Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -912,6 +912,8 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create
 persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
+persistence,T1136.002,Create Account: Domain Account,4,Active Directory Create Admin Account,562aa072-524e-459a-ba2b-91f1afccf5ab,sh
+persistence,T1136.002,Create Account: Domain Account,5,Active Directory Create User Account (Non-elevated),8c992cb3-a46e-4fd5-b005-b1bab185af31,sh
 persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
 persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
@@ -1370,6 +1372,7 @@ discovery,T1087.002,Account Discovery: Domain Account,19,Suspicious LAPS Attribu
 discovery,T1087.002,Account Discovery: Domain Account,20,Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope,ffbcfd62-15d6-4989-a21a-80bfc8e58bb5,powershell
 discovery,T1087.002,Account Discovery: Domain Account,21,Suspicious LAPS Attributes Query with adfind all properties,abf00f6c-9983-4d9a-afbc-6b1c6c6448e1,powershell
 discovery,T1087.002,Account Discovery: Domain Account,22,Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd,51a98f96-0269-4e09-a10f-e307779a8b05,powershell
+discovery,T1087.002,Account Discovery: Domain Account,23,Active Directory Domain Search,096b6d2a-b63f-4100-8fa0-525da4cd25ca,sh
 discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
 discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
 discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
@@ -1398,6 +1401,7 @@ discovery,T1069.002,Permission Groups Discovery: Domain Groups,11,Get-ADUser Enu
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,14,Active Directory Enumeration with LDIFDE,22cf8cb9-adb1-4e8c-80ca-7c723dfc8784,command_prompt
+discovery,T1069.002,Permission Groups Discovery: Domain Groups,15,Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS,d58d749c-4450-4975-a9e9-8b1d562755c2,sh
 discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -122,6 +122,8 @@ persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injecti
 persistence,T1136.001,Create Account: Local Account,1,Create a user account on a Linux system,40d8eabd-e394-46f6-8785-b9bfa1d011d2,bash
 persistence,T1136.001,Create Account: Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
+persistence,T1136.002,Create Account: Domain Account,4,Active Directory Create Admin Account,562aa072-524e-459a-ba2b-91f1afccf5ab,sh
+persistence,T1136.002,Create Account: Domain Account,5,Active Directory Create User Account (Non-elevated),8c992cb3-a46e-4fd5-b005-b1bab185af31,sh
 persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
@@ -239,6 +241,7 @@ credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,2
 credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
 credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
+discovery,T1087.002,Account Discovery: Domain Account,23,Active Directory Domain Search,096b6d2a-b63f-4100-8fa0-525da4cd25ca,sh
 discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
 discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
 discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
@@ -246,6 +249,7 @@ discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user
 discovery,T1087.001,Account Discovery: Local Account,5,Show if a user account has ever logged in remotely,0f0b6a29-08c3-44ad-a30b-47fd996b2110,sh
 discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
+discovery,T1069.002,Permission Groups Discovery: Domain Groups,15,Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS,d58d749c-4450-4975-a9e9-8b1d562755c2,sh
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
 discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 discovery,T1040,Network Sniffing,9,"Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo",10c710c9-9104-4d5f-8829-5b65391e2a29,bash

atomics/Indexes/Indexes-Markdown/index.md

@@ -1421,6 +1421,8 @@
   - Atomic Test #1: Create a new Windows domain admin user [windows]
   - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
   - Atomic Test #3: Create a new Domain Account using PowerShell [windows]
+  - Atomic Test #4: Active Directory Create Admin Account [linux]
+  - Atomic Test #5: Active Directory Create User Account (Non-elevated) [linux]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1138 Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2173,6 +2175,7 @@
   - Atomic Test #20: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope [windows]
   - Atomic Test #21: Suspicious LAPS Attributes Query with adfind all properties [windows]
   - Atomic Test #22: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd [windows]
+  - Atomic Test #23: Active Directory Domain Search [linux]
 - T1063 Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
   - Atomic Test #1: Enumerate all accounts (Local) [linux]
@@ -2205,6 +2208,7 @@
   - Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
   - Atomic Test #13: Get-DomainGroup with PowerView [windows]
   - Atomic Test #14: Active Directory Enumeration with LDIFDE [windows]
+  - Atomic Test #15: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [linux]
 - [T1007 System Service Discovery](../../T1007/T1007.md)
   - Atomic Test #1: System Service Discovery [windows]
   - Atomic Test #2: System Service Discovery - net.exe [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -241,7 +241,9 @@
 - [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
   - Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
 - T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1136.002 Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
+  - Atomic Test #4: Active Directory Create Admin Account [linux]
+  - Atomic Test #5: Active Directory Create User Account (Non-elevated) [linux]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -564,7 +566,8 @@
 - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
+  - Atomic Test #23: Active Directory Domain Search [linux]
 - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
   - Atomic Test #1: Enumerate all accounts (Local) [linux]
   - Atomic Test #2: View sudoers access [linux, macos]
@@ -574,7 +577,8 @@
   - Atomic Test #6: Enumerate users and groups [linux, macos]
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
   - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
-- T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1069.002 Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md)
+  - Atomic Test #15: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [linux]
 - [T1007 System Service Discovery](../../T1007/T1007.md)
   - Atomic Test #3: System Service Discovery - systemctl [linux]
 - [T1040 Network Sniffing](../../T1040/T1040.md)

atomics/Indexes/Matrices/linux-matrix.md

@@ -5,10 +5,10 @@
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Shell Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemd Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -26,7 +26,7 @@
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Authentication Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
 |  |  | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  |  | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  |  |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
+|  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  |  |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |

atomics/Indexes/index.yaml

@@ -62372,6 +62372,115 @@ persistence:
           '
         name: powershell
         elevation_required: false
+    - name: Active Directory Create Admin Account
+      auto_generated_guid: 562aa072-524e-459a-ba2b-91f1afccf5ab
+      description: 'Use Admin Credentials to Create A Domain Admin Account
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: test
+        admin_user:
+          description: username@domain of a user with admin privileges
+          type: string
+          default: admin@example.test
+        admin_password:
+          description: password of the user with admin privileges referenced in admin_user
+          type: string
+          default: s3CurePssw0rD!
+        domain_controller:
+          description: Name of the domain_controller machine, defined in etc/hosts
+          type: string
+          default: adVM
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available
+
+          '
+        prereq_command: 'which ldapadd && which ldapmodify
+
+          '
+        get_prereq_command: 'echo ldapadd or ldapmodify not found; exit 1
+
+          '
+      executor:
+        elevation_required: false
+        command: |
+          echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
+          echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+          ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+        cleanup_command: |
+          echo removing Atomic User (temporary user)
+          echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+          ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+          rm deleteuser.ldif
+          rm tempadmin.ldif
+        name: sh
+    - name: Active Directory Create User Account (Non-elevated)
+      auto_generated_guid: 8c992cb3-a46e-4fd5-b005-b1bab185af31
+      description: 'Use Admin Credentials to Create A Normal Account (as means of
+        entry)
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: test
+        admin_user:
+          description: username@domain of a user with admin privileges
+          type: string
+          default: user@example.test
+        admin_password:
+          description: password of the user
+          type: string
+          default: s3CurePssw0rD!
+        domain_controller:
+          description: Name of the domain_controller machine, defined in etc/hosts
+          type: string
+          default: adVM
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available, ldapadd, ldapmodify
+
+          '
+        prereq_command: |
+          which ldapadd
+          which ldapmodify
+        get_prereq_command: 'echo ldapadd or ldapmodify not found; exit 1
+
+          '
+      executor:
+        elevation_required: false
+        command: |
+          echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
+          echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+          ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+        cleanup_command: |
+          echo removing Atomic User (temporary user)
+          echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+          ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+          rm deleteuser.ldif
+          rm tempadmin.ldif
+        name: sh
   T1542.002:
     technique:
       x_mitre_platforms:
@@ -96190,6 +96299,52 @@ discovery:
         cleanup_command: 
         name: powershell
         elevation_required: false
+    - name: Active Directory Domain Search
+      auto_generated_guid: '096b6d2a-b63f-4100-8fa0-525da4cd25ca'
+      description: 'Output information from LDAPSearch. LDAP Password is the admin-user
+        password on Active Directory
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: test
+        user:
+          description: username@domain of a user within the ad database
+          type: string
+          default: user@example.test
+        password:
+          description: password of the user with admin privileges referenced in admin_user
+          type: string
+          default: s3CurePssw0rD!
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available, ldapsearch
+
+          '
+        prereq_command: 'which ldapsearch
+
+          '
+        get_prereq_command: 'echo ldapsearch not found
+
+          '
+      executor:
+        elevation_required: false
+        command: 'ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user}
+          -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub
+          -a always -z 1000 dn
+
+          '
+        name: sh
   T1063:
     technique:
       x_mitre_platforms:
@@ -96976,6 +97131,50 @@ discovery:
 
           '
         name: command_prompt
+    - name: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS
+      auto_generated_guid: d58d749c-4450-4975-a9e9-8b1d562755c2
+      description: 'Output information from LDAPSearch. LDAP Password is the admin-user
+        password on Active Directory
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: com
+        user:
+          description: username@domain of a user
+          type: string
+          default: user@example.com
+        password:
+          description: password of the user referenced inside user
+          type: string
+          default: s3CurePssw0rD!
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available, ldapsearch
+
+          '
+        prereq_command: 'which ldapsearch
+
+          '
+        get_prereq_command: 'echo missing ldapsearch command; exit 1
+
+          '
+      executor:
+        elevation_required: false
+        command: "ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user}
+          -w #{password} -b \"CN=Users,DC=#{domain},DC=#{top_level_domain}\" \"(objectClass=group)\"
+          -s sub -a always -z 1000 dn \n"
+        name: sh
   T1007:
     technique:
       modified: '2023-04-03T18:55:18.326Z'

atomics/Indexes/linux-index.yaml

@@ -41641,7 +41641,116 @@ persistence:
       x_mitre_permissions_required:
       - Administrator
       identifier: T1136.002
-    atomic_tests: []
+    atomic_tests:
+    - name: Active Directory Create Admin Account
+      auto_generated_guid: 562aa072-524e-459a-ba2b-91f1afccf5ab
+      description: 'Use Admin Credentials to Create A Domain Admin Account
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: test
+        admin_user:
+          description: username@domain of a user with admin privileges
+          type: string
+          default: admin@example.test
+        admin_password:
+          description: password of the user with admin privileges referenced in admin_user
+          type: string
+          default: s3CurePssw0rD!
+        domain_controller:
+          description: Name of the domain_controller machine, defined in etc/hosts
+          type: string
+          default: adVM
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available
+
+          '
+        prereq_command: 'which ldapadd && which ldapmodify
+
+          '
+        get_prereq_command: 'echo ldapadd or ldapmodify not found; exit 1
+
+          '
+      executor:
+        elevation_required: false
+        command: |
+          echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
+          echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+          ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+        cleanup_command: |
+          echo removing Atomic User (temporary user)
+          echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+          ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+          rm deleteuser.ldif
+          rm tempadmin.ldif
+        name: sh
+    - name: Active Directory Create User Account (Non-elevated)
+      auto_generated_guid: 8c992cb3-a46e-4fd5-b005-b1bab185af31
+      description: 'Use Admin Credentials to Create A Normal Account (as means of
+        entry)
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: test
+        admin_user:
+          description: username@domain of a user with admin privileges
+          type: string
+          default: user@example.test
+        admin_password:
+          description: password of the user
+          type: string
+          default: s3CurePssw0rD!
+        domain_controller:
+          description: Name of the domain_controller machine, defined in etc/hosts
+          type: string
+          default: adVM
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available, ldapadd, ldapmodify
+
+          '
+        prereq_command: |
+          which ldapadd
+          which ldapmodify
+        get_prereq_command: 'echo ldapadd or ldapmodify not found; exit 1
+
+          '
+      executor:
+        elevation_required: false
+        command: |
+          echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
+          echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+          ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+        cleanup_command: |
+          echo removing Atomic User (temporary user)
+          echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+          ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+          rm deleteuser.ldif
+          rm tempadmin.ldif
+        name: sh
   T1542.002:
     technique:
       x_mitre_platforms:
@@ -63862,7 +63971,53 @@ discovery:
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1087.002
-    atomic_tests: []
+    atomic_tests:
+    - name: Active Directory Domain Search
+      auto_generated_guid: '096b6d2a-b63f-4100-8fa0-525da4cd25ca'
+      description: 'Output information from LDAPSearch. LDAP Password is the admin-user
+        password on Active Directory
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: test
+        user:
+          description: username@domain of a user within the ad database
+          type: string
+          default: user@example.test
+        password:
+          description: password of the user with admin privileges referenced in admin_user
+          type: string
+          default: s3CurePssw0rD!
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available, ldapsearch
+
+          '
+        prereq_command: 'which ldapsearch
+
+          '
+        get_prereq_command: 'echo ldapsearch not found
+
+          '
+      executor:
+        elevation_required: false
+        command: 'ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user}
+          -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub
+          -a always -z 1000 dn
+
+          '
+        name: sh
   T1063:
     technique:
       x_mitre_platforms:
@@ -64244,7 +64399,51 @@ discovery:
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       identifier: T1069.002
-    atomic_tests: []
+    atomic_tests:
+    - name: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS
+      auto_generated_guid: d58d749c-4450-4975-a9e9-8b1d562755c2
+      description: 'Output information from LDAPSearch. LDAP Password is the admin-user
+        password on Active Directory
+
+        '
+      supported_platforms:
+      - linux
+      input_arguments:
+        domain:
+          description: The domain to be tested
+          type: string
+          default: example
+        top_level_domain:
+          description: The top level domain (.com, .test, .remote, etc... following
+            domain, minus the .)
+          type: string
+          default: com
+        user:
+          description: username@domain of a user
+          type: string
+          default: user@example.com
+        password:
+          description: password of the user referenced inside user
+          type: string
+          default: s3CurePssw0rD!
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'Packages sssd-ad sssd-tools realmd adcli installed and realm
+          available, ldapsearch
+
+          '
+        prereq_command: 'which ldapsearch
+
+          '
+        get_prereq_command: 'echo missing ldapsearch command; exit 1
+
+          '
+      executor:
+        elevation_required: false
+        command: "ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user}
+          -w #{password} -b \"CN=Users,DC=#{domain},DC=#{top_level_domain}\" \"(objectClass=group)\"
+          -s sub -a always -z 1000 dn \n"
+        name: sh
   T1007:
     technique:
       modified: '2023-04-03T18:55:18.326Z'

atomics/T1069.002/T1069.002.md

@@ -34,6 +34,8 @@ Commands such as <code>net group /domain</code> of the [Net](https://attack.mitr
 
 - [Atomic Test #14 - Active Directory Enumeration with LDIFDE](#atomic-test-14---active-directory-enumeration-with-ldifde)
 
+- [Atomic Test #15 - Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS](#atomic-test-15---active-directory-domain-search-using-ldap---linux-ubuntumacos)
+
 
 <br/>
 
@@ -545,4 +547,52 @@ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #15 - Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS
+Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** d58d749c-4450-4975-a9e9-8b1d562755c2
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domain | The domain to be tested | string | example|
+| top_level_domain | The top level domain (.com, .test, .remote, etc... following domain, minus the .) | string | com|
+| user | username@domain of a user | string | user@example.com|
+| password | password of the user referenced inside user | string | s3CurePssw0rD!|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" "(objectClass=group)" -s sub -a always -z 1000 dn
+```
+
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapsearch
+##### Check Prereq Commands:
+```sh
+which ldapsearch
+```
+##### Get Prereq Commands:
+```sh
+echo missing ldapsearch command; exit 1
+```
+
+
+
+
 <br/>

atomics/T1087.002/T1087.002.md

@@ -50,6 +50,8 @@ Commands such as <code>net user /domain</code> and <code>net group /domain</code
 
 - [Atomic Test #22 - Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd](#atomic-test-22---suspicious-laps-attributes-query-with-adfind-ms-mcs-admpwd)
 
+- [Atomic Test #23 - Active Directory Domain Search](#atomic-test-23---active-directory-domain-search)
+
 
 <br/>
 
@@ -850,4 +852,52 @@ PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} -s subtree -f "o
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #23 - Active Directory Domain Search
+Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 096b6d2a-b63f-4100-8fa0-525da4cd25ca
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domain | The domain to be tested | string | example|
+| top_level_domain | The top level domain (.com, .test, .remote, etc... following domain, minus the .) | string | test|
+| user | username@domain of a user within the ad database | string | user@example.test|
+| password | password of the user with admin privileges referenced in admin_user | string | s3CurePssw0rD!|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
+```
+
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapsearch
+##### Check Prereq Commands:
+```sh
+which ldapsearch
+```
+##### Get Prereq Commands:
+```sh
+echo ldapsearch not found
+```
+
+
+
+
 <br/>

atomics/T1136.002/T1136.002.md

@@ -12,6 +12,10 @@ Such accounts may be used to establish secondary credentialed access that do not
 
 - [Atomic Test #3 - Create a new Domain Account using PowerShell](#atomic-test-3---create-a-new-domain-account-using-powershell)
 
+- [Atomic Test #4 - Active Directory Create Admin Account](#atomic-test-4---active-directory-create-admin-account)
+
+- [Atomic Test #5 - Active Directory Create User Account (Non-elevated)](#atomic-test-5---active-directory-create-user-account-non-elevated)
+
 
 <br/>
 
@@ -140,4 +144,123 @@ cmd /c "net user #{username} /del >nul 2>&1"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #4 - Active Directory Create Admin Account
+Use Admin Credentials to Create A Domain Admin Account
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 562aa072-524e-459a-ba2b-91f1afccf5ab
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domain | The domain to be tested | string | example|
+| top_level_domain | The top level domain (.com, .test, .remote, etc... following domain, minus the .) | string | test|
+| admin_user | username@domain of a user with admin privileges | string | admin@example.test|
+| admin_password | password of the user with admin privileges referenced in admin_user | string | s3CurePssw0rD!|
+| domain_controller | Name of the domain_controller machine, defined in etc/hosts | string | adVM|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+echo "dn: CN=Admin User,CN=Users,DC=#{domain},DC=#{top_level_domain}\nchangetype: add\nobjectClass: top\nobjectClass: person\nobjectClass: organizationalPerson\nobjectClass: user\ncn: Admin User\nsn: User\ngivenName: Atomic User\nuserPrincipalName: adminuser@#{domain}.#{top_level_domain}\nsAMAccountName: adminuser\nuserAccountControl: 512\nuserPassword: {CLEARTEXT}s3CureP4ssword123!\nmemberOf: CN=Domain Admins,CN=Users,DC=#{domain},DC=#{top_level_domain}" > tempadmin.ldif
+echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+```
+
+#### Cleanup Commands:
+```sh
+echo removing Atomic User (temporary user)
+echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+rm deleteuser.ldif
+rm tempadmin.ldif
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available
+##### Check Prereq Commands:
+```sh
+which ldapadd && which ldapmodify
+```
+##### Get Prereq Commands:
+```sh
+echo ldapadd or ldapmodify not found; exit 1
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Active Directory Create User Account (Non-elevated)
+Use Admin Credentials to Create A Normal Account (as means of entry)
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 8c992cb3-a46e-4fd5-b005-b1bab185af31
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domain | The domain to be tested | string | example|
+| top_level_domain | The top level domain (.com, .test, .remote, etc... following domain, minus the .) | string | test|
+| admin_user | username@domain of a user with admin privileges | string | user@example.test|
+| admin_password | password of the user | string | s3CurePssw0rD!|
+| domain_controller | Name of the domain_controller machine, defined in etc/hosts | string | adVM|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+echo "dn: cn=Atomic User, cn=Users,dc=#{domain},dc=#{top_level_domain}\nobjectClass: person\ncn: Atomic User\nsn: User" > tempadmin.ldif
+echo ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+ldapadd -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{admin_user} -w #{admin_password} -f tempadmin.ldif
+```
+
+#### Cleanup Commands:
+```sh
+echo removing Atomic User (temporary user)
+echo "dn: cn=Atomic User,cn=Users,dc=scwxscratch,dc=dev\nchangetype: delete" > deleteuser.ldif
+ldapmodify -H ldap://#{domain_controller}:389 -x -D #{admin_user} -w #{admin_password} -f deleteuser.ldif
+rm deleteuser.ldif
+rm tempadmin.ldif
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapadd, ldapmodify
+##### Check Prereq Commands:
+```sh
+which ldapadd
+which ldapmodify
+```
+##### Get Prereq Commands:
+```sh
+echo ldapadd or ldapmodify not found; exit 1
+```
+
+
+
+
 <br/>