Add SharpHound LocalAdmin attack (#1625)

2021-09-10 17:56:00 +02:00
parent 895016b6bd
commit c8aebb9a41
1 changed files with 37 additions and 1 deletions
@@ -37,4 +37,40 @@ atomic_tests:
    command: |
      get-localgroup
      Get-LocalGroupMember -Name "Administrators"
-    name: powershell
+    name: powershell
+- name: SharpHound3 - LocalAdmin
+  auto_generated_guid: e03ada14-0980-4107-aff1-7783b2b59bb1
+  description: |
+    This module runs the Windows executable of SharpHound in order to remotely list members of the local Administrators group (SAMR)
+  supported_platforms:
+  - windows
+  input_arguments:
+    domain:
+      description: FQDN of the targeted domain
+      type: string
+      default: DOMAIN.CORP
+    sharphound_path:
+      description: SharpHound Windows executable
+      type: path
+      default: '$env:TEMP\SharpHound.exe'
+    output_path:
+      description: Output for SharpHound
+      type: path
+      default: '$env:TEMP\SharpHound\'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      SharpHound binary must exist on disk and at specified location (#{sharphound_path}).
+      And the computer must be domain joined (implicit authentication).
+    prereq_command: |
+      if (Test-Path "#{sharphound_path}") { exit 0 } else { exit 1 }
+    get_prereq_command: |
+      Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true" -OutFile "#{sharphound_path}"
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      New-Item -Path "#{output_path}" -ItemType Directory > $null
+      & "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}"
+    cleanup_command: |
+      Remove-Item -Recurse #{output_path}