security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

enumeration of active directory organization unit and root domain (#1907)

Browse Source 
* Update T1112.yaml

* Update T1112.yaml

* typos

* Update T1087.002.yaml

* Update T1087.002.yaml

* Update T1087.002.yaml

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
tccontre
2022-04-29 23:18:53 +02:00
committed by GitHub
parent a082fb047a
commit 20e304c516
1 changed files with 27 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1087.002/T1087.002.yaml
+27 -1
View File
@@ -238,4 +238,30 @@ atomic_tests:
name: powershell
elevation_required: false
command: |
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
- name: Enumerate Linked Policies In ADSISearcher Discovery
auto_generated_guid: 7ab0205a-34e4-4a44-9b04-e1541d1a57be
description: |
The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory.
Upon successful execution a listing of users will output with their paths in AD.
Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
(([adsisearcher](objectcategory=organizationalunit)).FindAll()).Path | %{if(([ADSI]”$_”).gPlink){Write-Host “[+] OU Path:”([ADSI]”$_”).Path;$a=((([ADSI]”$_”).gplink) -replace “[[;]” -split “]”);for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host “Policy Path[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host “Policy Name[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output “`n” }}
- name: Enumerate Root Domain linked policies Discovery
auto_generated_guid: 00c652e2-0750-4ca6-82ff-0204684a6fe4
description: |
The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory.
Upon successful execution a listing of users will output with their paths in AD.
Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
(([adsisearcher]’’).SearchRooT).Path | %{if(([ADSI]”$_”).gPlink){Write-Host “[+] Domain Path:”([ADSI]”$_”).Path;$a=((([ADSI]”$_”).gplink) -replace “[[;]” -split “]”);for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host “Policy Path[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host “Policy Name[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output “`n” }}