From c8aebb9a41e3160b7642896f995c99bfda849505 Mon Sep 17 00:00:00 2001
From: Corellios <42844128+Corellios@users.noreply.github.com>
Date: Fri, 10 Sep 2021 17:56:00 +0200
Subject: [PATCH] Add SharpHound LocalAdmin attack (#1625)
---
 atomics/T1069.001/T1069.001.yaml | 38 +++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)
diff --git a/atomics/T1069.001/T1069.001.yaml b/atomics/T1069.001/T1069.001.yaml
index 1a050f98..a46defee 100644
--- a/atomics/T1069.001/T1069.001.yaml
+++ b/atomics/T1069.001/T1069.001.yaml
@@ -37,4 +37,40 @@ atomic_tests:
 command: |
 get-localgroup
 Get-LocalGroupMember -Name "Administrators"
- name: powershell
\ No newline at end of file
+ name: powershell
+- name: SharpHound3 - LocalAdmin
+ auto_generated_guid: e03ada14-0980-4107-aff1-7783b2b59bb1
+ description: |
+ This module runs the Windows executable of SharpHound in order to remotely list members of the local Administrators group (SAMR)
+ supported_platforms:
+ - windows
+ input_arguments:
+ domain:
+ description: FQDN of the targeted domain
+ type: string
+ default: DOMAIN.CORP
+ sharphound_path:
+ description: SharpHound Windows executable
+ type: path
+ default: '$env:TEMP\SharpHound.exe'
+ output_path:
+ description: Output for SharpHound
+ type: path
+ default: '$env:TEMP\SharpHound\'
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ SharpHound binary must exist on disk and at specified location (#{sharphound_path}).
+ And the computer must be domain joined (implicit authentication).
+ prereq_command: |
+ if (Test-Path "#{sharphound_path}") { exit 0 } else { exit 1 }
+ get_prereq_command: |
+ Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true" -OutFile "#{sharphound_path}"
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ New-Item -Path "#{output_path}" -ItemType Directory > $null
+ & "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}"
+ cleanup_command: |
+ Remove-Item -Recurse #{output_path}
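Review bot: The cleanup line at the end of the hunk, `Remove-Item -Recurse #{output_path}`, leaves the path unquoted and omits `-Force`, unlike the `New-Item` and `&` lines in the executor that quote the same argument; an output_path containing a space is split into separate arguments, and any hidden or read-only file left in the directory makes the recursive delete fail and keeps the collection output on disk. Suggested line: `Remove-Item -Recurse -Force "#{output_path}"`. The get_prereq_command pins the SharpHound.exe download to a specific commit, which is good, but the fetched binary is written straight to `#{sharphound_path}` with no integrity check; recording the expected SHA-256 and comparing it with `Get-FileHash` before exiting 0 would keep a tampered download from being run as "the" prerequisite. Note also that the executor passes only `-d "#{domain}"` and no target host list, so as far as the visible flags show a LocalAdmin collection enumerates every computer object in the domain rather than a chosen host — worth saying in the description so operators scope the run deliberately. The `atomic_tests` sequence this entry is appended to begins outside the hunk.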