From 2bb4d6bb67cef311adcd5c8faf5238f0bc515a5a Mon Sep 17 00:00:00 2001
From: Michel de CREVOISIER <52909656+mdecrevoisier@users.noreply.github.com>
Date: Mon, 17 Jan 2022 22:32:59 +0100
Subject: [PATCH] readme + kerberos
---
 README.md | 8 +++++---
 ...beros proxiable ticket (CVE-2021-42287).evtx | Bin 0 -> 69632 bytes
 2 files changed, 5 insertions(+), 3 deletions(-)
 create mode 100644 TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos proxiable ticket (CVE-2021-42287).evtx
diff --git a/README.md b/README.md
index 3df94d7..ca50040 100644
--- a/README.md
+++ b/README.md
@@ -53,6 +53,8 @@ TA0002-Execution | T1059.001-Command and Scripting Interpreter: PowerShell | Enc
 TA0002-Execution | T1059.001-Command and Scripting Interpreter: PowerShell | Interactive PipeShell over SMB named pipe | 800/4103/4104 |
 TA0002-Execution | T1059.003-Windows Command Shell | Encoded PowerShell payload deployed via process execution | 4688 |
 TA0002-Execution | T1059.003-Windows Command Shell | SQL Server payload injectection for reverse shell (MSF) | 4688 |
+TA0002-Execution | T1204-User execution | Edge abuse for payload download via console | 4688 |
+TA0002-Execution | T1204-User execution | Edge/Chrome headless feature abuse for payload download | 4688 |
 TA0002-Execution | T1569.002-Service Execution | PSexec installation detected | 4688 |
 TA0002-Execution | T1569.002-Service Execution | Service massive failures (native) | 7000/7009 | Tchopper
 TA0002-Execution | T1569.002-Service Execution | Service massive installation (native) | 7045/4697 | Tchopper
@@ -87,8 +89,8 @@ TA0003-Persistence | T1098.xxx-Account manipulation | User account with password
 TA0003-Persistence | T1098.xxx-Account manipulation | User password change using current hash password - ChangeNTLM | 4723 | Mimikatz
 TA0003-Persistence | T1098.xxx-Account manipulation | User password change without previous password known - SetNTLM | 4724 | Mimikatz
 TA0003-Persistence | T1098.xxx-Account Manipulation | User performing massive group membership changes on multiple differents groups | 4728,4756 |
+TA0003-Persistence | T1098-Account Manipulation | Disabled guest or builtin account activated | 4722 |
 TA0003-Persistence | T1098-Account Manipulation | SPN added to an account (command) | 4688/1 |
-TA0003-Persistence | T1136.001-Create account-Local account | Disbled Guest (and support_388945a0) accounts enabled | 4722 |
 TA0003-Persistence | T1136.001-Create account-Local account | Local user account created on a single host | 4720 |
 TA0003-Persistence | T1136.001-Create account-Local account | SQL Server: disabled SA account enabled | 33205 |
 TA0003-Persistence | T1136.002-Create account-Domain account | Computer account created and deleted in a short period of time | 4741/4743 |
@@ -213,8 +215,8 @@ TA0006-Credential Access | T1110.xxx-Brut force | Kerberos brutforce with not ex
 TA0006-Credential Access | T1110.xxx-Brut force | Login failure from a single source with different non existing accounts | 33205 |
 TA0006-Credential Access | T1552.004-Unsecured Credentials-Private Keys | Unknown application accessing certificate private key detected | 70(CAPI2) | Mimikatz
 TA0006-Credential Access | T1555.003-Credentials from Password Stores: Credentials from Web Browsers | User browser credentials dump via network share | 5145 | DonPapi, Lazagne
+TA0006-Credential Access | T1555.004-Windows Credential Manager | Credentials (protected by DPAPI) dump via network share | 5145 | DonPapi, Lazagne
 TA0006-Credential Access | T1555-Credentials from Password Stores | Suspicious Active Directory DPAPI attributes accessed | 4662 |
-TA0006-Credential Access | T1555-Credentials from Password Stores | User application credentials dump via network share | 5145 | DonPapi, Lazagne
 TA0006-Credential Access | T1555-Credentials from Password Stores | User files dump via network share | 5145 | DonPapi, Lazagne
 TA0006-Credential Access | T1557.001-MiM:LLMNR/NBT-NS Poisoning and SMB Relay | Discovery for print spooler bug abuse via named pipe | 5145 |
 TA0006-Credential Access | T1558.001-Golden Ticket | Kerberos TGS ticket request related to a potential Golden ticket | 4769 | Golden ticket
@@ -223,6 +225,7 @@ TA0006-Credential Access | T1558.001-Golden Ticket | Success login impersonation
 TA0006-Credential Access | T1558.003-Kerberoasting | KerberOAST ticket (TGS) request detected (low encryption) | 4769 | Kerberoast
 TA0006-Credential Access | T1558.004-Steal or Forge Kerberos Tickets: AS-REP Roasting | Kerberos AS-REP Roasting ticket request detected | 4768 | AS-REP Roasting
 TA0006-Credential Access | T1558-Steal or Forge Kerberos Tickets | Kerberos ticket without a trailing $ | 4768-4769 | CVE-2021-42278/42287 & SAM-the-admin
+TA0006-Credential Access | T1558-Steal or Forge Kerberos Tickets | Suspicious Kerberos proxiable ticket | 4768 | CVE-2021-42278/42287 & SAM-the-admin
 TA0007-Discovery | T1016-System Network Configuration Discovery | Firewall configuration enumerated (command) | 4688 |
 TA0007-Discovery | T1016-System Network Configuration Discovery | Firewall configuration enumerated (PowerShell) | 800/4103/4104 |
 TA0007-Discovery | T1016-System Network Configuration Discovery | Tentative of zone transfer from a non DNS server detected | 6004(DNSserver) |
@@ -253,7 +256,6 @@ TA0008-Lateral Movement | T1021.001-Remote Desktop Protocol | Denied RDP login w
 TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Admin share accessed via SMB (basic) | 5140/5145 |
 TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Impacket WMIexec execution via SMB admin share | 5145 | WMIexec
 TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Lateral movement by mounting a network share - net use (command) | 4688/4648 |
-TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Multiple failed attempt to network share | 5140/5145 |
 TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | New file share created on a host | 5142 |
 TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Psexec remote execution via SMB | 5145 |
 TA0008-Lateral Movement | T1021.002-SMB Windows Admin Shares | Remote service creation over SMB | 5145 |
diff --git a/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos proxiable ticket (CVE-2021-42287).evtx b/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos proxiable ticket (CVE-2021-42287).evtx new file mode 100644 index 0000000000000000000000000000000000000000..16d7df8720c756b7b8b187ed6bbd71f1293f1a16 GIT binary patch literal 69632 zcmeI5du$xV9mjunzB|8ij`QLX5^&xQD2d;8oI+v}JBjkHodhaS>&H1Uacr=ikd!|N zg{l&Nw2gpPrBp(t2vurPRjDeZMLb$c9~9amhzd#tQmaO)P@xZ?54e86v%BZp+r8Vf zb52b2+w*!~voo{5nVtFUcV>6m2m3n)1{0Dw71=vZU>O!{RfaO1ob&eGV;{bC&Yq|T zY5}!?T0kwJ7ElYQ1=Ip+0kwcyKrNsaPzwZFpnb4^Yh~+u=^iYMiJUDK`Fj-0Ncs`T4<#bkI--R8P|mHF0?v5=VRBlC zFgd+%yMMyo&wXFVzW$8(tjG2Twz1}CgmKvRi|2mZUf%(?9q{v1hCg(ZIXw#-q)*G8 zL`mOSp!KV-M!J?tD*Z<@0=}_^Yz<34T&~9UF!ryJ+i`3N%Q~sSuK{Z{(t`hqRPdv& zt#Bxrd=qKqq}y;;OgiN_d>%6)Lg{KtCT~Q%oD_ZcjuP2zLO+VI`rv8=N1HHrIGJ(V z0} z62U!pB{rNa-uF^ew!rj7gSP;u$FGdZ zE+in6g(hNfA^H@RrPy%poLgQlk!?799O*U;JNCiubQ+a;5tw~9Hcr|;uKQv+0v#|m z-3X@%M1V=u2RFt%yo;EpK5<8xD+QgCV4j%FDhib$w~Uu19YygpYkv|RGRlmJW%+PL znUpaupT|i~f$+`0mCHusjPV#WF>%a#6Wn!l*mro@yJgY_AIA`J=9V#BspW4)vCNFI zP++n*K0iwswB-}8Da%Q5W|w60Fv4&OktcpoiVHYqB7VdKWF_ww#sjG-j7!<+QajJ~ z!r>@>b}UMyB*vnZN&ES=C9v>8+qRAYDoUlKC{$^(6ANQbcO#2#gv)MZq#+Y;CR(M0 zBB5l`1Pq5vxOGD%#!!cm6&N||UI|A-vk}TLeq*@SUa3Wr@J8-O#Fzl9jU|SJcE29s zIR)~=t4olyba4ddTjmtG3NB(!+1$T9CVP!HBhEF>kU2$>idnKKBD3KX+0e|$wNSCG zD=LwBQX;c(6xkhXoJ*w4xHCKPuLE0^G81!18Y7Far>Ny&dWfm&#M!Z@Oc~jQ9QYYr zdG&Kwp;pAS1MzehR;y$`_6_06hmq|^WtHceRw4b5;5e_4E)U4EuiVphtn2=*kDj`2 zT~YN<;+a;kisq^<$L@dDt|+)ZtFri}`S;h}u<)ZZC!3JZ=n5%xHC9=ta@zDcW*?_$ z-ej_JH}q(>tYKI1Ym|8Jlgt zR*s)p={j>0tib}F*E@bT;>)vn7GrY7_}QhdvpaEKpM>LKnM3!hZ1*N>Sn(`3Rvt08 zA#Z~5Fp8`&uCdQqI35NI5@uQ6x;)1TC1QnAYoD=X{ERqaMYo5HHCO^N1$jq~B6d-k z%h=I9uV&u(d8~A3+A*X%UB)bz>ur||$+q`gR|xI!nYrtDT1Z`HD*<1MEnj@C!740a z^4S>fp4M#Aw@%f0V4(fw{*{Rplr9LMd%tFO1O$(4sT8at2S zmZh&p%+`1cm0M@}<{{@yE2Rct!$G9&5#*&F<4ZU`Bad)d?pf#Dir6v_GRAS786n+b 
z2Kr!LAahd7h|EPnVa;J2TaKAU28$SHc9(LyP>6IOrQ1;`q9)`NWhU77TJ?XU{a^a( z@X~!hN}}*MggEpd1_v-_bN3ztkrS*UO|e!7SZXz8D9h1Sl&Li+N9&{>|7%mrS|HI{ zX~wSw=b@e<=aKg+QEuVSOs^d6e8kIpg(^FXLyHhfdfEAOgB6}rc5c3qWhYa+8Ywsz zbFS20isPB7y#+ar`Hy$h4pWv5A{~cOJNFyACy)-kuzY$xSPkB4Lypas&M!|OKUB(H z8<>Jjs$BV@0Y{lDnh>j6X~c3Z&Ny?jA!70Y>xgOuo2zcvj1$~-!W!&}xyd*0+F_f= zH9= zOHy}?Oih^?qb#*jr|0Z-eleLuO_jIB18T3lQ$I(ImbZ<3Yq`Ad52yahS@Y$6e>lDc z)`k;~Ur-GRZU`(h{c1=)@{ORjo=BPa)&$DL$<~oIC>3jvtvOX;z6^5+Gbb*&&EmjJ zE6PxVVvTb#*8hrH)gZZKDkLu!r4*89u$rli+zAh27hVymLe%_~5Z2Q}I zM)~kpJa~utDIKO9%2VN(4?l7$8<)UARz+hj4rWm@n6^0-3~C_(%Ebma$)#AB%M4a3 zj7{@ZC=MgcT*}0D9PbEFBqpjv?1i7%6bKS#M^5D-x8lI$&8akOfP(@k40Z6vUs<>m zM`GtkQCJgQguv3N_`ZAou=2XIr$eOTO(;)peCJFYPUL(l3X-WJfDj!OK?yOLWNGN; zC?!Nb<0~QJ>CaOCqoEj74Idq3!UXnlCq!x}K~L3wgh-v)Qq)H9+&U3Xe0`FfSTg}F zrN%rzn}S)Yu<+x=YU{8F)Up&Oz6}NNRm{qXRtuSOBGjYImM!H(wooZ2qSUZjp61yt zPmkCwPn9QPH@}hM#5eKmdBcU^#Kn8wc=Y5eXKsGx@+WE^dT!I#uD2g^p(L{5>HH~) zc`H9`z;;@#oOYd%)vj~SREO38Qcyt@yCSO%CvP>%-HwFz3C1MvE6S#;MXf8!+q!N7EfiVWm|n@?qBXu$Mdge%ldB~mvt@}i)L_$26_$Q9w8B0vOVU)cBCP*KRkH+a zqpBI((E0SFG=v8qPk$Yyp%e{W<5A5H#ve=35LL7N7lMXVHPd!gbOPu`VQwDa+^r&1 zgxr*7_x4fMOjR>a&m;CRITzKe)|c(Fk>T$$$S|9`bLo9VMht3MWy6=5mZd3XQLIxn zQ^iaf(e#2;Mudbhtc;kmul6dBV)l)_EImn` zzHLE@8GG;MtC;26V>cTIW%kZ3q>|QPUMeF6Rblp1(w6ZcC#57o_j~PsmU?q;1B{{l z&$Ry;vO#`tw0SA%?dLY6D2YniUZo`OJ8+rGj=%1u?TXs2i2KmV~P*M$`tq1Rz)tdj=DCwmPRjII)#QwXSsxbRe(o!Deq?DwTG>Uwnl!Ow; z`CdT_45GdCVT63%`}b1PADd>nD5*;+Nh!&Bi(h+R`S)4>`1HOi3?;1vCDq|=`x?yM zS$k#udI~A2-n{RRQZ6ecE#W~Q`T{cHU)Vi`yQh zB&8&!BuD*GO5!(i5@3`b!$@nfmQ71~aY`vEsPFn>i;hw7gI_}LA|&60S!)9 zs+Oc$l4?n+B^6RjI@KOcQ4-&A+o6=Cl%$lTl$1_M3DeTn3qoo@t6R2yNk5-LN~#U) zz0EOPISnZ#DJ3Z-DJ2z>l774YH!IS6Z*NyhQc6-vQc6mvq;BX)Yte_BUjoS9FX@FT zrKF(V+Y2p7k}XO}N=ZsdN=b#Jq{amgx+rPAQj$`VQj$_qIwes{ss|tS;(vcuE$L@d zN=ZSzw>iA6nUs>0l9ZB^k_t&lkF7kIq9nGsEmcZVN>WNvN=m0BYDx8IYfGT)&8{Uq zKZTT36WDwE3Z*3Ny?r}I-xxs_RZ3DyDkLS%xw|e!N&H^Y5~U=iB&8&!q;yJRpX~(t zB$1S|e=q5$Q%Xrey|?Gvl$2~nDOQOM&X;06iDy3@$4$p^({bF&PL~RYN6>NHN^*|l 
zwmxI5-^vpQpZsXK(=Uly(&7t2NjlcA|ClFXnGyP>luEsF2r(GL z_^G$1zL!4=zoIgiF>3bsrDOfVUZePh`i|7#Yt0 zJDTN|Z`(Y+)%&G=K4Y@Xm}LC?N3M&*w}@0AGW^;&$NHTib7Zl-#5d$IG=Vi^ltg@V zF(e!lSkmTB*&&~XX4VKItTQy&WBxZ|UmXas4tG;OS{`>v2Y#K>j&WyJ%XVqQeHNlu z_H+oL18y=3V+*#}LTzzl3#f5AwNnT6Z@k3j#!}@*r#cI+o_|HeDJ|CQoKwo@-uZd7hmZd7i(IJvO}yto#GNP6VECw+MPq#o4R z00puS965dT#+JbMV&>Z17*f4axl#2-)f)?`H@58gAjOT;8y6@yDmN-ODmPx7+{ibn z6ClMN!;0ME`^|mWYBnr6owzaRy_h*RHy&4RRBlvmRBkLJH$L>8_fyZd7hm zZY(4>et*838|N!GDmN-OqPo@hVlKk|jdjo!`@n~d_>my_9(A*M$C?^s4cdmM4>tzA l7c