diff --git a/atomics/Indexes/azure-ad-index.yaml b/atomics/Indexes/azure-ad-index.yaml index c025bf37..6f64b6e2 100644 --- a/atomics/Indexes/azure-ad-index.yaml +++ b/atomics/Indexes/azure-ad-index.yaml @@ -45669,7 +45669,7 @@ credential-access: username: description: Azure AD username type: string - default: + default: password: description: Azure AD password type: string @@ -51425,7 +51425,7 @@ discovery: username: description: Azure AD username type: string - default: + default: password: description: Azure AD password type: string diff --git a/atomics/Indexes/iaas_aws-index.yaml b/atomics/Indexes/iaas_aws-index.yaml index a9495f29..03b7f187 100644 --- a/atomics/Indexes/iaas_aws-index.yaml +++ b/atomics/Indexes/iaas_aws-index.yaml @@ -11964,7 +11964,7 @@ defense-evasion: echo "*** Log Group Created ***" aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json echo "*** Log Group Deleted ***" - cleanup_command: + cleanup_command: name: sh elevation_required: false - name: AWS CloudWatch Log Stream Deletes @@ -12009,7 +12009,7 @@ defense-evasion: echo "*** Log Stream Deleted ***" aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json echo "*** Log Group Deleted ***" - cleanup_command: + cleanup_command: name: sh elevation_required: false T1564.003: diff --git a/atomics/Indexes/iaas_azure-index.yaml b/atomics/Indexes/iaas_azure-index.yaml index 9b9aa742..4cf5fdb3 100644 --- a/atomics/Indexes/iaas_azure-index.yaml +++ b/atomics/Indexes/iaas_azure-index.yaml @@ -11655,11 +11655,11 @@ defense-evasion: username: description: Azure username type: string - default: + default: password: description: Azure password type: string - default: + default: event_hub_name: description: Name of the eventhub type: string @@ -11667,11 +11667,11 @@ defense-evasion: resource_group: description: Name of the resource group type: string - default: + default: name_space_name: description: Name of the NameSpace type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'Install-Module -Name Az @@ -40955,11 +40955,11 @@ collection: container_name: description: Container name to search for (optional) type: string - default: + default: blob_name: description: Blob name to search for (optional) type: string - default: + default: executor: command: | try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"} @@ -47519,7 +47519,7 @@ credential-access: username: description: Azure AD username type: string - default: + default: password: description: Azure AD password type: string @@ -47531,7 +47531,7 @@ credential-access: subscription_id: description: Azure subscription id to search type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads. @@ -52336,7 +52336,7 @@ discovery: username: description: Azure AD username type: string - default: + default: password: description: Azure AD password type: string @@ -52348,7 +52348,7 @@ discovery: subscription_name: description: Azure subscription name to scan type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'The Get-AzDomainInfo script must exist in PathToAtomicsFolder\..\ExternalPayloads. @@ -52395,15 +52395,15 @@ discovery: client_id: description: Azure AD client ID type: string - default: + default: client_secret: description: Azure AD client secret type: string - default: + default: tenant_id: description: Azure AD tenant ID type: string - default: + default: cloud: description: Azure cloud environment type: string diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index d8a0d36f..28eee3ea 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -771,7 +771,7 @@ defense-evasion: default: "'%windir%\\System32\\calc.exe'" executor: command: rundll32.exe zipfldr.dll,RouteTheCall "#{exe_to_launch}" - cleanup_command: + cleanup_command: name: powershell elevation_required: false T1027.009: @@ -8006,7 +8006,7 @@ defense-evasion: default: C:\Windows\System32\calc.exe executor: command: Scriptrunner.exe -appvscript "#{payload_path}" - cleanup_command: + cleanup_command: name: powershell elevation_required: false - name: Indirect Command Execution - RunMRU Dialog @@ -8441,7 +8441,7 @@ defense-evasion: text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command, key); subprocess.call(exec, shell=True)''' - cleanup_command: + cleanup_command: name: bash elevation_required: false T1562: @@ -17693,7 +17693,7 @@ defense-evasion: description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) type: string - default: + default: mimikatz_exe: description: Path of the Mimikatz binary type: path @@ -22268,11 +22268,11 @@ defense-evasion: username: description: office-365 username type: string - default: + default: password: description: office-365 password type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'ExchangeOnlineManagement PowerShell module must be installed @@ -27042,11 +27042,11 @@ defense-evasion: username: description: Azure username type: string - default: + default: password: description: Azure password type: string - default: + default: event_hub_name: description: Name of the eventhub type: string @@ -27054,11 +27054,11 @@ defense-evasion: resource_group: description: Name of the resource group type: string - default: + default: name_space_name: description: Name of the NameSpace type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'Install-Module -Name Az @@ -27121,11 +27121,11 @@ defense-evasion: username: description: office-365 username type: string - default: + default: password: description: office-365 password type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'ExchangeOnlineManagement PowerShell module must be installed @@ -27376,7 +27376,7 @@ defense-evasion: echo "*** Log Group Created ***" aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json echo "*** Log Group Deleted ***" - cleanup_command: + cleanup_command: name: sh elevation_required: false - name: AWS CloudWatch Log Stream Deletes @@ -27421,7 +27421,7 @@ defense-evasion: echo "*** Log Stream Deleted ***" aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json echo "*** Log Group Deleted ***" - cleanup_command: + cleanup_command: name: sh elevation_required: false - name: Office 365 - Set Audit Bypass For a Mailbox @@ -53229,7 +53229,7 @@ execution: ' type: url - default: + default: c2_parent_directory: description: | Parent directory where you have the "malicious" file on c2_domain server. @@ -56145,7 +56145,7 @@ execution: - linux executor: command: busybox sh & - cleanup_command: + cleanup_command: name: sh elevation_required: false - name: emacs spawning an interactive system shell @@ -76794,7 +76794,7 @@ command-and-control: MSP360_Download_Url: description: URL to download MSP360 Connect from type: url - default: + default: dependency_executor_name: powershell dependencies: - description: 'MSP360 must exist at (#{MSP360_Connect_Path}) @@ -83392,11 +83392,11 @@ collection: container_name: description: Container name to search for (optional) type: string - default: + default: blob_name: description: Blob name to search for (optional) type: string - default: + default: executor: command: | try{$response = invoke-webrequest "https://#{base_name}.blob.core.windows.net/#{container_name}/#{blob_name}" -method "GET"} @@ -84613,11 +84613,11 @@ collection: username: description: office-365 username type: string - default: + default: password: description: office-365 password type: string - default: + default: rule_name: description: email rule name type: string @@ -85036,23 +85036,23 @@ collection: and Application.ReadWrite.All Scope (eg, Global Administrator Role) and sign-in method is password type: string - default: + default: password: description: Entra user password type: string - default: + default: 1st_target_mailbox: description: office-365 target_email_address type: string - default: + default: 2nd_target_mailbox: description: office-365 target_email_address type: string - default: + default: 3rd_target_mailbox: description: office-365 target_email_address type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'Microsoft Graph PowerShell SDK must be installed. @@ -87089,7 +87089,7 @@ lateral-movement: description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) type: string - default: + default: mimikatz_exe: description: Path of the Mimikatz binary type: path @@ -90221,7 +90221,7 @@ credential-access: username: description: Azure AD username type: string - default: + default: password: description: Azure AD password type: string @@ -96449,7 +96449,7 @@ credential-access: username: description: Azure AD username type: string - default: + default: password: description: Azure AD password type: string @@ -96461,7 +96461,7 @@ credential-access: subscription_id: description: Azure subscription id to search type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'The Get-AzurePasswords script must exist in PathToAtomicsFolder\..\ExternalPayloads. @@ -99050,7 +99050,7 @@ credential-access: description: command flags you would like to run (optional and blank by default) type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined @@ -100677,7 +100677,7 @@ discovery: command: | driverquery /v /fo list driverquery /si /fo list - cleanup_command: + cleanup_command: name: powershell elevation_required: false T1087.002: @@ -100828,7 +100828,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -100861,7 +100861,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -100893,7 +100893,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -100925,7 +100925,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -101150,7 +101150,7 @@ discovery: default: "$env:computername" executor: command: 'Get-ADComputer #{hostname} -Properties *' - cleanup_command: + cleanup_command: name: powershell elevation_required: false - name: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property @@ -101166,7 +101166,7 @@ discovery: default: "$env:computername" executor: command: 'Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime' - cleanup_command: + cleanup_command: name: powershell elevation_required: false - name: Suspicious LAPS Attributes Query with Get-ADComputer all properties and @@ -101180,7 +101180,7 @@ discovery: executor: command: Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties * - cleanup_command: + cleanup_command: name: powershell elevation_required: false - name: Suspicious LAPS Attributes Query with adfind all properties @@ -101195,7 +101195,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: domain: description: Domain of the host type: string @@ -101205,7 +101205,7 @@ discovery: -h #{domain} -s subtree -f "objectclass=computer" * ' - cleanup_command: + cleanup_command: name: powershell elevation_required: false - name: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd @@ -101220,7 +101220,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: domain: description: Domain of the host type: string @@ -101230,7 +101230,7 @@ discovery: -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime ' - cleanup_command: + cleanup_command: name: powershell elevation_required: false - name: Active Directory Domain Search @@ -101992,7 +101992,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -103752,7 +103752,7 @@ discovery: username: description: Azure AD username type: string - default: + default: password: description: Azure AD password type: string @@ -105082,7 +105082,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -105390,7 +105390,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -105422,7 +105422,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -107951,7 +107951,7 @@ discovery: username: description: Azure AD username type: string - default: + default: password: description: Azure AD password type: string @@ -107963,7 +107963,7 @@ discovery: subscription_name: description: Azure subscription name to scan type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'The Get-AzDomainInfo script must exist in PathToAtomicsFolder\..\ExternalPayloads. @@ -108067,15 +108067,15 @@ discovery: client_id: description: Azure AD client ID type: string - default: + default: client_secret: description: Azure AD client secret type: string - default: + default: tenant_id: description: Azure AD tenant ID type: string - default: + default: cloud: description: Azure cloud environment type: string @@ -108411,7 +108411,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -108443,7 +108443,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -121955,7 +121955,7 @@ exfiltration: description: Set to '-b32' to use base32 encoding of data. Might be required by some DNS resolvers. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'DNSExfiltrator powershell file must exist on disk at specified @@ -122702,11 +122702,11 @@ exfiltration: username: description: Username for FTP server login type: string - default: + default: password: description: Password for FTP server login type: string - default: + default: executor: command: | $Dir_to_copy = "$env:windir\temp" diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml index 56809b30..1406f4aa 100644 --- a/atomics/Indexes/linux-index.yaml +++ b/atomics/Indexes/linux-index.yaml @@ -4953,7 +4953,7 @@ defense-evasion: text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command, key); subprocess.call(exec, shell=True)''' - cleanup_command: + cleanup_command: name: bash elevation_required: false T1562: @@ -32070,7 +32070,7 @@ execution: - linux executor: command: busybox sh & - cleanup_command: + cleanup_command: name: sh elevation_required: false - name: emacs spawning an interactive system shell diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml index 76a2f619..1e4f74cb 100644 --- a/atomics/Indexes/macos-index.yaml +++ b/atomics/Indexes/macos-index.yaml @@ -4511,7 +4511,7 @@ defense-evasion: text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command, key); subprocess.call(exec, shell=True)''' - cleanup_command: + cleanup_command: name: bash elevation_required: false T1562: diff --git a/atomics/Indexes/office-365-index.yaml b/atomics/Indexes/office-365-index.yaml index 019a2284..75e0d276 100644 --- a/atomics/Indexes/office-365-index.yaml +++ b/atomics/Indexes/office-365-index.yaml @@ -9410,11 +9410,11 @@ defense-evasion: username: description: office-365 username type: string - default: + default: password: description: office-365 password type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'ExchangeOnlineManagement PowerShell module must be installed @@ -11698,11 +11698,11 @@ defense-evasion: username: description: office-365 username type: string - default: + default: password: description: office-365 password type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'ExchangeOnlineManagement PowerShell module must be installed @@ -41363,11 +41363,11 @@ collection: username: description: office-365 username type: string - default: + default: password: description: office-365 password type: string - default: + default: rule_name: description: email rule name type: string @@ -41646,23 +41646,23 @@ collection: and Application.ReadWrite.All Scope (eg, Global Administrator Role) and sign-in method is password type: string - default: + default: password: description: Entra user password type: string - default: + default: 1st_target_mailbox: description: office-365 target_email_address type: string - default: + default: 2nd_target_mailbox: description: office-365 target_email_address type: string - default: + default: 3rd_target_mailbox: description: office-365 target_email_address type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'Microsoft Graph PowerShell SDK must be installed. diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index eae72c4e..7b1ae460 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml @@ -771,7 +771,7 @@ defense-evasion: default: "'%windir%\\System32\\calc.exe'" executor: command: rundll32.exe zipfldr.dll,RouteTheCall "#{exe_to_launch}" - cleanup_command: + cleanup_command: name: powershell elevation_required: false T1027.009: @@ -6328,7 +6328,7 @@ defense-evasion: default: C:\Windows\System32\calc.exe executor: command: Scriptrunner.exe -appvscript "#{payload_path}" - cleanup_command: + cleanup_command: name: powershell elevation_required: false - name: Indirect Command Execution - RunMRU Dialog @@ -14425,7 +14425,7 @@ defense-evasion: description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) type: string - default: + default: mimikatz_exe: description: Path of the Mimikatz binary type: path @@ -44193,7 +44193,7 @@ execution: ' type: url - default: + default: c2_parent_directory: description: | Parent directory where you have the "malicious" file on c2_domain server. @@ -63423,7 +63423,7 @@ command-and-control: MSP360_Download_Url: description: URL to download MSP360 Connect from type: url - default: + default: dependency_executor_name: powershell dependencies: - description: 'MSP360 must exist at (#{MSP360_Connect_Path}) @@ -72021,7 +72021,7 @@ lateral-movement: description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) type: string - default: + default: mimikatz_exe: description: Path of the Mimikatz binary type: path @@ -81679,7 +81679,7 @@ credential-access: description: command flags you would like to run (optional and blank by default) type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined @@ -83079,7 +83079,7 @@ discovery: command: | driverquery /v /fo list driverquery /si /fo list - cleanup_command: + cleanup_command: name: powershell elevation_required: false T1087.002: @@ -83230,7 +83230,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -83263,7 +83263,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -83295,7 +83295,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -83327,7 +83327,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -83552,7 +83552,7 @@ discovery: default: "$env:computername" executor: command: 'Get-ADComputer #{hostname} -Properties *' - cleanup_command: + cleanup_command: name: powershell elevation_required: false - name: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property @@ -83568,7 +83568,7 @@ discovery: default: "$env:computername" executor: command: 'Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime' - cleanup_command: + cleanup_command: name: powershell elevation_required: false - name: Suspicious LAPS Attributes Query with Get-ADComputer all properties and @@ -83582,7 +83582,7 @@ discovery: executor: command: Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties * - cleanup_command: + cleanup_command: name: powershell elevation_required: false - name: Suspicious LAPS Attributes Query with adfind all properties @@ -83597,7 +83597,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: domain: description: Domain of the host type: string @@ -83607,7 +83607,7 @@ discovery: -h #{domain} -s subtree -f "objectclass=computer" * ' - cleanup_command: + cleanup_command: name: powershell elevation_required: false - name: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd @@ -83622,7 +83622,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: domain: description: Domain of the host type: string @@ -83632,7 +83632,7 @@ discovery: -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime ' - cleanup_command: + cleanup_command: name: powershell elevation_required: false T1087.001: @@ -84115,7 +84115,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -86170,7 +86170,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -86458,7 +86458,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -86490,7 +86490,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -88817,7 +88817,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -88849,7 +88849,7 @@ discovery: it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -100901,7 +100901,7 @@ exfiltration: description: Set to '-b32' to use base32 encoding of data. Might be required by some DNS resolvers. type: string - default: + default: dependency_executor_name: powershell dependencies: - description: 'DNSExfiltrator powershell file must exist on disk at specified @@ -101525,11 +101525,11 @@ exfiltration: username: description: Username for FTP server login type: string - default: + default: password: description: Password for FTP server login type: string - default: + default: executor: command: | $Dir_to_copy = "$env:windir\temp"