Generate docs from job=validate_atomics_generate_docs branch=master

2019-11-18 15:44:19 +00:00
parent e9e93b3907
commit 08fddb3940
7 changed files with 130 additions and 5 deletions
@@ -0,0 +1,36 @@
+# T1208 - Kerberoasting
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1208)
+<blockquote>Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service (Citation: Microsoft Detecting Kerberoasting Feb 2018)). (Citation: Microsoft SPN) (Citation: Microsoft SetSPN) (Citation: SANS Attacking Kerberos Nov 2014) (Citation: Harmj0y Kerberoast Nov 2016)
+
+Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC). (Citation: Empire InvokeKerberoast Oct 2016) (Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials. (Citation: AdSecurity Cracking Kerberos Dec 2015) (Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)
+
+This same attack could be executed using service tickets captured from network traffic. (Citation: AdSecurity Cracking Kerberos Dec 2015)
+
+Cracked hashes may enable Persistence, Privilege Escalation, and  Lateral Movement via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078). (Citation: SANS Attacking Kerberos Nov 2014)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Request for service tickets](#atomic-test-1---request-for-service-tickets)
+
+
+<br/>
+
+## Atomic Test #1 - Request for service tickets
+This test uses the Powershell Empire Module: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+
+The following are further sources and credits for this attack:
+[Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)
+[Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`! 
+```
+Import-Module .\Invoke-Kerberoast.ps1
+Invoke-Kerberoast | fl
+```
+
+
+
+<br/>
@@ -654,7 +654,8 @@
 - [T1141 Input Prompt](./T1141/T1141.md)
  - Atomic Test #1: AppleScript - Prompt User for Password [macos]
  - Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1208 Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1208 Kerberoasting](./T1208/T1208.md)
+  - Atomic Test #1: Request for service tickets [windows]
 - [T1142 Keychain](./T1142/T1142.md)
  - Atomic Test #1: Keychain [macos]
 - T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -18961,6 +18961,93 @@ credential-access:
          write-warning to allow message to show on console as echo and other similar
          commands are not visable from the Invoke-AtomicTest framework.\nwrite-warning
          $cred.GetNetworkCredential().Password"
+  T1208:
+    technique:
+      x_mitre_data_sources:
+      - Windows event logs
+      x_mitre_permissions_required:
+      - User
+      name: Kerberoasting
+      description: |-
+        Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service (Citation: Microsoft Detecting Kerberoasting Feb 2018)). (Citation: Microsoft SPN) (Citation: Microsoft SetSPN) (Citation: SANS Attacking Kerberos Nov 2014) (Citation: Harmj0y Kerberoast Nov 2016)
+
+        Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC). (Citation: Empire InvokeKerberoast Oct 2016) (Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials. (Citation: AdSecurity Cracking Kerberos Dec 2015) (Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)
+
+        This same attack could be executed using service tickets captured from network traffic. (Citation: AdSecurity Cracking Kerberos Dec 2015)
+
+        Cracked hashes may enable Persistence, Privilege Escalation, and  Lateral Movement via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078). (Citation: SANS Attacking Kerberos Nov 2014)
+      id: attack-pattern--b39d03cb-7b98-41c4-a878-c40c1a913dc0
+      x_mitre_platforms:
+      - Windows
+      object_marking_refs:
+      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
+      x_mitre_version: '1.0'
+      x_mitre_system_requirements:
+      - Valid domain account or the ability to sniff traffic within a domain.
+      type: attack-pattern
+      x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos
+        TGS service ticket requests. Particularly investigate irregular patterns of
+        activity (ex: accounts making numerous requests, Event ID 4769, within a small
+        time frame, especially if they also request RC4 encryption [Type 0x17]). (Citation:
+        Microsoft Detecting Kerberoasting Feb 2018) (Citation: AdSecurity Cracking
+        Kerberos Dec 2015)'
+      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      x_mitre_contributors:
+      - Praetorian
+      created: '2018-04-18T17:59:24.739Z'
+      kill_chain_phases:
+      - kill_chain_name: mitre-attack
+        phase_name: credential-access
+      external_references:
+      - external_id: T1208
+        source_name: mitre-attack
+        url: https://attack.mitre.org/techniques/T1208
+      - source_name: Microsoft Detecting Kerberoasting Feb 2018
+        description: Bani, M. (2018, February 23). Detecting Kerberoasting activity
+          using Azure Security Center. Retrieved March 23, 2018.
+        url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
+      - source_name: Microsoft SPN
+        description: Microsoft. (n.d.). Service Principal Names. Retrieved March 22,
+          2018.
+        url: https://msdn.microsoft.com/library/ms677949.aspx
+      - source_name: Microsoft SetSPN
+        description: Microsoft. (2010, April 13). Service Principal Names (SPNs) SetSPN
+          Syntax (Setspn.exe). Retrieved March 22, 2018.
+        url: https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
+      - source_name: SANS Attacking Kerberos Nov 2014
+        description: Medin, T. (2014, November). Attacking Kerberos - Kicking the
+          Guard Dog of Hades. Retrieved March 22, 2018.
+      - source_name: Harmj0y Kerberoast Nov 2016
+        description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz.
+          Retrieved March 23, 2018.
+        url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
+      - source_name: Empire InvokeKerberoast Oct 2016
+        description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved
+          March 22, 2018.
+        url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+      - source_name: AdSecurity Cracking Kerberos Dec 2015
+        description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets
+          Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory
+          Domain. Retrieved March 22, 2018.
+        url: https://adsecurity.org/?p=2293
+      modified: '2019-07-18T15:18:23.401Z'
+      identifier: T1208
+    atomic_tests:
+    - name: Request for service tickets
+      description: |
+        This test uses the Powershell Empire Module: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+
+        The following are further sources and credits for this attack:
+        [Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)
+        [Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          Import-Module .\Invoke-Kerberoast.ps1
+          Invoke-Kerberoast | fl
  T1142:
    technique:
      x_mitre_data_sources:
@@ -14,7 +14,7 @@
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](./T1042/T1042.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | [Password Policy Discovery](./T1201/T1201.md) | [Remote File Copy](./T1105/T1105.md) | [Input Capture](./T1056/T1056.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [InstallUtil](./T1118/T1118.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Input Capture](./T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [File System Permissions Weakness](./T1044/T1044.md) | [Connection Proxy](./T1090/T1090.md) | [Input Prompt](./T1141/T1141.md) | [Permission Groups Discovery](./T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | [Launchctl](./T1152/T1152.md) | [Create Account](./T1136/T1136.md) | [Hooking](./T1179/T1179.md) | [Control Panel Items](./T1196/T1196.md) | Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](./T1057/T1057.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | [Launchctl](./T1152/T1152.md) | [Create Account](./T1136/T1136.md) | [Hooking](./T1179/T1179.md) | [Control Panel Items](./T1196/T1196.md) | [Kerberoasting](./T1208/T1208.md) | [Process Discovery](./T1057/T1057.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Local Job Scheduling](./T1168/T1168.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [DCShadow](./T1207/T1207.md) | [Keychain](./T1142/T1142.md) | [Query Registry](./T1012/T1012.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Mshta](./T1170/T1170.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [PowerShell](./T1086/T1086.md) | Emond [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [New Service](./T1050/T1050.md) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | [Security Software Discovery](./T1063/T1063.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  | [Remote File Copy](./T1105/T1105.md) |
@@ -460,7 +460,8 @@
  - Atomic Test #1: Input Capture [windows]
 - [T1141 Input Prompt](./T1141/T1141.md)
  - Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1208 Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1208 Kerberoasting](./T1208/T1208.md)
+  - Atomic Test #1: Request for service tickets [windows]
 - T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1040 Network Sniffing](./T1040/T1040.md)
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
@@ -12,7 +12,7 @@
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | [Password Policy Discovery](./T1201/T1201.md) | [Remote File Copy](./T1105/T1105.md) | [Email Collection](./T1114/T1114.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](./T1042/T1042.md) | [File System Permissions Weakness](./T1044/T1044.md) | [Component Object Model Hijacking](./T1122/T1122.md) | [Input Capture](./T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) |  | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](./T1118/T1118.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | [Connection Proxy](./T1090/T1090.md) | [Input Prompt](./T1141/T1141.md) | [Permission Groups Discovery](./T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Control Panel Items](./T1196/T1196.md) | Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](./T1057/T1057.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Control Panel Items](./T1196/T1196.md) | [Kerberoasting](./T1208/T1208.md) | [Process Discovery](./T1057/T1057.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Mshta](./T1170/T1170.md) | [Create Account](./T1136/T1136.md) | [New Service](./T1050/T1050.md) | [DCShadow](./T1207/T1207.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](./T1012/T1012.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [PowerShell](./T1086/T1086.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Network Sniffing](./T1040/T1040.md) | [Remote System Discovery](./T1018/T1018.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](./T1174/T1174.md) | [Security Software Discovery](./T1063/T1063.md) | [Windows Admin Shares](./T1077/T1077.md) |  |  | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |