Use sub-technique and add missing modules

cdelafuente-r7 · cdelafuente-r7 · commit 788b9c27b49f · 2025-09-16T18:39:23.000+02:00
diff --git a/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb b/modules/auxiliary/admin/smb/psexec_ntdsgrab.rb
@@ -35,7 +35,7 @@ def initialize(info = {})
         'References' => [
           [ 'URL', 'http://sourceforge.net/projects/smbexec' ],
           [ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ],
-          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ]
         ],
         'Notes' => {
           'Stability' => [CRASH_SAFE],
diff --git a/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb b/modules/auxiliary/gather/checkpoint_gateway_fileread_cve_2024_24919.rb
@@ -35,7 +35,7 @@ def initialize(info = {})
           [ 'URL', 'https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/' ],
           # Publication of first proof-of-concept exploit
           [ 'URL', 'https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/' ],
-          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
         ]
       )
     )
diff --git a/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb b/modules/auxiliary/gather/fortios_vpnssl_traversal_creds_leak.rb
@@ -32,7 +32,7 @@ def initialize(info = {})
           ['URL', 'https://www.fortiguard.com/psirt/FG-IR-18-384'],
           ['URL', 'https://i.blackhat.com/USA-19/Wednesday/us-19-Tsai-Infiltrating-Corporate-Intranet-Like-NSA.pdf'],
           ['URL', 'https://devco.re/blog/2019/08/09/attacking-ssl-vpn-part-2-breaking-the-Fortigate-ssl-vpn/'],
-          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
+          ['ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW]
         ],
         'Author' => [
           'Meh Chang', # discovery and PoC
diff --git a/modules/auxiliary/gather/qnap_lfi.rb b/modules/auxiliary/gather/qnap_lfi.rb
@@ -37,7 +37,7 @@ def initialize(info = {})
           ['URL', 'https://infosecwriteups.com/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05'],
           ['URL', 'https://www.qnap.com/en-us/security-advisory/nas-201911-25'],
           ['URL', 'https://github.com/Imanfeng/QNAP-NAS-RCE'],
-          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
+          ['ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW]
         ],
         'DisclosureDate' => '2019-11-25', # Vendor advisory
         'Actions' => [
diff --git a/modules/auxiliary/gather/windows_secrets_dump.rb b/modules/auxiliary/gather/windows_secrets_dump.rb
@@ -68,7 +68,10 @@ module will fallback to the original implementation, which consists
         ],
         'References' => [
           ['URL', 'https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py'],
-          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_002_SECURITY_ACCOUNT_MANAGER],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_004_LSA_SECRETS],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_005_CACHED_DOMAIN_CREDENTIALS],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_006_DCSYNC]
         ],
         'Notes' => {
           'Reliability' => [],
diff --git a/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb b/modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb
@@ -34,7 +34,7 @@ def initialize(info = {})
           'SideEffects' => UNKNOWN_SIDE_EFFECTS
         },
         'References' => [
-          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
         ]
       )
     )
diff --git a/modules/post/aix/hashdump.rb b/modules/post/aix/hashdump.rb
@@ -23,7 +23,7 @@ def initialize(info = {})
           'Reliability' => []
         },
         'References' => [
-          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
         ]
       )
     )
diff --git a/modules/post/bsd/gather/hashdump.rb b/modules/post/bsd/gather/hashdump.rb
@@ -24,7 +24,7 @@ def initialize(info = {})
           'Reliability' => []
         },
         'References' => [
-          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
         ]
       )
     )
diff --git a/modules/post/linux/gather/hashdump.rb b/modules/post/linux/gather/hashdump.rb
@@ -23,7 +23,7 @@ def initialize(info = {})
           'Reliability' => []
         },
         'References' => [
-          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
         ]
       )
     )
diff --git a/modules/post/linux/gather/mimipenguin.rb b/modules/post/linux/gather/mimipenguin.rb
@@ -38,7 +38,8 @@ def initialize(info = {})
           [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919' ],
           [ 'URL', 'https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1717490' ],
           [ 'CVE', '2018-20781' ],
-          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_007_PROC_FILESYSTEM ],
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
         ],
         'DisclosureDate' => '2018-05-23',
         'DefaultTarget' => 0,
diff --git a/modules/post/linux/gather/openvpn_credentials.rb b/modules/post/linux/gather/openvpn_credentials.rb
@@ -28,7 +28,7 @@ def initialize(info = {})
         'SessionTypes' => ['shell', 'meterpreter'],
         'References' => [
           ['URL', 'https://gist.github.com/rvrsh3ll/cc93a0e05e4f7145c9eb#file-openvpnscraper-sh'],
-          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_007_PROC_FILESYSTEM ]
         ],
         'Notes' => {
           'Stability' => [CRASH_SAFE],
diff --git a/modules/post/solaris/gather/hashdump.rb b/modules/post/solaris/gather/hashdump.rb
@@ -25,7 +25,7 @@ def initialize(info = {})
           'Reliability' => []
         },
         'References' => [
-          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]
         ]
       )
     )
diff --git a/modules/post/windows/gather/cachedump.rb b/modules/post/windows/gather/cachedump.rb
@@ -27,7 +27,7 @@ def initialize(info = {})
         'SessionTypes' => ['meterpreter'],
         'References' => [
           ['URL', 'https://web.archive.org/web/20220407023137/https://lab.mediaservice.net/code/cachedump.rb'],
-          ['ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING]
+          ['ATT&CK', Mitre::Attack::Technique::T1003_005_CACHED_DOMAIN_CREDENTIALS]
         ],
         'Notes' => {
           'Stability' => [CRASH_SAFE],
diff --git a/modules/post/windows/gather/credentials/domain_hashdump.rb b/modules/post/windows/gather/credentials/domain_hashdump.rb
@@ -42,7 +42,7 @@ def initialize(info = {})
           }
         },
         'References' => [
-          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ]
         ]
       )
     )
diff --git a/modules/post/windows/gather/credentials/sso.rb b/modules/post/windows/gather/credentials/sso.rb
@@ -34,7 +34,10 @@ def initialize(info = {})
               kiwi_exec_cmd
             ]
           }
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_001_LSASS_MEMORY ]
+        ]
       )
     )
   end
diff --git a/modules/post/windows/gather/credentials/windows_autologin.rb b/modules/post/windows/gather/credentials/windows_autologin.rb
@@ -28,7 +28,8 @@ def initialize(info = {})
         'SessionTypes' => [ 'meterpreter' ],
         'References' => [
           [ 'URL', 'http://support.microsoft.com/kb/315231' ],
-          [ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ]
+          [ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ],
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]
         ],
         'Notes' => {
           'Stability' => [CRASH_SAFE],
diff --git a/modules/post/windows/gather/credentials/windows_sam_hivenightmare.rb b/modules/post/windows/gather/credentials/windows_sam_hivenightmare.rb
@@ -27,7 +27,8 @@ def initialize(info = {})
           ['CVE', '2021-36934'],
           ['URL', 'https://github.com/GossiTheDog/HiveNightmare'],
           ['URL', 'https://isc.sans.edu/diary/Summer+of+SAM+-+incorrect+permissions+on+Windows+1011+hives/27652'],
-          ['URL', 'https://github.com/romarroca/SeriousSam']
+          ['URL', 'https://github.com/romarroca/SeriousSam'],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_002_SECURITY_ACCOUNT_MANAGER]
         ],
         'DisclosureDate' => '2021-07-20',
         'Platform' => [ 'win' ],
diff --git a/modules/post/windows/gather/file_from_raw_ntfs.rb b/modules/post/windows/gather/file_from_raw_ntfs.rb
@@ -24,7 +24,8 @@ def initialize(info = {})
         'SessionTypes' => ['meterpreter'],
         'Author' => ['Danil Bazin <danil.bazin[at]hsc.fr>'], # @danilbaz
         'References' => [
-          [ 'URL', 'http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/' ]
+          [ 'URL', 'http://www.amazon.com/System-Forensic-Analysis-Brian-Carrier/dp/0321268172/' ],
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ]
         ],
         'Notes' => {
           'Stability' => [CRASH_SAFE],
diff --git a/modules/post/windows/gather/hashdump.rb b/modules/post/windows/gather/hashdump.rb
@@ -30,7 +30,10 @@ def initialize(info = {})
           'Stability' => [CRASH_SAFE],
           'SideEffects' => [],
           'Reliability' => []
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_002_SECURITY_ACCOUNT_MANAGER ]
+        ]
       )
     )
 
diff --git a/modules/post/windows/gather/lsa_secrets.rb b/modules/post/windows/gather/lsa_secrets.rb
@@ -26,7 +26,10 @@ def initialize(info = {})
           'Reliability' => [],
           'SideEffects' => []
         },
-        'Author' => ['Rob Bathurst <rob.bathurst[at]foundstone.com>']
+        'Author' => ['Rob Bathurst <rob.bathurst[at]foundstone.com>'],
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_004_LSA_SECRETS ]
+        ]
       )
     )
     register_options([
diff --git a/modules/post/windows/gather/memory_dump.rb b/modules/post/windows/gather/memory_dump.rb
@@ -45,7 +45,10 @@ def initialize(info = {})
               stdapi_sys_process_getpid
             ]
           }
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_001_LSASS_MEMORY ]
+        ]
       )
     )
     register_options([
diff --git a/modules/post/windows/gather/ntds_grabber.rb b/modules/post/windows/gather/ntds_grabber.rb
@@ -21,7 +21,9 @@ def initialize(info = {})
         },
         'License' => MSF_LICENSE,
         'Author' => ['Koen Riepe (koen.riepe@fox-it.com)'],
-        'References' => [''],
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS ]
+        ],
         'Platform' => [ 'win' ],
         'Arch' => [ 'x86', 'x64' ],
         'SessionTypes' => [ 'meterpreter' ],
diff --git a/modules/post/windows/gather/smart_hashdump.rb b/modules/post/windows/gather/smart_hashdump.rb
@@ -40,7 +40,10 @@ def initialize(info = {})
               stdapi_sys_process_getpid
             ]
           }
-        }
+        },
+        'References' => [
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_002_SECURITY_ACCOUNT_MANAGER ]
+        ]
       )
     )
     register_options(
diff --git a/modules/post/windows/manage/kerberos_tickets.rb b/modules/post/windows/manage/kerberos_tickets.rb
@@ -50,7 +50,8 @@ def initialize(info = {})
         ],
         'References' => [
           [ 'URL', 'https://github.com/GhostPack/Rubeus' ],
-          [ 'URL', 'https://github.com/wavvs/nanorobeus' ]
+          [ 'URL', 'https://github.com/wavvs/nanorobeus' ],
+          [ 'ATT&CK', Mitre::Attack::Technique::T1003_004_LSA_SECRETS ]
         ],
         'Platform' => ['win'],
         'SessionTypes' => %w[meterpreter],

Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ def initialize(info = {})`
`35`	`35`	`[ 'URL', 'https://www.rapid7.com/blog/post/2024/05/30/etr-cve-2024-24919-check-point-security-gateway-information-disclosure/' ],`
`36`	`36`	`# Publication of first proof-of-concept exploit`
`37`	`37`	`[ 'URL', 'https://labs.watchtowr.com/check-point-wrong-check-point-cve-2024-24919/' ],`
`38`		`- [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]`
	`38`	`+ [ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]`
`39`	`39`	`]`
`40`	`40`	`)`
`41`	`41`	`)`
Original file line number	Diff line number	Diff line change
`@@ -34,7 +34,7 @@ def initialize(info = {})`
`34`	`34`	`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
`35`	`35`	`},`
`36`	`36`	`'References' => [`
`37`		`- [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]`
	`37`	`+ [ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]`
`38`	`38`	`]`
`39`	`39`	`)`
`40`	`40`	`)`
Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ def initialize(info = {})`
`23`	`23`	`'Reliability' => []`
`24`	`24`	`},`
`25`	`25`	`'References' => [`
`26`		`- [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]`
	`26`	`+ [ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]`
`27`	`27`	`]`
`28`	`28`	`)`
`29`	`29`	`)`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ def initialize(info = {})`
`24`	`24`	`'Reliability' => []`
`25`	`25`	`},`
`26`	`26`	`'References' => [`
`27`		`- [ 'ATT&CK', Mitre::Attack::Technique::T1003_OS_CREDENTIAL_DUMPING ]`
	`27`	`+ [ 'ATT&CK', Mitre::Attack::Technique::T1003_008_ETC_PASSWD_AND_ETC_SHADOW ]`
`28`	`28`	`]`
`29`	`29`	`)`
`30`	`30`	`)`