Generate docs from job=validate_atomics_generate_docs branch=ATHPowerShellCommandLineParamter

atomics/Indexes/Indexes-CSV/index.csv

@@ -497,7 +497,7 @@ discovery,T1087.002,Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5a
 discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
 discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
 discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
-discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,powershell
+discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,command_prompt
 discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
 discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
@@ -629,6 +629,10 @@ execution,T1059.001,PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-
 execution,T1059.001,PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
 execution,T1059.001,PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
 execution,T1059.001,PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
+execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
+execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
+execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
+execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
 execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -309,7 +309,7 @@ discovery,T1087.002,Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5a
 discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
 discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
 discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
-discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,powershell
+discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,command_prompt
 discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
 discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
@@ -441,6 +441,10 @@ execution,T1059.001,PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-
 execution,T1059.001,PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
 execution,T1059.001,PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
 execution,T1059.001,PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
+execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
+execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
+execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
+execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
 execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -1089,6 +1089,10 @@
   - Atomic Test #12: PowerShell Downgrade Attack [windows]
   - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
   - Atomic Test #14: PowerShell Session Creation and Use [windows]
+  - Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
+  - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
+  - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
+  - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
 - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
   - Atomic Test #1: Scheduled Task Startup Script [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -841,6 +841,10 @@
   - Atomic Test #12: PowerShell Downgrade Attack [windows]
   - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
   - Atomic Test #14: PowerShell Session Creation and Use [windows]
+  - Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
+  - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
+  - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
+  - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
 - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
   - Atomic Test #1: Scheduled Task Startup Script [windows]

atomics/Indexes/index.yaml

@@ -29317,7 +29317,7 @@ defense-evasion:
     - name: Change Powershell Execution Policy to Bypass
       auto_generated_guid: f3a6cceb-06c9-48e5-8df8-8867a6814245
       description: |
-        Attackers needs to change the powershell execution policy in order to run their malicious powershell scripts.
+        Attackers need to change the powershell execution policy in order to run their malicious powershell scripts.
         They can either specify it during the execution of the powershell script or change the registry value for it.
       supported_platforms:
       - windows
@@ -39120,13 +39120,28 @@ discovery:
         reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
       supported_platforms:
       - windows
-      executor:
-        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -default -s base lockoutduration
-          lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength
-          pwdhistorylength pwdproperties
+      input_arguments:
+        adfind_path:
+          description: Path to the AdFind executable
+          type: Path
+          default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
 
 '
-        name: powershell
+        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
+          -OutFile #{adfind_path}
+
+'
+      executor:
+        command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold
+          lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength
+          pwdproperties\n"
+        name: command_prompt
     - name: Adfind - Enumerate Active Directory Admins
       auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a
       description: |
@@ -39134,10 +39149,25 @@ discovery:
         reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
       supported_platforms:
       - windows
-      executor:
-        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -sc admincountdmp
+      input_arguments:
+        adfind_path:
+          description: Path to the AdFind executable
+          type: Path
+          default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
 
 '
+        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
+          -OutFile #{adfind_path}
+
+'
+      executor:
+        command: "#{adfind_path} -sc admincountdmp\n"
         name: command_prompt
     - name: Adfind - Enumerate Active Directory User Objects
       auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
@@ -39146,10 +39176,25 @@ discovery:
         reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
       supported_platforms:
       - windows
-      executor:
-        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=person)
+      input_arguments:
+        adfind_path:
+          description: Path to the AdFind executable
+          type: Path
+          default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
 
 '
+        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
+          -OutFile #{adfind_path}
+
+'
+      executor:
+        command: "#{adfind_path} -f (objectcategory=person)\n"
         name: command_prompt
     - name: Adfind - Enumerate Active Directory Exchange AD Objects
       auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
@@ -39158,10 +39203,25 @@ discovery:
         reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
       supported_platforms:
       - windows
-      executor:
-        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -sc exchaddresses
+      input_arguments:
+        adfind_path:
+          description: Path to the AdFind executable
+          type: Path
+          default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
 
 '
+        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
+          -OutFile #{adfind_path}
+
+'
+      executor:
+        command: "#{adfind_path} -sc exchaddresses\n"
         name: command_prompt
   T1069.002:
     technique:
@@ -39338,10 +39398,25 @@ discovery:
         reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
       supported_platforms:
       - windows
-      executor:
-        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=group)
+      input_arguments:
+        adfind_path:
+          description: Path to the AdFind executable
+          type: Path
+          default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
 
 '
+        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
+          -OutFile #{adfind_path}
+
+'
+      executor:
+        command: "#{adfind_path} -f (objectcategory=group)\n"
         name: command_prompt
   T1482:
     technique:
@@ -39497,10 +39572,25 @@ discovery:
         reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
       supported_platforms:
       - windows
-      executor:
-        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=organizationalUnit)
+      input_arguments:
+        adfind_path:
+          description: Path to the AdFind executable
+          type: Path
+          default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
 
 '
+        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
+          -OutFile #{adfind_path}
+
+'
+      executor:
+        command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n"
         name: command_prompt
     - name: Adfind - Enumerate Active Directory Trusts
       auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834
@@ -39509,10 +39599,25 @@ discovery:
         reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
       supported_platforms:
       - windows
-      executor:
-        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -gcb -sc trustdmp
+      input_arguments:
+        adfind_path:
+          description: Path to the AdFind executable
+          type: Path
+          default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
 
 '
+        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
+          -OutFile #{adfind_path}
+
+'
+      executor:
+        command: "#{adfind_path} -gcb -sc trustdmp\n"
         name: command_prompt
   T1087.003:
     technique:
@@ -41179,10 +41284,25 @@ discovery:
         reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
       supported_platforms:
       - windows
-      executor:
-        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=computer)
+      input_arguments:
+        adfind_path:
+          description: Path to the AdFind executable
+          type: Path
+          default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
 
 '
+        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
+          -OutFile #{adfind_path}
+
+'
+      executor:
+        command: "#{adfind_path} -f (objectcategory=computer)\n"
         name: command_prompt
     - name: Adfind - Enumerate Active Directory Domain Controller Objects
       auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
@@ -41191,10 +41311,25 @@ discovery:
         reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
       supported_platforms:
       - windows
-      executor:
-        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -sc dclist
+      input_arguments:
+        adfind_path:
+          description: Path to the AdFind executable
+          type: Path
+          default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
 
 '
+        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
+          -OutFile #{adfind_path}
+
+'
+      executor:
+        command: "#{adfind_path} -sc dclist\n"
         name: command_prompt
   T1518.001:
     technique:
@@ -41899,10 +42034,25 @@ discovery:
         reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
       supported_platforms:
       - windows
-      executor:
-        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=subnet)
+      input_arguments:
+        adfind_path:
+          description: Path to the AdFind executable
+          type: Path
+          default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
 
 '
+        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
+          -OutFile #{adfind_path}
+
+'
+      executor:
+        command: "#{adfind_path} -f (objectcategory=subnet)\n"
         name: command_prompt
   T1049:
     technique:
@@ -44309,6 +44459,140 @@ execution:
           Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
           Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
           Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
+    - name: ATHPowerShellCommandLineParameter -Command parameter variations
+      auto_generated_guid: 686a9785-f99b-41d4-90df-66ed515f81d7
+      description: Executes powershell.exe with variations of the -Command parameter
+      supported_platforms:
+      - windows
+      input_arguments:
+        command_line_switch_type:
+          description: The type of supported command-line switch to use
+          type: String
+          default: Hyphen
+        command_param_variation:
+          description: The "Command" parameter variation to use
+          type: String
+          default: C
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
+          -CommandParamVariation #{command_param_variation} -Execute -ErrorAction
+          Stop'
+        name: powershell
+    - name: ATHPowerShellCommandLineParameter -Command parameter variations with encoded
+        arguments
+      auto_generated_guid: 1c0a870f-dc74-49cf-9afc-eccc45e58790
+      description: Executes powershell.exe with variations of the -Command parameter
+        with encoded arguments supplied
+      supported_platforms:
+      - windows
+      input_arguments:
+        command_line_switch_type:
+          description: The type of supported command-line switch to use
+          type: String
+          default: Hyphen
+        command_param_variation:
+          description: The "Command" parameter variation to use
+          type: String
+          default: C
+        encoded_arguments_param_variation:
+          description: The "EncodedArguments" parameter variation to use
+          type: String
+          default: EA
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
+          -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation
+          #{encoded_arguments_param_variation} -Execute -ErrorAction Stop'
+        name: powershell
+    - name: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
+      auto_generated_guid: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3
+      description: Executes powershell.exe with variations of the -EncodedCommand
+        parameter
+      supported_platforms:
+      - windows
+      input_arguments:
+        command_line_switch_type:
+          description: The type of supported command-line switch to use
+          type: String
+          default: Hyphen
+        encoded_command_param_variation:
+          description: The "EncodedCommand" parameter variation to use
+          type: String
+          default: E
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
+          -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute
+          -ErrorAction Stop'
+        name: powershell
+    - name: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
+        with encoded arguments
+      auto_generated_guid: 0d181431-ddf3-4826-8055-2dbf63ae848b
+      description: Executes powershell.exe with variations of the -EncodedCommand
+        parameter with encoded arguments supplied
+      supported_platforms:
+      - windows
+      input_arguments:
+        encoded_command_param_variation:
+          description: The "EncodedCommand" parameter variation to use
+          type: String
+          default: E
+        command_line_switch_type:
+          description: The type of supported command-line switch to use
+          type: String
+          default: Hyphen
+        encoded_arguments_param_variation:
+          description: The "EncodedArguments" parameter variation to use
+          type: String
+          default: EncodedArguments
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
+          -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments
+          -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute
+          -ErrorAction Stop'
+        name: powershell
   T1059.006:
     technique:
       external_references:

atomics/T1016/T1016.md

@@ -220,17 +220,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
+
 
 #### Attack Commands: Run with `command_prompt`! 
 
 
 ```cmd
-PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=subnet)
+#{adfind_path} -f (objectcategory=subnet)
 ```
 
 
 
 
+#### Dependencies:  Run with `powershell`!
+##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
+```
+
+
 
 
 <br/>

atomics/T1018/T1018.md

@@ -343,17 +343,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
+
 
 #### Attack Commands: Run with `command_prompt`! 
 
 
 ```cmd
-PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=computer)
+#{adfind_path} -f (objectcategory=computer)
 ```
 
 
 
 
+#### Dependencies:  Run with `powershell`!
+##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
+```
+
+
 
 
 <br/>
@@ -368,17 +385,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
+
 
 #### Attack Commands: Run with `command_prompt`! 
 
 
 ```cmd
-PathToAtomicsFolder\T1087.002\src\AdFind -sc dclist
+#{adfind_path} -sc dclist
 ```
 
 
 
 
+#### Dependencies:  Run with `powershell`!
+##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
+```
+
+
 
 
 <br/>

atomics/T1059.001/T1059.001.md

@@ -38,6 +38,14 @@ PowerShell commands/scripts can also be executed without directly invoking the <
 
 - [Atomic Test #14 - PowerShell Session Creation and Use](#atomic-test-14---powershell-session-creation-and-use)
 
+- [Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations](#atomic-test-15---athpowershellcommandlineparameter--command-parameter-variations)
+
+- [Atomic Test #16 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments](#atomic-test-16---athpowershellcommandlineparameter--command-parameter-variations-with-encoded-arguments)
+
+- [Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations](#atomic-test-17---athpowershellcommandlineparameter--encodedcommand-parameter-variations)
+
+- [Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-18---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments)
+
 
 <br/>
 
@@ -510,4 +518,182 @@ Enable-PSRemoting
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations
+Executes powershell.exe with variations of the -Command parameter
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
+| command_param_variation | The "Command" parameter variation to use | String | C|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #16 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
+Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
+| command_param_variation | The "Command" parameter variation to use | String | C|
+| encoded_arguments_param_variation | The "EncodedArguments" parameter variation to use | String | EA|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
+Executes powershell.exe with variations of the -EncodedCommand parameter
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
+| encoded_command_param_variation | The "EncodedCommand" parameter variation to use | String | E|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
+Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| encoded_command_param_variation | The "EncodedCommand" parameter variation to use | String | E|
+| command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
+| encoded_arguments_param_variation | The "EncodedArguments" parameter variation to use | String | EncodedArguments|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
 <br/>

atomics/T1059.001/T1059.001.yaml

@@ -265,6 +265,7 @@ atomic_tests:
       Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
 
 - name: ATHPowerShellCommandLineParameter -Command parameter variations
+  auto_generated_guid: 686a9785-f99b-41d4-90df-66ed515f81d7
   description: Executes powershell.exe with variations of the -Command parameter
   supported_platforms:
   - windows
@@ -290,6 +291,7 @@ atomic_tests:
     name: powershell
 
 - name: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
+  auto_generated_guid: 1c0a870f-dc74-49cf-9afc-eccc45e58790
   description: Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied
   supported_platforms:
   - windows
@@ -319,6 +321,7 @@ atomic_tests:
     name: powershell
 
 - name: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
+  auto_generated_guid: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3
   description: Executes powershell.exe with variations of the -EncodedCommand parameter
   supported_platforms:
   - windows
@@ -344,6 +347,7 @@ atomic_tests:
     name: powershell
 
 - name: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
+  auto_generated_guid: 0d181431-ddf3-4826-8055-2dbf63ae848b
   description: Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied
   supported_platforms:
   - windows

atomics/T1069.002/T1069.002.md

@@ -241,17 +241,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
+
 
 #### Attack Commands: Run with `command_prompt`! 
 
 
 ```cmd
-PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=group)
+#{adfind_path} -f (objectcategory=group)
 ```
 
 
 
 
+#### Dependencies:  Run with `powershell`!
+##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
+```
+
+
 
 
 <br/>

atomics/T1087.002/T1087.002.md

@@ -162,17 +162,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://social.techne
 
 
 
-
-#### Attack Commands: Run with `powershell`! 
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
 
 
-```powershell
-PathToAtomicsFolder\T1087.002\src\AdFind -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
 ```
 
 
 
 
+#### Dependencies:  Run with `powershell`!
+##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
+```
+
+
 
 
 <br/>
@@ -187,17 +204,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.c
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
+
 
 #### Attack Commands: Run with `command_prompt`! 
 
 
 ```cmd
-PathToAtomicsFolder\T1087.002\src\AdFind -sc admincountdmp
+#{adfind_path} -sc admincountdmp
 ```
 
 
 
 
+#### Dependencies:  Run with `powershell`!
+##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
+```
+
+
 
 
 <br/>
@@ -212,17 +246,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
+
 
 #### Attack Commands: Run with `command_prompt`! 
 
 
 ```cmd
-PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=person)
+#{adfind_path} -f (objectcategory=person)
 ```
 
 
 
 
+#### Dependencies:  Run with `powershell`!
+##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
+```
+
+
 
 
 <br/>
@@ -237,17 +288,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
+
 
 #### Attack Commands: Run with `command_prompt`! 
 
 
 ```cmd
-PathToAtomicsFolder\T1087.002\src\AdFind -sc exchaddresses
+#{adfind_path} -sc exchaddresses
 ```
 
 
 
 
+#### Dependencies:  Run with `powershell`!
+##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
+```
+
+
 
 
 <br/>

atomics/T1112/T1112.md

@@ -192,7 +192,7 @@ Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Se
 <br/>
 
 ## Atomic Test #6 - Change Powershell Execution Policy to Bypass
-Attackers needs to change the powershell execution policy in order to run their malicious powershell scripts.
+Attackers need to change the powershell execution policy in order to run their malicious powershell scripts.
 They can either specify it during the execution of the powershell script or change the registry value for it.
 
 **Supported Platforms:** Windows

atomics/T1482/T1482.md

@@ -139,17 +139,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
+
 
 #### Attack Commands: Run with `command_prompt`! 
 
 
 ```cmd
-PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=organizationalUnit)
+#{adfind_path} -f (objectcategory=organizationalUnit)
 ```
 
 
 
 
+#### Dependencies:  Run with `powershell`!
+##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
+```
+
+
 
 
 <br/>
@@ -164,17 +181,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder&#92;T1087.002&#92;src&#92;AdFind.exe|
+
 
 #### Attack Commands: Run with `command_prompt`! 
 
 
 ```cmd
-PathToAtomicsFolder\T1087.002\src\AdFind -gcb -sc trustdmp
+#{adfind_path} -gcb -sc trustdmp
 ```
 
 
 
 
+#### Dependencies:  Run with `powershell`!
+##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
+```
+
+
 
 
 <br/>

atomics/used_guids.txt

@@ -607,3 +607,8 @@ e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
 5e2938fb-f919-47b6-8b29-2f6a1f718e99
 d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec
 15fe436d-e771-4ff3-b655-2dca9ba52834
+686a9785-f99b-41d4-90df-66ed515f81d7
+1c0a870f-dc74-49cf-9afc-eccc45e58790
+86a43bad-12e3-4e85-b97c-4d5cf25b95c3
+0d181431-ddf3-4826-8055-2dbf63ae848b
+f3a6cceb-06c9-48e5-8df8-8867a6814245