diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index bac3c9f2..9db27fe1 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -497,7 +497,7 @@ discovery,T1087.002,Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5a
 discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
 discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
 discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
-discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,powershell
+discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,command_prompt
 discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
 discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
@@ -629,6 +629,10 @@ execution,T1059.001,PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-
 execution,T1059.001,PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
 execution,T1059.001,PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
 execution,T1059.001,PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
+execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
+execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
+execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
+execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
 execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 5b1499d2..b7e5be48 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -309,7 +309,7 @@ discovery,T1087.002,Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5a
 discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
 discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
 discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
-discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,powershell
+discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,command_prompt
 discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
 discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
@@ -441,6 +441,10 @@ execution,T1059.001,PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-
 execution,T1059.001,PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
 execution,T1059.001,PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
 execution,T1059.001,PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
+execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command parameter variations,686a9785-f99b-41d4-90df-66ed515f81d7,powershell
+execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell
+execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell
+execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell
 execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 460f8ba8..a7844981 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1089,6 +1089,10 @@
 - Atomic Test #12: PowerShell Downgrade Attack [windows]
 - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
 - Atomic Test #14: PowerShell Session Creation and Use [windows]
+ - Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
+ - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
+ - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
+ - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
 - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
 - Atomic Test #1: Scheduled Task Startup Script [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 2ce1aa96..527cf45c 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -841,6 +841,10 @@
 - Atomic Test #12: PowerShell Downgrade Attack [windows]
 - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
 - Atomic Test #14: PowerShell Session Creation and Use [windows]
+ - Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
+ - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
+ - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
+ - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
 - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
 - Atomic Test #1: Scheduled Task Startup Script [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 9a8c0529..bb0b0916 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -29317,7 +29317,7 @@ defense-evasion:
 - name: Change Powershell Execution Policy to Bypass
 auto_generated_guid: f3a6cceb-06c9-48e5-8df8-8867a6814245
 description: |
- Attackers needs to change the powershell execution policy in order to run their malicious powershell scripts.
+ Attackers need to change the powershell execution policy in order to run their malicious powershell scripts.
 They can either specify it during the execution of the powershell script or change the registry value for it.
 supported_platforms:
 - windows
@@ -39120,13 +39120,28 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx supported_platforms: - windows - executor: - command: 'PathToAtomicsFolder\T1087.002\src\AdFind -default -s base lockoutduration - lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength - pwdhistorylength pwdproperties + input_arguments: + adfind_path: + description: Path to the AdFind executable + type: Path + default: PathToAtomicsFolder\T1087.002\src\AdFind.exe + dependency_executor_name: powershell + dependencies: + - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) ' - name: powershell + prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + +' + get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" + -OutFile #{adfind_path} + +' + executor: + command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold + lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength + pwdproperties\n" + name: command_prompt - name: Adfind - Enumerate Active Directory Admins auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a description: | 
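Review bot: `#{adfind_path}` is interpolated unquoted in this hunk's `prereq_command` (`Test-Path #{adfind_path}`), in `get_prereq_command` (`-OutFile #{adfind_path}`) and in the command_prompt executor (`#{adfind_path} -default -s base ...`); the default `PathToAtomicsFolder\T1087.002\src\AdFind.exe` contains no spaces, but PathToAtomicsFolder is substituted at run time and a user-supplied path with a space breaks all three. Quoting fixes it: `prereq_command: 'if (Test-Path "#{adfind_path}") {exit 0} else {exit 1}'`, `-OutFile "#{adfind_path}"`, and `command: "\"#{adfind_path}\" -default -s base lockoutduration ..."`. The same dependency block is repeated verbatim in the hunks below for the Admins, User Objects, Exchange, group, organizationalUnit, Trusts, computer, dclist and subnet tests, so the fix applies to each of them. Separately, `get_prereq_command` fetches AdFind.exe from a `raw/master` URL with no integrity check, so what the executor later runs is whatever that branch holds at fetch time; fetching from a commit-pinned URL or comparing the download's SHA-256 against a pinned value (`<AdFind.exe SHA-256 placeholder>`) would make the prerequisite reproducible. index.yaml appears to be generated from the per-technique YAML, so the edit belongs in T1087.002.yaml, which is outside this view.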
@@ -39134,10 +39149,25 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ supported_platforms: - windows - executor: - command: 'PathToAtomicsFolder\T1087.002\src\AdFind -sc admincountdmp + input_arguments: + adfind_path: + description: Path to the AdFind executable + type: Path + default: PathToAtomicsFolder\T1087.002\src\AdFind.exe + dependency_executor_name: powershell + dependencies: + - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) ' + prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + +' + get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" + -OutFile #{adfind_path} + +' + executor: + command: "#{adfind_path} -sc admincountdmp\n" name: command_prompt - name: Adfind - Enumerate Active Directory User Objects auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 
@@ -39146,10 +39176,25 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - executor: - command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=person) + input_arguments: + adfind_path: + description: Path to the AdFind executable + type: Path + default: PathToAtomicsFolder\T1087.002\src\AdFind.exe + dependency_executor_name: powershell + dependencies: + - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) ' + prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + +' + get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" + -OutFile #{adfind_path} + +' + executor: + command: "#{adfind_path} -f (objectcategory=person)\n" name: command_prompt - name: Adfind - Enumerate Active Directory Exchange AD Objects auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99 
@@ -39158,10 +39203,25 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - executor: - command: 'PathToAtomicsFolder\T1087.002\src\AdFind -sc exchaddresses + input_arguments: + adfind_path: + description: Path to the AdFind executable + type: Path + default: PathToAtomicsFolder\T1087.002\src\AdFind.exe + dependency_executor_name: powershell + dependencies: + - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) ' + prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + +' + get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" + -OutFile #{adfind_path} + +' + executor: + command: "#{adfind_path} -sc exchaddresses\n" name: command_prompt T1069.002: technique: @@ -39338,10 +39398,25 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - executor: - command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=group) + input_arguments: + adfind_path: + description: Path to the AdFind executable + type: Path + default: PathToAtomicsFolder\T1087.002\src\AdFind.exe + dependency_executor_name: powershell + dependencies: + - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) ' + prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + +' + get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" + -OutFile #{adfind_path} + +' + executor: + command: "#{adfind_path} -f (objectcategory=group)\n" name: command_prompt T1482: technique: 
@@ -39497,10 +39572,25 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - executor: - command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=organizationalUnit) + input_arguments: + adfind_path: + description: Path to the AdFind executable + type: Path + default: PathToAtomicsFolder\T1087.002\src\AdFind.exe + dependency_executor_name: powershell + dependencies: + - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) ' + prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + +' + get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" + -OutFile #{adfind_path} + +' + executor: + command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n" name: command_prompt - name: Adfind - Enumerate Active Directory Trusts auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834 
@@ -39509,10 +39599,25 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - executor: - command: 'PathToAtomicsFolder\T1087.002\src\AdFind -gcb -sc trustdmp + input_arguments: + adfind_path: + description: Path to the AdFind executable + type: Path + default: PathToAtomicsFolder\T1087.002\src\AdFind.exe + dependency_executor_name: powershell + dependencies: + - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) ' + prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + +' + get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" + -OutFile #{adfind_path} + +' + executor: + command: "#{adfind_path} -gcb -sc trustdmp\n" name: command_prompt T1087.003: technique: 
@@ -41179,10 +41284,25 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - executor: - command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=computer) + input_arguments: + adfind_path: + description: Path to the AdFind executable + type: Path + default: PathToAtomicsFolder\T1087.002\src\AdFind.exe + dependency_executor_name: powershell + dependencies: + - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) ' + prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + +' + get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" + -OutFile #{adfind_path} + +' + executor: + command: "#{adfind_path} -f (objectcategory=computer)\n" name: command_prompt - name: Adfind - Enumerate Active Directory Domain Controller Objects auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e 
@@ -41191,10 +41311,25 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - executor: - command: 'PathToAtomicsFolder\T1087.002\src\AdFind -sc dclist + input_arguments: + adfind_path: + description: Path to the AdFind executable + type: Path + default: PathToAtomicsFolder\T1087.002\src\AdFind.exe + dependency_executor_name: powershell + dependencies: + - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) ' + prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + +' + get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" + -OutFile #{adfind_path} + +' + executor: + command: "#{adfind_path} -sc dclist\n" name: command_prompt T1518.001: technique: @@ -41899,10 +42034,25 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - executor: - command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=subnet) + input_arguments: + adfind_path: + description: Path to the AdFind executable + type: Path + default: PathToAtomicsFolder\T1087.002\src\AdFind.exe + dependency_executor_name: powershell + dependencies: + - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) ' + prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + +' + get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" + -OutFile #{adfind_path} + +' + executor: + command: "#{adfind_path} -f (objectcategory=subnet)\n" name: command_prompt T1049: technique: 
@@ -44309,6 +44459,140 @@ execution:
 Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
 Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
 Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
+ - name: ATHPowerShellCommandLineParameter -Command parameter variations
+ auto_generated_guid: 686a9785-f99b-41d4-90df-66ed515f81d7
+ description: Executes powershell.exe with variations of the -Command parameter
+ supported_platforms:
+ - windows
+ input_arguments:
+ command_line_switch_type:
+ description: The type of supported command-line switch to use
+ type: String
+ default: Hyphen
+ command_param_variation:
+ description: The "Command" parameter variation to use
+ type: String
+ default: C
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
+ -CommandParamVariation #{command_param_variation} -Execute -ErrorAction
+ Stop'
+ name: powershell
+ - name: ATHPowerShellCommandLineParameter -Command parameter variations with encoded
+ arguments
+ auto_generated_guid: 1c0a870f-dc74-49cf-9afc-eccc45e58790
+ description: Executes powershell.exe with variations of the -Command parameter
+ with encoded arguments supplied
+ supported_platforms:
+ - windows
+ input_arguments:
+ command_line_switch_type:
+ description: The type of supported command-line switch to use
+ type: String
+ default: Hyphen
+ command_param_variation:
+ description: The "Command" parameter variation to use
+ type: String
+ default: C
+ encoded_arguments_param_variation:
+ description: The "EncodedArguments" parameter variation to use
+ type: String
+ default: EA
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
+ -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation
+ #{encoded_arguments_param_variation} -Execute -ErrorAction Stop'
+ name: powershell
+ - name: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
+ auto_generated_guid: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3
+ description: Executes powershell.exe with variations of the -EncodedCommand
+ parameter
+ supported_platforms:
+ - windows
+ input_arguments:
+ command_line_switch_type:
+ description: The type of supported command-line switch to use
+ type: String
+ default: Hyphen
+ encoded_command_param_variation:
+ description: The "EncodedCommand" parameter variation to use
+ type: String
+ default: E
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
+ -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute
+ -ErrorAction Stop'
+ name: powershell
+ - name: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
+ with encoded arguments
+ auto_generated_guid: 0d181431-ddf3-4826-8055-2dbf63ae848b
+ description: Executes powershell.exe with variations of the -EncodedCommand
+ parameter with encoded arguments supplied
+ supported_platforms:
+ - windows
+ input_arguments:
+ encoded_command_param_variation:
+ description: The "EncodedCommand" parameter variation to use
+ type: String
+ default: E
+ command_line_switch_type:
+ description: The type of supported command-line switch to use
+ type: String
+ default: Hyphen
+ encoded_arguments_param_variation:
+ description: The "EncodedArguments" parameter variation to use
+ type: String
+ default: EncodedArguments
+ dependencies:
+ - description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter
+ must be exported in the module.
+ prereq_command: |-
+ $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+ if (-not $RequiredModule) {exit 1}
+ if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
+ get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+ -Force
+
+'
+ executor:
+ command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
+ -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments
+ -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute
+ -ErrorAction Stop'
+ name: powershell
 T1059.006:
 technique:
 external_references:
diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md
index 447bb76e..5438e0a3 100644
--- a/atomics/T1016/T1016.md
+++ b/atomics/T1016/T1016.md
@@ -220,17 +220,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
+
 #### Attack Commands: Run with `command_prompt`!
 ```cmd
-PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=subnet)
+#{adfind_path} -f (objectcategory=subnet)
 ```
+#### Dependencies: Run with `powershell`!
+##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
+```
+
+
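Review bot: The `prereq_command` of each of the four ATHPowerShellCommandLineParameter tests in this hunk indexes `$RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']` straight on the result of `Get-Module -Name AtomicTestHarnesses -ListAvailable`; when more than one version of the module is installed that call returns an array, and the string index on an array is not the per-module lookup the check intends (exact failure mode not verified here, but the single-object assumption is visible). Picking one entry first, `$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable | Sort-Object Version -Descending | Select-Object -First 1`, keeps the check meaningful. `get_prereq_command` runs `Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force` with no version, so the harness behaviour the executor depends on is whatever the gallery serves at install time; `-RequiredVersion <pinned version placeholder>` on the install (and the same version check in `prereq_command`) would make runs reproducible. These test bodies already exist in T1059.001.yaml — the hunks there only add `auto_generated_guid` — so the change belongs in that file rather than in the generated index.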
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index 24b999a0..4a10e2cb 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -343,17 +343,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
+
 #### Attack Commands: Run with `command_prompt`!
 ```cmd
-PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=computer)
+#{adfind_path} -f (objectcategory=computer)
 ```
+#### Dependencies: Run with `powershell`!
+##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
+```
+
+
@@ -368,17 +385,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
+
 #### Attack Commands: Run with `command_prompt`!
 ```cmd
-PathToAtomicsFolder\T1087.002\src\AdFind -sc dclist
+#{adfind_path} -sc dclist
 ```
+#### Dependencies: Run with `powershell`!
+##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
+```
+
+
diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md
index ebbf5afe..8345c90c 100644
--- a/atomics/T1059.001/T1059.001.md
+++ b/atomics/T1059.001/T1059.001.md
@@ -38,6 +38,14 @@ PowerShell commands/scripts can also be executed without directly invoking the <
 - [Atomic Test #14 - PowerShell Session Creation and Use](#atomic-test-14---powershell-session-creation-and-use)
+- [Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations](#atomic-test-15---athpowershellcommandlineparameter--command-parameter-variations)
+
+- [Atomic Test #16 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments](#atomic-test-16---athpowershellcommandlineparameter--command-parameter-variations-with-encoded-arguments)
+
+- [Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations](#atomic-test-17---athpowershellcommandlineparameter--encodedcommand-parameter-variations)
+
+- [Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-18---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments)
+
@@ -510,4 +518,182 @@ Enable-PSRemoting
+
+
+
+## Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations
+Executes powershell.exe with variations of the -Command parameter
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
+| command_param_variation | The "Command" parameter variation to use | String | C|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #16 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
+Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
+| command_param_variation | The "Command" parameter variation to use | String | C|
+| encoded_arguments_param_variation | The "EncodedArguments" parameter variation to use | String | EA|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
+Executes powershell.exe with variations of the -EncodedCommand parameter
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
+| encoded_command_param_variation | The "EncodedCommand" parameter variation to use | String | E|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+
+
+
+## Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
+Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| encoded_command_param_variation | The "EncodedCommand" parameter variation to use | String | E|
+| command_line_switch_type | The type of supported command-line switch to use | String | Hyphen|
+| encoded_arguments_param_variation | The "EncodedArguments" parameter variation to use | String | EncodedArguments|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml index 3517ac72..23915cf6 100644 --- a/atomics/T1059.001/T1059.001.yaml +++ b/atomics/T1059.001/T1059.001.yaml @@ -265,6 +265,7 @@ atomic_tests: Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use - name: ATHPowerShellCommandLineParameter -Command parameter variations + auto_generated_guid: 686a9785-f99b-41d4-90df-66ed515f81d7 description: Executes powershell.exe with variations of the -Command parameter supported_platforms: - windows @@ -290,6 +291,7 @@ atomic_tests: name: powershell - name: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments + auto_generated_guid: 1c0a870f-dc74-49cf-9afc-eccc45e58790 description: Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied supported_platforms: - windows @@ -319,6 +321,7 @@ atomic_tests: name: powershell - name: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations + auto_generated_guid: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 description: Executes powershell.exe with variations of the -EncodedCommand parameter supported_platforms: - windows @@ -344,6 +347,7 @@ atomic_tests: name: powershell - name: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments + auto_generated_guid: 0d181431-ddf3-4826-8055-2dbf63ae848b description: Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied supported_platforms: - windows diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index 712f54a0..632eccd0 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md 
@@ -241,17 +241,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| + #### Attack Commands: Run with `command_prompt`! ```cmd -PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=group) +#{adfind_path} -f (objectcategory=group) ``` +#### Dependencies: Run with `powershell`! +##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +``` + +
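Review bot: The new Check/Get Prereq commands use `#{adfind_path}` unquoted in both `Test-Path #{adfind_path}` and `-OutFile #{adfind_path}`, so a PathToAtomicsFolder (or a user-supplied override) containing a space breaks the check and the download; quote them as `if (Test-Path "#{adfind_path}") {exit 0} else {exit 1}` and `-OutFile "#{adfind_path}"`. The download also assumes the `T1087.002\src` directory already exists — `Invoke-WebRequest -OutFile` does not create parent directories — so an `adfind_path` pointing into a missing folder fails the get-prereq step; `New-Item -ItemType Directory -Path (Split-Path "#{adfind_path}") -Force | Out-Null` before the request covers that. The same block is repeated verbatim in the T1087.002 and T1482 hunks of this diff. These markdown lines are a rendered copy of the test YAML, so the fix belongs in the corresponding `.yaml` file, which is not part of this diff.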
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index f119a26d..e73c9728 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -162,17 +162,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://social.techne - -#### Attack Commands: Run with `powershell`! +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| -```powershell -PathToAtomicsFolder\T1087.002\src\AdFind -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties +#### Attack Commands: Run with `command_prompt`! + + +```cmd +#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties ``` +#### Dependencies: Run with `powershell`! +##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +``` + +
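Review bot: The Get Prereq line fetches `AdFind.exe` from the mutable `master` branch of the repository and the attack command then executes whatever landed at `#{adfind_path}`, with no integrity check between the two, so the binary that runs on the target is whatever that URL serves at run time rather than a known artifact. Pin the raw URL to a commit SHA instead of `master`, and have the prereq check compare `(Get-FileHash "#{adfind_path}").Hash` against the hash of the vendored copy rather than only testing that a file exists. The executor switch from `powershell` to `command_prompt` for this test is consistent with the other AdFind tests in this file. This is a rendered copy of the YAML, so the change belongs in the `.yaml` source, which this diff does not show.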
@@ -187,17 +204,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| + #### Attack Commands: Run with `command_prompt`! ```cmd -PathToAtomicsFolder\T1087.002\src\AdFind -sc admincountdmp +#{adfind_path} -sc admincountdmp ``` +#### Dependencies: Run with `powershell`! +##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +``` + +
@@ -212,17 +246,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| + #### Attack Commands: Run with `command_prompt`! ```cmd -PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=person) +#{adfind_path} -f (objectcategory=person) ``` +#### Dependencies: Run with `powershell`! +##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +``` + +
@@ -237,17 +288,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| + #### Attack Commands: Run with `command_prompt`! ```cmd -PathToAtomicsFolder\T1087.002\src\AdFind -sc exchaddresses +#{adfind_path} -sc exchaddresses ``` +#### Dependencies: Run with `powershell`! +##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +``` + +
diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index edd18a78..186c2deb 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md @@ -192,7 +192,7 @@ Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Se
## Atomic Test #6 - Change Powershell Execution Policy to Bypass -Attackers needs to change the powershell execution policy in order to run their malicious powershell scripts. +Attackers need to change the powershell execution policy in order to run their malicious powershell scripts. They can either specify it during the execution of the powershell script or change the registry value for it. **Supported Platforms:** Windows diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md index d6df6e9e..f5d5b0ab 100644 --- a/atomics/T1482/T1482.md +++ b/atomics/T1482/T1482.md @@ -139,17 +139,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| + #### Attack Commands: Run with `command_prompt`! ```cmd -PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=organizationalUnit) +#{adfind_path} -f (objectcategory=organizationalUnit) ``` +#### Dependencies: Run with `powershell`! +##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +``` + +
@@ -164,17 +181,34 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| + #### Attack Commands: Run with `command_prompt`! ```cmd -PathToAtomicsFolder\T1087.002\src\AdFind -gcb -sc trustdmp +#{adfind_path} -gcb -sc trustdmp ``` +#### Dependencies: Run with `powershell`! +##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +``` + +
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index d58f4b21..7552b80a 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -607,3 +607,8 @@ e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 5e2938fb-f919-47b6-8b29-2f6a1f718e99 d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec 15fe436d-e771-4ff3-b655-2dca9ba52834 +686a9785-f99b-41d4-90df-66ed515f81d7 +1c0a870f-dc74-49cf-9afc-eccc45e58790 +86a43bad-12e3-4e85-b97c-4d5cf25b95c3 +0d181431-ddf3-4826-8055-2dbf63ae848b +f3a6cceb-06c9-48e5-8df8-8867a6814245
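Review bot: The fifth GUID appended here, `f3a6cceb-06c9-48e5-8df8-8867a6814245`, does not correspond to any `auto_generated_guid` added in this diff; the four T1059.001 YAML hunks declare exactly the four entries above it (686a9785…, 1c0a870f…, 86a43bad…, 0d181431…). If it is reserved for a test changed outside the visible part of this diff that is fine; otherwise it registers an identifier no atomic references and should be dropped or attached to its test so the registry stays in sync with the YAML.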