From e9e93b3907f3139b2bfa2eb7650c6eb3156b458b Mon Sep 17 00:00:00 2001
From: Jeff Ong
Date: Mon, 18 Nov 2019 23:43:47 +0800
Subject: [PATCH] T1208 kerberoasting with invoke kerberoast (#548)
* Add test for T1208 that does Kerberoasting Kerberoasting with Invoke-Kerberoast
* Rename atomics/T1208 to atomic/T1208/T1208.yaml
* Rename atomic/T1208/T1208.yaml to atomics/T1208/T1208.yaml
* Update T1208.yaml
* Update T1208.yaml
---
atomics/T1208/T1208.yaml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 atomics/T1208/T1208.yaml
diff --git a/atomics/T1208/T1208.yaml b/atomics/T1208/T1208.yaml
new file mode 100644
index 00000000..0ab00dec
--- /dev/null
+++ b/atomics/T1208/T1208.yaml
@@ -0,0 +1,22 @@
+---
+attack_technique: T1208
+display_name: Kerberoasting
+
+atomic_tests:
+- name: Request for service tickets
+ description: |
+ This test uses the Powershell Empire Module: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
+
+ The following are further sources and credits for this attack:
+ [Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/)
+ [Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Import-Module .\Invoke-Kerberoast.ps1
+ Invoke-Kerberoast | fl
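Review bot: The `command` block imports `.\Invoke-Kerberoast.ps1` from whatever the current directory happens to be, but this commit adds only the YAML, so the test runs whichever copy of that script is already lying there, or fails if none is. The only pointer to the script is a `blob/master` URL in the description, which is a moving target; for a third-party script that gets executed on a domain-joined host I would pin the reference to a reviewed commit, e.g. `.../Empire/blob/<commit-sha>/data/module_source/credentials/Invoke-Kerberoast.ps1`, and state in the description that the file must be placed in the working directory first. The two credit links have a space between `]` and `(`, so they will not render as links in the generated markdown. It would also help the people running this to add a line naming the telemetry the test is meant to exercise, presumably Kerberos service-ticket requests (Security event 4769) on the domain controller.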