Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2025-01-16 00:41:19 +00:00
parent 818c23bdab
commit 059c77f008
8 changed files with 117 additions and 117 deletions
+2 -2
@@ -45669,7 +45669,7 @@ credential-access:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -51425,7 +51425,7 @@ discovery:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
+2 -2
@@ -11964,7 +11964,7 @@ defense-evasion:
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
cleanup_command:
name: sh
elevation_required: false
- name: AWS CloudWatch Log Stream Deletes
@@ -12009,7 +12009,7 @@ defense-evasion:
echo "*** Log Stream Deleted ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
cleanup_command:
name: sh
elevation_required: false
T1564.003:
+13 -13
@@ -11655,11 +11655,11 @@ defense-evasion:
username:
description: Azure username
type: string
default:
default:
password:
description: Azure password
type: string
default:
default:
event_hub_name:
description: Name of the eventhub
type: string
@@ -11667,11 +11667,11 @@ defense-evasion:
resource_group:
description: Name of the resource group
type: string
default:
default:
name_space_name:
description: Name of the NameSpace
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Install-Module -Name Az
@@ -40955,11 +40955,11 @@ collection:
container_name:
description: Container name to search for (optional)
type: string
default:
default:
blob_name:
description: Blob name to search for (optional)
type: string
default:
default:
executor:
command: |
try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
@@ -47519,7 +47519,7 @@ credential-access:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -47531,7 +47531,7 @@ credential-access:
subscription_id:
description: Azure subscription id to search
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
@@ -52336,7 +52336,7 @@ discovery:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -52348,7 +52348,7 @@ discovery:
subscription_name:
description: Azure subscription name to scan
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'The Get-AzDomainInfo script must exist in PathToAtomicsFolder\..\ExternalPayloads.
@@ -52395,15 +52395,15 @@ discovery:
client_id:
description: Azure AD client ID
type: string
default:
default:
client_secret:
description: Azure AD client secret
type: string
default:
default:
tenant_id:
description: Azure AD tenant ID
type: string
default:
default:
cloud:
description: Azure cloud environment
type: string
+58 -58
@@ -771,7 +771,7 @@ defense-evasion:
default: "'%windir%\\System32\\calc.exe'"
executor:
command: rundll32.exe zipfldr.dll,RouteTheCall "#{exe_to_launch}"
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
T1027.009:
@@ -8006,7 +8006,7 @@ defense-evasion:
default: C:\Windows\System32\calc.exe
executor:
command: Scriptrunner.exe -appvscript "#{payload_path}"
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Indirect Command Execution - RunMRU Dialog
@@ -8441,7 +8441,7 @@ defense-evasion:
text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()),
key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command,
key); subprocess.call(exec, shell=True)'''
cleanup_command:
cleanup_command:
name: bash
elevation_required: false
T1562:
@@ -17693,7 +17693,7 @@ defense-evasion:
description: Ticket file name usually format of 'id-username\@domain.kirbi'
(e.g. can be dumped by "sekurlsa::tickets /export" module)
type: string
default:
default:
mimikatz_exe:
description: Path of the Mimikatz binary
type: path
@@ -22268,11 +22268,11 @@ defense-evasion:
username:
description: office-365 username
type: string
default:
default:
password:
description: office-365 password
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
@@ -27042,11 +27042,11 @@ defense-evasion:
username:
description: Azure username
type: string
default:
default:
password:
description: Azure password
type: string
default:
default:
event_hub_name:
description: Name of the eventhub
type: string
@@ -27054,11 +27054,11 @@ defense-evasion:
resource_group:
description: Name of the resource group
type: string
default:
default:
name_space_name:
description: Name of the NameSpace
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Install-Module -Name Az
@@ -27121,11 +27121,11 @@ defense-evasion:
username:
description: office-365 username
type: string
default:
default:
password:
description: office-365 password
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
@@ -27376,7 +27376,7 @@ defense-evasion:
echo "*** Log Group Created ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
cleanup_command:
name: sh
elevation_required: false
- name: AWS CloudWatch Log Stream Deletes
@@ -27421,7 +27421,7 @@ defense-evasion:
echo "*** Log Stream Deleted ***"
aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json
echo "*** Log Group Deleted ***"
cleanup_command:
cleanup_command:
name: sh
elevation_required: false
- name: Office 365 - Set Audit Bypass For a Mailbox
@@ -53229,7 +53229,7 @@ execution:
'
type: url
default:
default:
c2_parent_directory:
description: |
Parent directory where you have the "malicious" file on c2_domain server.
@@ -56145,7 +56145,7 @@ execution:
- linux
executor:
command: busybox sh &
cleanup_command:
cleanup_command:
name: sh
elevation_required: false
- name: emacs spawning an interactive system shell
@@ -76794,7 +76794,7 @@ command-and-control:
MSP360_Download_Url:
description: URL to download MSP360 Connect from
type: url
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'MSP360 must exist at (#{MSP360_Connect_Path})
@@ -83392,11 +83392,11 @@ collection:
container_name:
description: Container name to search for (optional)
type: string
default:
default:
blob_name:
description: Blob name to search for (optional)
type: string
default:
default:
executor:
command: |
try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"}
@@ -84613,11 +84613,11 @@ collection:
username:
description: office-365 username
type: string
default:
default:
password:
description: office-365 password
type: string
default:
default:
rule_name:
description: email rule name
type: string
@@ -85036,23 +85036,23 @@ collection:
and Application.ReadWrite.All Scope (eg, Global Administrator Role) and
sign-in method is password
type: string
default:
default:
password:
description: Entra user password
type: string
default:
default:
1st_target_mailbox:
description: office-365 target_email_address
type: string
default:
default:
2nd_target_mailbox:
description: office-365 target_email_address
type: string
default:
default:
3rd_target_mailbox:
description: office-365 target_email_address
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft Graph PowerShell SDK must be installed.
@@ -87089,7 +87089,7 @@ lateral-movement:
description: Ticket file name usually format of 'id-username\@domain.kirbi'
(e.g. can be dumped by "sekurlsa::tickets /export" module)
type: string
default:
default:
mimikatz_exe:
description: Path of the Mimikatz binary
type: path
@@ -90221,7 +90221,7 @@ credential-access:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -96449,7 +96449,7 @@ credential-access:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -96461,7 +96461,7 @@ credential-access:
subscription_id:
description: Azure subscription id to search
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads.
@@ -99050,7 +99050,7 @@ credential-access:
description: command flags you would like to run (optional and blank by
default)
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Computer must be domain joined
@@ -100677,7 +100677,7 @@ discovery:
command: |
driverquery /v /fo list
driverquery /si /fo list
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
T1087.002:
@@ -100828,7 +100828,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -100861,7 +100861,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -100893,7 +100893,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -100925,7 +100925,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -101150,7 +101150,7 @@ discovery:
default: "$env:computername"
executor:
command: 'Get-ADComputer #{hostname} -Properties *'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
@@ -101166,7 +101166,7 @@ discovery:
default: "$env:computername"
executor:
command: 'Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with Get-ADComputer all properties and
@@ -101180,7 +101180,7 @@ discovery:
executor:
command: Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties
*
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with adfind all properties
@@ -101195,7 +101195,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
domain:
description: Domain of the host
type: string
@@ -101205,7 +101205,7 @@ discovery:
-h #{domain} -s subtree -f "objectclass=computer" *
'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd
@@ -101220,7 +101220,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
domain:
description: Domain of the host
type: string
@@ -101230,7 +101230,7 @@ discovery:
-h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Active Directory Domain Search
@@ -101992,7 +101992,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -103752,7 +103752,7 @@ discovery:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -105082,7 +105082,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -105390,7 +105390,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -105422,7 +105422,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -107951,7 +107951,7 @@ discovery:
username:
description: Azure AD username
type: string
default:
default:
password:
description: Azure AD password
type: string
@@ -107963,7 +107963,7 @@ discovery:
subscription_name:
description: Azure subscription name to scan
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'The Get-AzDomainInfo script must exist in PathToAtomicsFolder\..\ExternalPayloads.
@@ -108067,15 +108067,15 @@ discovery:
client_id:
description: Azure AD client ID
type: string
default:
default:
client_secret:
description: Azure AD client secret
type: string
default:
default:
tenant_id:
description: Azure AD tenant ID
type: string
default:
default:
cloud:
description: Azure cloud environment
type: string
@@ -108411,7 +108411,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -108443,7 +108443,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -121955,7 +121955,7 @@ exfiltration:
description: Set to '-b32' to use base32 encoding of data. Might be required
by some DNS resolvers.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'DNSExfiltrator powershell file must exist on disk at specified
@@ -122702,11 +122702,11 @@ exfiltration:
username:
description: Username for FTP server login
type: string
default:
default:
password:
description: Password for FTP server login
type: string
default:
default:
executor:
command: |
$Dir_to_copy = "$env:windir\temp"
+2 -2
@@ -4953,7 +4953,7 @@ defense-evasion:
text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()),
key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command,
key); subprocess.call(exec, shell=True)'''
cleanup_command:
cleanup_command:
name: bash
elevation_required: false
T1562:
@@ -32070,7 +32070,7 @@ execution:
- linux
executor:
command: busybox sh &
cleanup_command:
cleanup_command:
name: sh
elevation_required: false
- name: emacs spawning an interactive system shell
+1 -1
@@ -4511,7 +4511,7 @@ defense-evasion:
text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()),
key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command,
key); subprocess.call(exec, shell=True)'''
cleanup_command:
cleanup_command:
name: bash
elevation_required: false
T1562:
+11 -11
@@ -9410,11 +9410,11 @@ defense-evasion:
username:
description: office-365 username
type: string
default:
default:
password:
description: office-365 password
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
@@ -11698,11 +11698,11 @@ defense-evasion:
username:
description: office-365 username
type: string
default:
default:
password:
description: office-365 password
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
@@ -41363,11 +41363,11 @@ collection:
username:
description: office-365 username
type: string
default:
default:
password:
description: office-365 password
type: string
default:
default:
rule_name:
description: email rule name
type: string
@@ -41646,23 +41646,23 @@ collection:
and Application.ReadWrite.All Scope (eg, Global Administrator Role) and
sign-in method is password
type: string
default:
default:
password:
description: Entra user password
type: string
default:
default:
1st_target_mailbox:
description: office-365 target_email_address
type: string
default:
default:
2nd_target_mailbox:
description: office-365 target_email_address
type: string
default:
default:
3rd_target_mailbox:
description: office-365 target_email_address
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Microsoft Graph PowerShell SDK must be installed.
+28 -28
@@ -771,7 +771,7 @@ defense-evasion:
default: "'%windir%\\System32\\calc.exe'"
executor:
command: rundll32.exe zipfldr.dll,RouteTheCall "#{exe_to_launch}"
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
T1027.009:
@@ -6328,7 +6328,7 @@ defense-evasion:
default: C:\Windows\System32\calc.exe
executor:
command: Scriptrunner.exe -appvscript "#{payload_path}"
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Indirect Command Execution - RunMRU Dialog
@@ -14425,7 +14425,7 @@ defense-evasion:
description: Ticket file name usually format of 'id-username\@domain.kirbi'
(e.g. can be dumped by "sekurlsa::tickets /export" module)
type: string
default:
default:
mimikatz_exe:
description: Path of the Mimikatz binary
type: path
@@ -44193,7 +44193,7 @@ execution:
'
type: url
default:
default:
c2_parent_directory:
description: |
Parent directory where you have the "malicious" file on c2_domain server.
@@ -63423,7 +63423,7 @@ command-and-control:
MSP360_Download_Url:
description: URL to download MSP360 Connect from
type: url
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'MSP360 must exist at (#{MSP360_Connect_Path})
@@ -72021,7 +72021,7 @@ lateral-movement:
description: Ticket file name usually format of 'id-username\@domain.kirbi'
(e.g. can be dumped by "sekurlsa::tickets /export" module)
type: string
default:
default:
mimikatz_exe:
description: Path of the Mimikatz binary
type: path
@@ -81679,7 +81679,7 @@ credential-access:
description: command flags you would like to run (optional and blank by
default)
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'Computer must be domain joined
@@ -83079,7 +83079,7 @@ discovery:
command: |
driverquery /v /fo list
driverquery /si /fo list
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
T1087.002:
@@ -83230,7 +83230,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -83263,7 +83263,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -83295,7 +83295,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -83327,7 +83327,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -83552,7 +83552,7 @@ discovery:
default: "$env:computername"
executor:
command: 'Get-ADComputer #{hostname} -Properties *'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
@@ -83568,7 +83568,7 @@ discovery:
default: "$env:computername"
executor:
command: 'Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with Get-ADComputer all properties and
@@ -83582,7 +83582,7 @@ discovery:
executor:
command: Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties
*
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with adfind all properties
@@ -83597,7 +83597,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
domain:
description: Domain of the host
type: string
@@ -83607,7 +83607,7 @@ discovery:
-h #{domain} -s subtree -f "objectclass=computer" *
'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd
@@ -83622,7 +83622,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
domain:
description: Domain of the host
type: string
@@ -83632,7 +83632,7 @@ discovery:
-h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
'
cleanup_command:
cleanup_command:
name: powershell
elevation_required: false
T1087.001:
@@ -84115,7 +84115,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -86170,7 +86170,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -86458,7 +86458,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -86490,7 +86490,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -88817,7 +88817,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -88849,7 +88849,7 @@ discovery:
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -100901,7 +100901,7 @@ exfiltration:
description: Set to '-b32' to use base32 encoding of data. Might be required
by some DNS resolvers.
type: string
default:
default:
dependency_executor_name: powershell
dependencies:
- description: 'DNSExfiltrator powershell file must exist on disk at specified
@@ -101525,11 +101525,11 @@ exfiltration:
username:
description: Username for FTP server login
type: string
default:
default:
password:
description: Password for FTP server login
type: string
default:
default:
executor:
command: |
$Dir_to_copy = "$env:windir\temp"