Add MITRE ATT&CK techniques to Kerberos and unconstrained delegation modules

modules/auxiliary/admin/kerberos/forge_ticket.rb

@@ -27,7 +27,10 @@ def initialize(info = {})
           'smashery' # Enhancements
         ],
         'References' => [
-          %w[URL https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it]
+          ['URL', 'https://www.slideshare.net/gentilkiwi/abusing-microsoft-kerberos-sorry-you-guys-dont-get-it'],
+          ['ATT&CK', Mitre::Attack::Technique::T1558_001_GOLDEN_TICKET],
+          ['ATT&CK', Mitre::Attack::Technique::T1558_002_SILVER_TICKET],
+          ['ATT&CK', Mitre::Attack::Technique::T1134_005_SID_HISTORY_INJECTION]
         ],
         'License' => MSF_LICENSE,
         'Notes' => {

modules/auxiliary/admin/kerberos/get_ticket.rb

@@ -39,7 +39,11 @@ def initialize(info = {})
           [ 'GET_HASH', { 'Description' => 'Request a TGS to recover the NTLM hash' } ]
         ],
         'DefaultAction' => 'GET_TGT',
-        'AKA' => ['PKINIT']
+        'AKA' => ['PKINIT'],
+        'References' => [
+          ['ATT&CK', Mitre::Attack::Technique::T1550_003_PASS_THE_TICKET],
+          ['ATT&CK', Mitre::Attack::Technique::T1550_002_PASS_THE_HASH]
+        ]
       )
     )
 

modules/auxiliary/admin/kerberos/ms14_068_kerberos_checksum.rb

@@ -32,7 +32,9 @@ def initialize(info = {})
           ['URL', 'http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx'],
           ['URL', 'https://labs.mwrinfosecurity.com/blog/2014/12/16/digging-into-ms14-068-exploitation-and-defence/'],
           ['URL', 'http://web.archive.org/web/20180107213459/https://github.com/bidord/pykek'],
-          ['URL', 'https://www.rapid7.com/blog/post/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit']
+          ['URL', 'https://www.rapid7.com/blog/post/2014/12/25/12-days-of-haxmas-ms14-068-now-in-metasploit'],
+          ['ATT&CK', Mitre::Attack::Technique::T1068_EXPLOITATION_FOR_PRIVILEGE_ESCALATION],
+          ['ATT&CK', Mitre::Attack::Technique::T1558_001_GOLDEN_TICKET]
         ],
         'License' => MSF_LICENSE,
         'DisclosureDate' => '2014-11-18',

modules/auxiliary/gather/kerberos_enumusers.rb

@@ -25,7 +25,9 @@ def initialize(info = {})
           'sjanusz-r7' # Enhancements
         ],
         'References' => [
-          ['URL', 'https://nmap.org/nsedoc/scripts/krb5-enum-users.html']
+          ['URL', 'https://nmap.org/nsedoc/scripts/krb5-enum-users.html'],
+          ['ATT&CK', Mitre::Attack::Technique::T1087_002_DOMAIN_ACCOUNT],
+          ['ATT&CK', Mitre::Attack::Technique::T1589_001_CREDENTIALS]
         ],
         'License' => MSF_LICENSE,
         'Notes' => {

modules/auxiliary/gather/ldap_query.rb

@@ -42,6 +42,10 @@ def initialize(info = {})
           'Grant Willcox', # Original module author
         ],
         'References' => [
+          ['ATT&CK', Mitre::Attack::Technique::T1069_002_DOMAIN_GROUPS],
+          ['ATT&CK', Mitre::Attack::Technique::T1087_002_DOMAIN_ACCOUNT],
+          ['ATT&CK', Mitre::Attack::Technique::T1018_REMOTE_SYSTEM_DISCOVERY],
+          ['ATT&CK', Mitre::Attack::Technique::T1201_PASSWORD_POLICY_DISCOVERY]
         ],
         'DisclosureDate' => '2022-05-19',
         'License' => MSF_LICENSE,

modules/auxiliary/gather/windows_secrets_dump.rb

@@ -71,7 +71,9 @@ module will fallback to the original implementation, which consists
           ['ATT&CK', Mitre::Attack::Technique::T1003_002_SECURITY_ACCOUNT_MANAGER],
           ['ATT&CK', Mitre::Attack::Technique::T1003_004_LSA_SECRETS],
           ['ATT&CK', Mitre::Attack::Technique::T1003_005_CACHED_DOMAIN_CREDENTIALS],
-          ['ATT&CK', Mitre::Attack::Technique::T1003_006_DCSYNC]
+          ['ATT&CK', Mitre::Attack::Technique::T1003_006_DCSYNC],
+          ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_003_NTDS]
         ],
         'Notes' => {
           'Reliability' => [],

modules/auxiliary/scanner/dcerpc/petitpotam.rb

@@ -61,7 +61,9 @@ def initialize
       'References' => [
         [ 'CVE', '2021-36942' ],
         [ 'URL', 'https://github.com/topotam/PetitPotam' ],
-        [ 'URL', 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/403c7ae0-1a3a-4e96-8efc-54e79a2cc451' ]
+        [ 'URL', 'https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/403c7ae0-1a3a-4e96-8efc-54e79a2cc451' ],
+        ['ATT&CK', Mitre::Attack::Technique::T1187_FORCED_AUTHENTICATION],
+        ['ATT&CK', Mitre::Attack::Technique::T1212_EXPLOITATION_FOR_CREDENTIAL_ACCESS]
       ],
       'License' => MSF_LICENSE
     )

modules/auxiliary/scanner/kerberos/kerberos_login.rb

@@ -27,6 +27,10 @@ def initialize(info = {})
           'alanfoster',
         ],
         'References' => [
+          ['ATT&CK', Mitre::Attack::Technique::T1110_001_PASSWORD_GUESSING],
+          ['ATT&CK', Mitre::Attack::Technique::T1110_003_PASSWORD_SPRAYING],
+          ['ATT&CK', Mitre::Attack::Technique::T1589_001_CREDENTIALS],
+          ['ATT&CK', Mitre::Attack::Technique::T1087_002_DOMAIN_ACCOUNT]
         ],
         'License' => MSF_LICENSE,
         'Notes' => {

modules/exploits/windows/smb/psexec.rb

@@ -52,14 +52,13 @@ def initialize(info = {})
           [ 'URL', 'http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx' ],
           [ 'URL', 'https://www.optiv.com/blog/owning-computers-without-shell-access' ],
           [ 'URL', 'http://sourceforge.net/projects/smbexec/' ],
-          [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ],
-          [ 'ATT&CK', Mitre::Attack::Technique::T1569_002_SERVICE_EXECUTION ],
-          [ 'ATT&CK', Mitre::Attack::Technique::T1059_COMMAND_AND_SCRIPTING_INTERPRETER ],
-          [ 'ATT&CK', Mitre::Attack::Technique::T1059_001_POWERSHELL ],
-          [ 'ATT&CK', Mitre::Attack::Technique::T1059_003_WINDOWS_COMMAND_SHELL ],
-          [ 'ATT&CK', Mitre::Attack::Technique::T1077_WINDOWS_ADMIN_SHARES ],
-          [ 'ATT&CK', Mitre::Attack::Technique::T1078_VALID_ACCOUNTS ],
-          [ 'ATT&CK', Mitre::Attack::Technique::T1105_INGRESS_TOOL_TRANSFER ]
+          ['ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES],
+          ['ATT&CK', Mitre::Attack::Technique::T1569_002_SERVICE_EXECUTION],
+          ['ATT&CK', Mitre::Attack::Technique::T1059_001_POWERSHELL],
+          ['ATT&CK', Mitre::Attack::Technique::T1059_003_WINDOWS_COMMAND_SHELL],
+          ['ATT&CK', Mitre::Attack::Technique::T1078_VALID_ACCOUNTS],
+          ['ATT&CK', Mitre::Attack::Technique::T1105_INGRESS_TOOL_TRANSFER],
+          ['ATT&CK', Mitre::Attack::Technique::T1550_002_PASS_THE_HASH]
         ],
         'Payload' => {
           'Space' => 3072,

modules/post/multi/gather/unix_kerberos_tickets.rb

@@ -47,7 +47,11 @@ def initialize(info = {})
           'Stability' => [CRASH_SAFE],
           'SideEffects' => [IOC_IN_LOGS],
           'Reliability' => []
-        }
+        },
+        'References' => [
+          ['ATT&CK', Mitre::Attack::Technique::T1558_STEAL_OR_FORGE_KERBEROS_TICKETS],
+          ['ATT&CK', Mitre::Attack::Technique::T1005_DATA_FROM_LOCAL_SYSTEM]
+        ]
       )
     )
     register_options([

modules/post/windows/manage/kerberos_tickets.rb

@@ -51,7 +51,9 @@ def initialize(info = {})
         'References' => [
           [ 'URL', 'https://github.com/GhostPack/Rubeus' ],
           [ 'URL', 'https://github.com/wavvs/nanorobeus' ],
-          [ 'ATT&CK', Mitre::Attack::Technique::T1003_004_LSA_SECRETS ]
+          ['ATT&CK', Mitre::Attack::Technique::T1558_STEAL_OR_FORGE_KERBEROS_TICKETS],
+          ['ATT&CK', Mitre::Attack::Technique::T1003_004_LSA_SECRETS],
+          ['ATT&CK', Mitre::Attack::Technique::T1005_DATA_FROM_LOCAL_SYSTEM]
         ],
         'Platform' => ['win'],
         'SessionTypes' => %w[meterpreter],