Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2023-06-15 21:42:03 +00:00
parent 32a4415e43
commit 282a250cc9
7 changed files with 224 additions and 332 deletions
+86 -114
@@ -95465,26 +95465,24 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold
lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength
pwdproperties\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -default -s base
lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage
minpwdlength pwdhistorylength pwdproperties
'
name: command_prompt
- name: Adfind - Enumerate Active Directory Admins
auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a
@@ -95493,24 +95491,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -sc admincountdmp\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc admincountdmp
'
name: command_prompt
- name: Adfind - Enumerate Active Directory User Objects
auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
@@ -95519,24 +95515,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -f (objectcategory=person)\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=person)
'
name: command_prompt
- name: Adfind - Enumerate Active Directory Exchange AD Objects
auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
@@ -95545,24 +95539,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -sc exchaddresses\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc exchaddresses
'
name: command_prompt
- name: Enumerate Default Domain Admin Details (Domain)
auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
@@ -95812,17 +95804,13 @@ discovery:
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to adfind
type: string
default: C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe
domain:
description: Domain of the host
type: string
default: "$env:USERDOMAIN"
executor:
command: '#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer"
*'
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain}
-s subtree -f "objectclass=computer" *'
cleanup_command:
name: powershell
elevation_required: false
@@ -95833,17 +95821,13 @@ discovery:
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to adfind
type: string
default: C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe
domain:
description: Domain of the host
type: string
default: "$env:USERDOMAIN"
executor:
command: '#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer"
ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime'
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain}
-s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime'
cleanup_command:
name: powershell
elevation_required: false
@@ -96480,25 +96464,23 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -f (objectcategory=group)\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=group)
'
name: command_prompt
- name: Enumerate Active Directory Groups with Get-AdGroup
auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
@@ -98781,24 +98763,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -f (objectcategory=subnet)\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=subnet)
'
name: command_prompt
- name: Qakbot Recon
auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b
@@ -99075,24 +99055,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=organizationalUnit)
'
name: command_prompt
- name: Adfind - Enumerate Active Directory Trusts
auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834
@@ -99101,24 +99079,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -gcb -sc trustdmp\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -gcb -sc trustdmp
'
name: command_prompt
- name: Get-DomainTrust with PowerView
auto_generated_guid: f974894c-5991-4b19-aaf5-7cc2fe298c5d
@@ -101453,24 +101429,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -f (objectcategory=computer)\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=computer)
'
name: command_prompt
- name: Adfind - Enumerate Active Directory Domain Controller Objects
auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
@@ -101479,24 +101453,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -sc dclist\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc dclist
'
name: command_prompt
- name: Remote System Discovery - ip neighbour
auto_generated_guid: 158bd4dd-6359-40ab-b13c-285b9ef6fa25
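Review bot: The `get_prereq_command` lines in this section download `AdFind.exe` from the `master` branch to `PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe` with no integrity check, and each executor then runs whatever was written there; since every AdFind test in the section now shares that one fixed path, a single corrupted or replaced download affects all of them. I would pin the URL to a commit and have the prereq compare the file against a recorded digest before it reports success, for example `if ((Get-FileHash '<path to AdFind.exe>' -Algorithm SHA256).Hash -ne '<EXPECTED_SHA256>') { exit 1 }`. The path is also passed unquoted to `Test-Path`, `split-path` and `-OutFile`, so it should be wrapped in double quotes in case the atomics folder resolves to a directory containing spaces. The two hunks at `@@ -95812` and `@@ -95833` hard-code the same path but show no `dependencies` entry between `input_arguments` and `executor`, so as far as those hunks show, these tests rely on another test's prereq having already fetched the binary. This file is generated, so the change belongs in the source atomic definitions rather than here.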
+86 -114
@@ -82691,26 +82691,24 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold
lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength
pwdproperties\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -default -s base
lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage
minpwdlength pwdhistorylength pwdproperties
'
name: command_prompt
- name: Adfind - Enumerate Active Directory Admins
auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a
@@ -82719,24 +82717,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -sc admincountdmp\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc admincountdmp
'
name: command_prompt
- name: Adfind - Enumerate Active Directory User Objects
auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
@@ -82745,24 +82741,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -f (objectcategory=person)\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=person)
'
name: command_prompt
- name: Adfind - Enumerate Active Directory Exchange AD Objects
auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
@@ -82771,24 +82765,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -sc exchaddresses\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc exchaddresses
'
name: command_prompt
- name: Enumerate Default Domain Admin Details (Domain)
auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
@@ -83038,17 +83030,13 @@ discovery:
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to adfind
type: string
default: C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe
domain:
description: Domain of the host
type: string
default: "$env:USERDOMAIN"
executor:
command: '#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer"
*'
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain}
-s subtree -f "objectclass=computer" *'
cleanup_command:
name: powershell
elevation_required: false
@@ -83059,17 +83047,13 @@ discovery:
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to adfind
type: string
default: C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe
domain:
description: Domain of the host
type: string
default: "$env:USERDOMAIN"
executor:
command: '#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer"
ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime'
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain}
-s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime'
cleanup_command:
name: powershell
elevation_required: false
@@ -83532,25 +83516,23 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -f (objectcategory=group)\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=group)
'
name: command_prompt
- name: Enumerate Active Directory Groups with Get-AdGroup
auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
@@ -85112,24 +85094,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -f (objectcategory=subnet)\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=subnet)
'
name: command_prompt
- name: Qakbot Recon
auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b
@@ -85386,24 +85366,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=organizationalUnit)
'
name: command_prompt
- name: Adfind - Enumerate Active Directory Trusts
auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834
@@ -85412,24 +85390,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -gcb -sc trustdmp\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -gcb -sc trustdmp
'
name: command_prompt
- name: Get-DomainTrust with PowerView
auto_generated_guid: f974894c-5991-4b19-aaf5-7cc2fe298c5d
@@ -87257,24 +87233,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -f (objectcategory=computer)\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=computer)
'
name: command_prompt
- name: Adfind - Enumerate Active Directory Domain Controller Objects
auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
@@ -87283,24 +87257,22 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
'
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
{exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: "#{adfind_path} -sc dclist\n"
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc dclist
'
name: command_prompt
- name: Enumerate domain computers within Active Directory using DirectorySearcher
auto_generated_guid: 962a6017-1c09-45a6-880b-adc9c57cb22e
+5 -10
@@ -264,32 +264,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{adfind_path} -f (objectcategory=subnet)
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=subnet)
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
```
+10 -20
@@ -409,32 +409,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{adfind_path} -f (objectcategory=computer)
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=computer)
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
```
@@ -456,32 +451,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{adfind_path} -sc dclist
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc dclist
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
```
+5 -10
@@ -289,33 +289,28 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{adfind_path} -f (objectcategory=group)
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=group)
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
```
+22 -44
@@ -210,32 +210,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://social.techne
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
```
@@ -257,32 +252,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{adfind_path} -sc admincountdmp
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc admincountdmp
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
```
@@ -304,32 +294,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{adfind_path} -f (objectcategory=person)
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=person)
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
```
@@ -351,32 +336,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{adfind_path} -sc exchaddresses
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc exchaddresses
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
```
@@ -822,7 +802,6 @@ This test executes LDAP query using adfind command and lists all the attributes
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to adfind | string | C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe|
| domain | Domain of the host | string | $env:USERDOMAIN|
@@ -830,7 +809,7 @@ This test executes LDAP query using adfind command and lists all the attributes
```powershell
#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer" *
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} -s subtree -f "objectclass=computer" *
```
@@ -856,7 +835,6 @@ This test executes LDAP query using adfind command and lists Microsoft LAPS attr
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to adfind | string | C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe|
| domain | Domain of the host | string | $env:USERDOMAIN|
@@ -864,7 +842,7 @@ This test executes LDAP query using adfind command and lists Microsoft LAPS attr
```powershell
#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
```
+10 -20
@@ -164,32 +164,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{adfind_path} -f (objectcategory=organizationalUnit)
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=organizationalUnit)
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
```
@@ -211,32 +206,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{adfind_path} -gcb -sc trustdmp
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -gcb -sc trustdmp
```
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
```