diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 30204dc5..f9c526c6 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -95465,26 +95465,24 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold - lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength - pwdproperties\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -default -s base + lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage + minpwdlength pwdhistorylength pwdproperties + + ' name: command_prompt - name: Adfind - Enumerate Active Directory Admins auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a 
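Review bot: The rewritten `get_prereq_command` in this hunk still downloads AdFind.exe from a moving ref (`raw/master`) with `Invoke-WebRequest`, and the rewritten `prereq_command` only runs `Test-Path` on it, so a third-party executable is fetched and then run by the `command_prompt` line with no hash or signature check at any point; the commit touches both lines but keeps that gap. Pinning the URL to a commit SHA and comparing a hash in the prerequisite, e.g. `prereq_command: 'if ((Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -and (Get-FileHash "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -Algorithm SHA256).Hash -eq ''<pinned sha256>'') {exit 0} else {exit 1}'`, would make a replaced or tampered binary fail the prerequisite instead of executing. The atomic's record starts above this hunk, and if this index is regenerated from the per-technique atomic (its byte-identical duplicate in windows-index.yaml below suggests it is), the fix belongs in the T1087.002 source file rather than here.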
@@ -95493,24 +95491,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -sc admincountdmp\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc admincountdmp + + ' name: command_prompt - name: Adfind - Enumerate Active Directory User Objects auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 
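Review bot: The dependency description on the new side still reads `'AdFind.exe must exist on disk at specified location (...)'`, but the `adfind_path` input that "specified" referred to is removed in this same hunk, so the wording now points at nothing an operator can set. Rewording it to `'AdFind.exe must exist on disk at PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe'` keeps it accurate. Dropping the input also removes the only way to point the test at an internally vetted copy of AdFind instead of the downloaded one; if that is intentional, the description is the place to say so.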
@@ -95519,24 +95515,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -f (objectcategory=person)\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=person) + + ' name: command_prompt - name: Adfind - Enumerate Active Directory Exchange AD Objects auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99 
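Review bot: The download URL in `get_prereq_command` is left at `.../atomics/T1087.002/src/AdFind.exe` while every on-disk reference in this hunk moves to `PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe`, so the fetch location and the install location now disagree. If the binary is being removed from `atomics/T1087.002/src` as part of this move (not visible in this chunk), `Invoke-WebRequest` will fail on every fresh host and the prerequisite can never be satisfied; if it stays, the repository carries two copies that must be kept in sync. The URL should be checked against whatever commit moves the file, and pinned to a commit rather than `master` so a later relocation cannot silently break the prerequisite again.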
@@ -95545,24 +95539,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -sc exchaddresses\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc exchaddresses + + ' name: command_prompt - name: Enumerate Default Domain Admin Details (Domain) auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef 
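Review bot: The new `prereq_command` and `get_prereq_command` hand `PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe` to `Test-Path`, `split-path` and `-OutFile` unquoted, so once the placeholder is substituted any space in the atomics install path splits it into separate arguments. The old `#{adfind_path}` form had the same exposure, but since the commit rewrites every one of these lines, quoting them now is cheap: `prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}'` with the matching `split-path "..."` and `-OutFile "..."`. The `command_prompt` executor line has the same problem under cmd.exe and would take the same quotes around the executable path.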
@@ -95812,17 +95804,13 @@ discovery: supported_platforms: - windows input_arguments: - adfind_path: - description: Path to adfind - type: string - default: C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe domain: description: Domain of the host type: string default: "$env:USERDOMAIN" executor: - command: '#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer" - *' + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} + -s subtree -f "objectclass=computer" *' cleanup_command: name: powershell elevation_required: false @@ -95833,17 +95821,13 @@ discovery: supported_platforms: - windows input_arguments: - adfind_path: - description: Path to adfind - type: string - default: C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe domain: description: Domain of the host type: string default: "$env:USERDOMAIN" executor: - command: '#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer" - ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime' + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} + -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime' cleanup_command: name: powershell elevation_required: false 
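Review bot: Both hunks on this line replace the `adfind_path` input with the hard-coded `PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe`, yet neither shows a `dependencies` entry between `input_arguments` and `executor` where the other AdFind atomics in this diff carry one, so nothing here checks for or fetches the binary at its new location. Unless the source atomic has such a block elsewhere (each record starts above its hunk), the test fails with a file-not-found from PowerShell rather than a prerequisite failure; a `prereq_command`/`get_prereq_command` pair matching the other AdFind entries would fix that. The second hunk's query also requests `ms-Mcs-AdmPwd`, the attribute LAPS uses to store local administrator passwords, with `elevation_required: false`; the description (outside this hunk) should warn that successful output contains cleartext credentials that must be handled and purged like any other secret.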
@@ -96480,25 +96464,23 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -f (objectcategory=group)\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=group) + + ' name: command_prompt - name: Enumerate Active Directory Groups with Get-AdGroup auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 
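Review bot: This is the only AdFind `get_prereq_command` in the diff that sets `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` before `Invoke-WebRequest`; the rewritten download lines in the other hunks hit the same github.com URL without it. On Windows PowerShell hosts whose .NET defaults still offer only TLS 1.0/1.1, those other downloads will fail while this one succeeds, which is confusing to debug across a set of otherwise identical prerequisites. Since the commit already rewrites every one of those blocks, either add the same line to each or drop it here if the runner guarantees TLS 1.2, so the behaviour is consistent.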
@@ -98781,24 +98763,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -f (objectcategory=subnet)\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=subnet) + + ' name: command_prompt - name: Qakbot Recon auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b 
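Review bot: `New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)` now creates a shared payload directory one level above the atomics folder, and the only check before the `command_prompt` executor runs whatever sits there is `Test-Path`. The new directory inherits the parent's ACL, so if that parent is writable by non-admin users, anyone who can write to it can drop their own `AdFind.exe` that later runs under the operator's token, possibly elevated. Worth either creating `ExternalPayloads` with an explicit restrictive ACL in `get_prereq_command` or having `prereq_command` compare a pinned hash before reporting the prerequisite as met.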
@@ -99075,24 +99055,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=organizationalUnit) + + ' name: command_prompt - name: Adfind - Enumerate Active Directory Trusts auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834 
@@ -99101,24 +99079,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -gcb -sc trustdmp\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -gcb -sc trustdmp + + ' name: command_prompt - name: Get-DomainTrust with PowerView auto_generated_guid: f974894c-5991-4b19-aaf5-7cc2fe298c5d 
@@ -101453,24 +101429,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -f (objectcategory=computer)\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=computer) + + ' name: command_prompt - name: Adfind - Enumerate Active Directory Domain Controller Objects auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e 
@@ -101479,24 +101453,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -sc dclist\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc dclist + + ' name: command_prompt - name: Remote System Discovery - ip neighbour auto_generated_guid: 158bd4dd-6359-40ab-b13c-285b9ef6fa25 diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index 107b32b9..cda58652 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml 
@@ -82691,26 +82691,24 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold - lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength - pwdproperties\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -default -s base + lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage + minpwdlength pwdhistorylength pwdproperties + + ' name: command_prompt - name: Adfind - Enumerate Active Directory Admins auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a 
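Review bot: As in index.yaml above, the rewritten `get_prereq_command` here fetches AdFind.exe from `raw/master` and the rewritten `prereq_command` only runs `Test-Path` on it, so a third-party executable is downloaded from a moving ref and executed by the `command_prompt` line with no hash or signature verification. Pinning the URL to a commit and adding a `(Get-FileHash "..." -Algorithm SHA256).Hash -eq '<pinned sha256>'` comparison to `prereq_command` closes that gap. This file appears to be a platform-filtered copy of index.yaml (the hunks are byte-identical), so if both indexes are generated, the fix belongs in the T1087.002 source atomic and both will follow.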
@@ -82719,24 +82717,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -sc admincountdmp\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc admincountdmp + + ' name: command_prompt - name: Adfind - Enumerate Active Directory User Objects auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 
@@ -82745,24 +82741,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -f (objectcategory=person)\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=person) + + ' name: command_prompt - name: Adfind - Enumerate Active Directory Exchange AD Objects auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99 
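Review bot: The `-Uri` in `get_prereq_command` still names `atomics/T1087.002/src/AdFind.exe` in the repository while the on-disk target in the same line becomes `PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe`, so this hunk fetches from the old location to install at the new one. If the in-repo copy is removed as part of the ExternalPayloads move (not visible here), the download fails on every fresh host; confirm the URL against the commit that moves the file and pin it to a commit rather than `master`.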
@@ -82771,24 +82765,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -sc exchaddresses\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc exchaddresses + + ' name: command_prompt - name: Enumerate Default Domain Admin Details (Domain) auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef 
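Review bot: The substituted path is passed unquoted to `Test-Path`, `split-path` and `-OutFile` on the new side of this hunk, so an atomics folder whose path contains a space breaks all three once `PathToAtomicsFolder` is expanded. The commit rewrites each of these lines anyway, so wrapping the path in double quotes, e.g. `if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}`, costs nothing; the `command_prompt` line `"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses` needs the same treatment under cmd.exe.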
@@ -83038,17 +83030,13 @@ discovery: supported_platforms: - windows input_arguments: - adfind_path: - description: Path to adfind - type: string - default: C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe domain: description: Domain of the host type: string default: "$env:USERDOMAIN" executor: - command: '#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer" - *' + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} + -s subtree -f "objectclass=computer" *' cleanup_command: name: powershell elevation_required: false @@ -83059,17 +83047,13 @@ discovery: supported_platforms: - windows input_arguments: - adfind_path: - description: Path to adfind - type: string - default: C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe domain: description: Domain of the host type: string default: "$env:USERDOMAIN" executor: - command: '#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer" - ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime' + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} + -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime' cleanup_command: name: powershell elevation_required: false 
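Review bot: The two hunks on this line hard-code `PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe` in place of the removed `adfind_path` input but, unlike the other AdFind atomics in this diff, show no `dependencies` block between `input_arguments` and `executor`, so nothing fetches or verifies the binary at its new location and a missing file surfaces as a PowerShell error rather than a failed prerequisite (the record starts above the hunk, so this is inferred from what is visible). The second query returns `ms-Mcs-AdmPwd`, the LAPS local-administrator password attribute, from a non-elevated context; the atomic's description should state that its output contains cleartext credentials.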
@@ -83532,25 +83516,23 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -f (objectcategory=group)\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=group) + + ' name: command_prompt - name: Enumerate Active Directory Groups with Get-AdGroup auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 
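Review bot: Only this hunk's `get_prereq_command` forces `Tls12` via `[Net.ServicePointManager]::SecurityProtocol` before the `Invoke-WebRequest`; the matching download lines rewritten in the other AdFind hunks of this file omit it, so on hosts whose .NET defaults lack TLS 1.2 they will fail where this one succeeds. Since every one of those lines is rewritten by this commit, add the same protocol line to each (or remove it here if the runner guarantees TLS 1.2) so the set behaves consistently.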
@@ -85112,24 +85094,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -f (objectcategory=subnet)\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=subnet) + + ' name: command_prompt - name: Qakbot Recon auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b 
@@ -85386,24 +85366,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=organizationalUnit) + + ' name: command_prompt - name: Adfind - Enumerate Active Directory Trusts auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834 
@@ -85412,24 +85390,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -gcb -sc trustdmp\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -gcb -sc trustdmp + + ' name: command_prompt - name: Get-DomainTrust with PowerView auto_generated_guid: f974894c-5991-4b19-aaf5-7cc2fe298c5d 
@@ -87257,24 +87233,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -f (objectcategory=computer)\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=computer) + + ' name: command_prompt - name: Adfind - Enumerate Active Directory Domain Controller Objects auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e 
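Review bot: `get_prereq_command` on the new side calls `Invoke-WebRequest` against github.com without first selecting TLS 1.2, whereas the T1069.002 copy of this same dependency elsewhere in this diff starts with `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12`; on Windows PowerShell hosts whose .NET default protocol list predates TLS 1.2 the download is presumably refused and the `Test-Path` prereq then fails on every run. Add that same line as the first line of this block scalar so the two definitions behave alike, and consider doing the same in the other three index.yaml hunks of this change.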
@@ -87283,24 +87257,22 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) + - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ' - prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) + {exit 0} else {exit 1} ' get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: - command: "#{adfind_path} -sc dclist\n" + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc dclist + + ' name: command_prompt - name: Enumerate domain computers within Active Directory using DirectorySearcher auto_generated_guid: 962a6017-1c09-45a6-880b-adc9c57cb22e
diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md
index 83d9b5ca..bc70f289 100644
--- a/atomics/T1016/T1016.md
+++ b/atomics/T1016/T1016.md
@@ -264,32 +264,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| - #### Attack Commands: Run with `command_prompt`! ```cmd -#{adfind_path} -f (objectcategory=subnet) +PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=subnet) ``` #### Dependencies: Run with `powershell`! -##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell -New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null -Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe ```
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index 44cc0cb3..8febe27a 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -409,32 +409,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| - #### Attack Commands: Run with `command_prompt`! ```cmd -#{adfind_path} -f (objectcategory=computer) +PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=computer) ``` #### Dependencies: Run with `powershell`! -##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell -New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null -Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe ``` 
@@ -456,32 +451,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| - #### Attack Commands: Run with `command_prompt`! ```cmd -#{adfind_path} -sc dclist +PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc dclist ``` #### Dependencies: Run with `powershell`! -##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell -New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null -Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe ```
diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md
index 4cc61dc2..f3372616 100644
--- a/atomics/T1069.002/T1069.002.md
+++ b/atomics/T1069.002/T1069.002.md
@@ -289,33 +289,28 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| - #### Attack Commands: Run with `command_prompt`! ```cmd -#{adfind_path} -f (objectcategory=group) +PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=group) ``` #### Dependencies: Run with `powershell`! -##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null -Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe ```
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md
index 132d8f23..06a7738b 100644
--- a/atomics/T1087.002/T1087.002.md
+++ b/atomics/T1087.002/T1087.002.md
@@ -210,32 +210,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://social.techne -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| - #### Attack Commands: Run with `command_prompt`! ```cmd -#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties +PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties ``` #### Dependencies: Run with `powershell`! -##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell -New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null -Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe ``` 
@@ -257,32 +252,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.c -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| - #### Attack Commands: Run with `command_prompt`! ```cmd -#{adfind_path} -sc admincountdmp +PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc admincountdmp ``` #### Dependencies: Run with `powershell`! -##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell -New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null -Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe ``` 
@@ -304,32 +294,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| - #### Attack Commands: Run with `command_prompt`! ```cmd -#{adfind_path} -f (objectcategory=person) +PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=person) ``` #### Dependencies: Run with `powershell`! -##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell -New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null -Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe ``` 
@@ -351,32 +336,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| - #### Attack Commands: Run with `command_prompt`! ```cmd -#{adfind_path} -sc exchaddresses +PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc exchaddresses ``` #### Dependencies: Run with `powershell`! -##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell -New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null -Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe ```
@@ -822,7 +802,6 @@ This test executes LDAP query using adfind command and lists all the attributes #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| adfind_path | Path to adfind | string | C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe| | domain | Domain of the host | string | $env:USERDOMAIN|
@@ -830,7 +809,7 @@ This test executes LDAP query using adfind command and lists all the attributes ```powershell -#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer" * +PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} -s subtree -f "objectclass=computer" * ```
@@ -856,7 +835,6 @@ This test executes LDAP query using adfind command and lists Microsoft LAPS attr #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| adfind_path | Path to adfind | string | C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe| | domain | Domain of the host | string | $env:USERDOMAIN|
@@ -864,7 +842,7 @@ This test executes LDAP query using adfind command and lists Microsoft LAPS attr ```powershell -#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime +PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime ```
diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md
index 7d58fc27..6457def0 100644
--- a/atomics/T1482/T1482.md
+++ b/atomics/T1482/T1482.md
@@ -164,32 +164,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| - #### Attack Commands: Run with `command_prompt`! ```cmd -#{adfind_path} -f (objectcategory=organizationalUnit) +PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=organizationalUnit) ``` #### Dependencies: Run with `powershell`! -##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell -New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null -Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe ``` 
@@ -211,32 +206,27 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| adfind_path | Path to the AdFind executable | path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| - #### Attack Commands: Run with `command_prompt`! ```cmd -#{adfind_path} -gcb -sc trustdmp +PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -gcb -sc trustdmp ``` #### Dependencies: Run with `powershell`! -##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) +##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell -New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null -Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} +New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null +Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe ```