin.rb b/modules/post/linux/gather/mimipenguin.rb index 800dddfc109cb..8073cf5bdf895 100644 --- a/modules/post/linux/gather/mimipenguin.rb +++ b/modules/post/linux/gather/mimipenguin.rb @@ -37,7 +37,8 @@ def initialize(info = {}) [ 'URL', 'https://github.com/huntergregal/mimipenguin' ], [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919' ], [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490' ], - [ 'CVE', '2018-20781' ] + [ 'CVE', '2018-20781' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] ], 'DisclosureDate' => '2018-05-23', 'DefaultTarget' => 0, diff --git a/modules/post/linux/gather/openvpn_credentials.rb b/modules/post/linux/gather/openvpn_credentials.rb index 633c8023fcaad..9c83cc2e9dab0 100644 --- a/modules/post/linux/gather/openvpn_credentials.rb +++ b/modules/post/linux/gather/openvpn_credentials.rb @@ -27,7 +27,8 @@ def initialize(info = {}) 'Platform' => ['linux'], 'SessionTypes' => ['shell', 'meterpreter'], 'References' => [ - ['URL', 'https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh'] + ['URL', 'https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh'], + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] ], 'Notes' => { 'Stability' => [CRASH_SAFE], diff --git a/modules/post/linux/gather/vcenter_secrets_dump.rb b/modules/post/linux/gather/vcenter_secrets_dump.rb index e377d40ff020e..d95d6228e99c3 100644 --- a/modules/post/linux/gather/vcenter_secrets_dump.rb +++ b/modules/post/linux/gather/vcenter_secrets_dump.rb 
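Review bot: In openvpn_credentials.rb the added reference uses padded brackets, `[ 'ATT&CK', ... ]`, while the `['URL', ...]` line directly above it in the same array does not; elsewhere in the patch each file's existing bracket style is followed, so this line should read `['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]`. Mixed styles within one array are likely to be flagged by RuboCop's Layout/SpaceInsideArrayLiteralBrackets if that cop is enabled for modules. `initialize` begins before the hunk.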
@@ -57,7 +57,8 @@ def initialize(info = {}) [ 'URL', 'https://github.com/shmilylty/vhost_password_decrypt' ], [ 'CVE', '2022-22948' ], [ 'URL', 'https://pentera.io/blog/information-disclosure-in-vmware-vcenter/' ], - [ 'URL', 'https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb' ] + [ 'URL', 'https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb' ], + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] ], 'Notes' => { 'Stability' => [ CRASH_SAFE ], diff --git a/modules/post/osx/gather/hashdump.rb b/modules/post/osx/gather/hashdump.rb index 0958403063950..b53d9858bc4fb 100644 --- a/modules/post/osx/gather/hashdump.rb +++ b/modules/post/osx/gather/hashdump.rb @@ -35,7 +35,10 @@ def initialize(info = {}) 'Stability' => [CRASH_SAFE], 'SideEffects' => [], 'Reliability' => [] - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] + ] ) ) register_options([ diff --git a/modules/post/solaris/gather/hashdump.rb b/modules/post/solaris/gather/hashdump.rb index 67ec51d16b463..c046703e33f25 100644 --- a/modules/post/solaris/gather/hashdump.rb +++ b/modules/post/solaris/gather/hashdump.rb @@ -23,7 +23,10 @@ def initialize(info = {}) 'Stability' => [CRASH_SAFE], 'SideEffects' => [], 'Reliability' => [] - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] + ] ) ) end diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb index d8eb9abd3b6d6..05b6d83191b37 100644 --- a/modules/post/windows/gather/cachedump.rb +++ b/modules/post/windows/gather/cachedump.rb 
@@ -26,7 +26,8 @@ def initialize(info = {}) 'Platform' => ['win'], 'SessionTypes' => ['meterpreter'], 'References' => [ - ['URL', 'https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb'] + ['URL', 'https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb'], + ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING] ], 'Notes' => { 'Stability' => [CRASH_SAFE], diff --git a/modules/post/windows/gather/credentials/credential_collector.rb b/modules/post/windows/gather/credentials/credential_collector.rb index 46009540f0619..a610bf262d1e6 100644 --- a/modules/post/windows/gather/credentials/credential_collector.rb +++ b/modules/post/windows/gather/credentials/credential_collector.rb @@ -30,7 +30,10 @@ def initialize(info = {}) priv_passwd_get_sam_hashes ] } - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] + ] ) ) end diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb index eed06492c648e..60ce6f4e87905 100644 --- a/modules/post/windows/gather/credentials/domain_hashdump.rb +++ b/modules/post/windows/gather/credentials/domain_hashdump.rb @@ -40,7 +40,10 @@ def initialize(info = {}) stdapi_fs_stat ] } - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] + ] ) ) deregister_options('SMBUser', 'SMBPass', 'SMBDomain') diff --git a/modules/post/windows/gather/credentials/enum_cred_store.rb b/modules/post/windows/gather/credentials/enum_cred_store.rb index 53b0eb84d6cbc..41207b5b39233 100644 --- a/modules/post/windows/gather/credentials/enum_cred_store.rb +++ b/modules/post/windows/gather/credentials/enum_cred_store.rb @@ -37,7 +37,10 @@ def initialize(info = {}) stdapi_sys_process_memory_write ] } - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] + ] ) ) end 
diff --git a/modules/post/windows/gather/credentials/enum_laps.rb b/modules/post/windows/gather/credentials/enum_laps.rb index f15278f6715a1..4da11f55c18e9 100644 --- a/modules/post/windows/gather/credentials/enum_laps.rb +++ b/modules/post/windows/gather/credentials/enum_laps.rb @@ -42,7 +42,10 @@ def initialize(info = {}) stdapi_net_resolve_hosts ] } - } + }, + 'References' => [ + [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ] + ] ) )