From 20e304c5163fb5f05ab423c9209551c60d1cce06 Mon Sep 17 00:00:00 2001
From: tccontre <26181693+tccontre@users.noreply.github.com>
Date: Fri, 29 Apr 2022 23:18:53 +0200
Subject: [PATCH] enumeration of active directory organization unit and root domain (#1907)
* Update T1112.yaml
* Update T1112.yaml
* typos
* Update T1087.002.yaml
* Update T1087.002.yaml
* Update T1087.002.yaml
Co-authored-by: Carrie Roberts
---
 atomics/T1087.002/T1087.002.yaml | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml
index 79f6cdf7..febf8ca6 100644
--- a/atomics/T1087.002/T1087.002.yaml
+++ b/atomics/T1087.002/T1087.002.yaml
@@ -238,4 +238,30 @@ atomic_tests:
 name: powershell
 elevation_required: false
 command: |
- ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
\ No newline at end of file
+ ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
+- name: Enumerate Linked Policies In ADSISearcher Discovery
+ auto_generated_guid: 7ab0205a-34e4-4a44-9b04-e1541d1a57be
+ description: |
+ The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory.
+ Upon successful execution a listing of users will output with their paths in AD.
+ Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ (([adsisearcher]’(objectcategory=organizationalunit)’).FindAll()).Path | %{if(([ADSI]”$_”).gPlink){Write-Host “[+] OU Path:”([ADSI]”$_”).Path;$a=((([ADSI]”$_”).gplink) -replace “[[;]” -split “]”);for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host “Policy Path[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host “Policy Name[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output “`n” }}
+- name: Enumerate Root Domain linked policies Discovery
+ auto_generated_guid: 00c652e2-0750-4ca6-82ff-0204684a6fe4
+ description: |
+ The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory.
+ Upon successful execution a listing of users will output with their paths in AD.
+ Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ (([adsisearcher]’’).SearchRooT).Path | %{if(([ADSI]”$_”).gPlink){Write-Host “[+] Domain Path:”([ADSI]”$_”).Path;$a=((([ADSI]”$_”).gplink) -replace “[[;]” -split “]”);for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host “Policy Path[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host “Policy Name[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output “`n” }}
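Review bot: Both added `command:` one-liners are written with typographic quotes (`’…’`, `“…”`) rather than ASCII `'` and `"`. PowerShell's tokenizer accepts them, but they are multi-byte characters, so if the YAML or a script generated from it is read under a non-UTF-8 code page the test can fail to parse and produce none of the telemetry it is meant to generate. Using ASCII quotes throughout, e.g. `(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path` and `([ADSI]"$_").gPlink`, removes that dependency. Both descriptions also say "a listing of users will output with their paths in AD", which appears to be carried over from the user-enumeration test above; the commands print the OU or domain path plus the path and display name of each linked GPO, so a line such as `Upon successful execution, each OU with a gPLink is listed together with the path and display name of every linked GPO.` would tell a detection engineer what output and LDAP activity to expect.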