Generate docs from job=validate_atomics_generate_docs branch=master

2020-11-04 15:24:54 +00:00
parent 6a686bea42
commit 2ef8ebdcf1
16 changed files with 405 additions and 0 deletions
@@ -497,6 +497,9 @@ discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Doma
 discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
 discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
 discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,powershell
+discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
+discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
+discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -504,9 +507,12 @@ discovery,T1069.002,Domain Groups,4,Find machines where user has local admin acc
 discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
 discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
 discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
+discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
+discovery,T1482,Domain Trust Discovery,4,Adfind - Enumerate Active Directory OUs,d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec,command_prompt
+discovery,T1482,Domain Trust Discovery,5,Adfind - Enumerate Active Directory Trusts,15fe436d-e771-4ff3-b655-2dca9ba52834,command_prompt
 discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
 discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
 discovery,T1083,File and Directory Discovery,3,Nix File and Diectory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
@@ -556,6 +562,8 @@ discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
 discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
 discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
+discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
+discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps,ba62ce11-e820-485f-9c17-6f3c857cd840,sh
@@ -580,6 +588,7 @@ discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall R
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
 discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
+discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
@@ -309,6 +309,9 @@ discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Doma
 discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
 discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
 discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,powershell
+discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
+discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
+discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -316,9 +319,12 @@ discovery,T1069.002,Domain Groups,4,Find machines where user has local admin acc
 discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
 discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
 discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
+discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
+discovery,T1482,Domain Trust Discovery,4,Adfind - Enumerate Active Directory OUs,d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec,command_prompt
+discovery,T1482,Domain Trust Discovery,5,Adfind - Enumerate Active Directory Trusts,15fe436d-e771-4ff3-b655-2dca9ba52834,command_prompt
 discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
 discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
 discovery,T1087.001,Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
@@ -345,6 +351,8 @@ discovery,T1018,Remote System Discovery,4,Remote System Discovery - ping sweep,6
 discovery,T1018,Remote System Discovery,5,Remote System Discovery - arp,2d5a61f5-0447-4be4-944a-1f8530ed6574,command_prompt
 discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
 discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
+discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
+discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
@@ -359,6 +367,7 @@ discovery,T1016,System Network Configuration Discovery,1,System Network Configur
 discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
 discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
+discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
@@ -910,6 +910,9 @@
  - Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
  - Atomic Test #4: Automated AD Recon (ADRecon) [windows]
  - Atomic Test #5: Adfind -Listing password policy [windows]
+  - Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
+  - Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
+  - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -918,10 +921,13 @@
  - Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
  - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
  - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
+  - Atomic Test #8: Adfind - Query Active Directory Groups [windows]
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
  - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
  - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
  - Atomic Test #3: Powershell enumerate domains and forests [windows]
+  - Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
+  - Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1083 File and Directory Discovery](../../T1083/T1083.md)
  - Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
@@ -984,6 +990,8 @@
  - Atomic Test #7: Remote System Discovery - sweep [linux, macos]
  - Atomic Test #8: Remote System Discovery - nslookup [windows]
  - Atomic Test #9: Remote System Discovery - adidnsdump [windows]
+  - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
+  - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -1013,6 +1021,7 @@
  - Atomic Test #3: System Network Configuration Discovery [macos, linux]
  - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
  - Atomic Test #5: List Open Egress Ports [windows]
+  - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
@@ -594,6 +594,9 @@
  - Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
  - Atomic Test #4: Automated AD Recon (ADRecon) [windows]
  - Atomic Test #5: Adfind -Listing password policy [windows]
+  - Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
+  - Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
+  - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -602,10 +605,13 @@
  - Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
  - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
  - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
+  - Atomic Test #8: Adfind - Query Active Directory Groups [windows]
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
  - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
  - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
  - Atomic Test #3: Powershell enumerate domains and forests [windows]
+  - Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
+  - Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1083 File and Directory Discovery](../../T1083/T1083.md)
  - Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
@@ -645,6 +651,8 @@
  - Atomic Test #5: Remote System Discovery - arp [windows]
  - Atomic Test #8: Remote System Discovery - nslookup [windows]
  - Atomic Test #9: Remote System Discovery - adidnsdump [windows]
+  - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
+  - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -664,6 +672,7 @@
  - Atomic Test #2: List Windows Firewall Rules [windows]
  - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
  - Atomic Test #5: List Open Egress Ports [windows]
+  - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
  - Atomic Test #1: System Network Connections Discovery [windows]
  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
@@ -39104,6 +39104,42 @@ discovery:

 '
        name: powershell
+    - name: Adfind - Enumerate Active Directory Admins
+      auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a
+      description: |
+        Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts
+        reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -sc admincountdmp
+
+'
+        name: command_prompt
+    - name: Adfind - Enumerate Active Directory User Objects
+      auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
+      description: |
+        Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects
+        reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+      supported_platforms:
+      - windows
+      executor:
+        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=person)
+
+'
+        name: command_prompt
+    - name: Adfind - Enumerate Active Directory Exchange AD Objects
+      auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
+      description: |
+        Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects
+        reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+      supported_platforms:
+      - windows
+      executor:
+        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -sc exchaddresses
+
+'
+        name: command_prompt
  T1069.002:
    technique:
      external_references:
@@ -39272,6 +39308,18 @@ discovery:
          -eq $TRUE}

 '
+    - name: Adfind - Query Active Directory Groups
+      auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274
+      description: |
+        Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups
+        reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+      supported_platforms:
+      - windows
+      executor:
+        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=group)
+
+'
+        name: command_prompt
  T1482:
    technique:
      created: '2019-02-14T16:15:05.974Z'
@@ -39419,6 +39467,30 @@ discovery:
          Get-ADDomain
          Get-ADGroupMember Administrators -Recursive
        name: powershell
+    - name: Adfind - Enumerate Active Directory OUs
+      auto_generated_guid: d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec
+      description: |
+        Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs
+        reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+      supported_platforms:
+      - windows
+      executor:
+        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=organizationalUnit)
+
+'
+        name: command_prompt
+    - name: Adfind - Enumerate Active Directory Trusts
+      auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834
+      description: |
+        Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts
+        reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+      supported_platforms:
+      - windows
+      executor:
+        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -gcb -sc trustdmp
+
+'
+        name: command_prompt
  T1087.003:
    technique:
      external_references:
@@ -41077,6 +41149,30 @@ discovery:
 '
        name: command_prompt
        elevation_required: true
+    - name: Adfind - Enumerate Active Directory Computer Objects
+      auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4
+      description: |
+        Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects
+        reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+      supported_platforms:
+      - windows
+      executor:
+        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=computer)
+
+'
+        name: command_prompt
+    - name: Adfind - Enumerate Active Directory Domain Controller Objects
+      auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
+      description: |
+        Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects
+        reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+      supported_platforms:
+      - windows
+      executor:
+        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -sc dclist
+
+'
+        name: command_prompt
  T1518.001:
    technique:
      external_references:
@@ -41773,6 +41869,18 @@ discovery:

 '
        name: powershell
+    - name: Adfind - Enumerate Active Directory Subnet Objects
+      auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee
+      description: |
+        Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
+        reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+      supported_platforms:
+      - windows
+      executor:
+        command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=subnet)
+
+'
+        name: command_prompt
  T1049:
    technique:
      object_marking_refs:
@@ -16,6 +16,8 @@ Adversaries may use the information from [System Network Configuration Discovery

 - [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports)

+- [Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects](#atomic-test-6---adfind---enumerate-active-directory-subnet-objects)
+

 <br/>

@@ -206,4 +208,29 @@ Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"



+<br/>
+<br/>
+
+## Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects
+Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
+reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=subnet)
+```
+
+
+
+
+
+
 <br/>
@@ -123,6 +123,7 @@ atomic_tests:
      Remove-Item -ErrorAction ignore "#{output_file}"
    name: powershell
 - name: Adfind - Enumerate Active Directory Subnet Objects
+  auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee
  description: | 
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
@@ -26,6 +26,10 @@ Within IaaS (Infrastructure as a Service) environments, remote systems include i

 - [Atomic Test #9 - Remote System Discovery - adidnsdump](#atomic-test-9---remote-system-discovery---adidnsdump)

+- [Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects](#atomic-test-10---adfind---enumerate-active-directory-computer-objects)
+
+- [Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects](#atomic-test-11---adfind---enumerate-active-directory-domain-controller-objects)
+

 <br/>

@@ -327,4 +331,54 @@ pip3 install adidnsdump



+<br/>
+<br/>
+
+## Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects
+Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects
+reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=computer)
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects
+Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects
+reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+PathToAtomicsFolder\T1087.002\src\AdFind -sc dclist
+```
+
+
+
+
+
+
 <br/>
@@ -179,6 +179,7 @@ atomic_tests:
    name: command_prompt
    elevation_required: true
 - name: Adfind - Enumerate Active Directory Computer Objects
+  auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4
  description: | 
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
@@ -189,6 +190,7 @@ atomic_tests:
      PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=computer)
    name: command_prompt
 - name: Adfind - Enumerate Active Directory Domain Controller Objects
+  auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
  description: | 
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
@@ -20,6 +20,8 @@ Commands such as <code>net group /domain</code> of the [Net](https://attack.mitr

 - [Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)](#atomic-test-7---enumerate-users-not-requiring-pre-auth-asreproast)

+- [Atomic Test #8 - Adfind - Query Active Directory Groups](#atomic-test-8---adfind---query-active-directory-groups)
+

 <br/>

@@ -227,4 +229,29 @@ Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.



+<br/>
+<br/>
+
+## Atomic Test #8 - Adfind - Query Active Directory Groups
+Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups
+reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=group)
+```
+
+
+
+
+
+
 <br/>
@@ -104,6 +104,7 @@ atomic_tests:
    command: |
      get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}
 - name: Adfind - Query Active Directory Groups
+  auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274
  description: | 
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
@@ -16,6 +16,12 @@ Commands such as <code>net user /domain</code> and <code>net group /domain</code

 - [Atomic Test #5 - Adfind -Listing password policy](#atomic-test-5---adfind--listing-password-policy)

+- [Atomic Test #6 - Adfind - Enumerate Active Directory Admins](#atomic-test-6---adfind---enumerate-active-directory-admins)
+
+- [Atomic Test #7 - Adfind - Enumerate Active Directory User Objects](#atomic-test-7---adfind---enumerate-active-directory-user-objects)
+
+- [Atomic Test #8 - Adfind - Enumerate Active Directory Exchange AD Objects](#atomic-test-8---adfind---enumerate-active-directory-exchange-ad-objects)
+

 <br/>

@@ -169,4 +175,79 @@ PathToAtomicsFolder\T1087.002\src\AdFind -default -s base lockoutduration lockou



+<br/>
+<br/>
+
+## Atomic Test #6 - Adfind - Enumerate Active Directory Admins
+Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts
+reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+PathToAtomicsFolder\T1087.002\src\AdFind -sc admincountdmp
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Adfind - Enumerate Active Directory User Objects
+Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects
+reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=person)
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - Adfind - Enumerate Active Directory Exchange AD Objects
+Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects
+reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+PathToAtomicsFolder\T1087.002\src\AdFind -sc exchaddresses
+```
+
+
+
+
+
+
 <br/>
@@ -79,6 +79,7 @@ atomic_tests:
      PathToAtomicsFolder\T1087.002\src\AdFind -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
    name: powershell
 - name: Adfind - Enumerate Active Directory Admins
+  auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a
  description: | 
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts
    reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
@@ -89,6 +90,7 @@ atomic_tests:
      PathToAtomicsFolder\T1087.002\src\AdFind -sc admincountdmp
    name: command_prompt
 - name: Adfind - Enumerate Active Directory User Objects
+  auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
  description: | 
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
@@ -99,6 +101,7 @@ atomic_tests:
      PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=person)
    name: command_prompt
 - name: Adfind - Enumerate Active Directory Exchange AD Objects
+  auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
  description: | 
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
@@ -10,6 +10,10 @@

 - [Atomic Test #3 - Powershell enumerate domains and forests](#atomic-test-3---powershell-enumerate-domains-and-forests)

+- [Atomic Test #4 - Adfind - Enumerate Active Directory OUs](#atomic-test-4---adfind---enumerate-active-directory-ous)
+
+- [Atomic Test #5 - Adfind - Enumerate Active Directory Trusts](#atomic-test-5---adfind---enumerate-active-directory-trusts)
+

 <br/>

@@ -123,4 +127,54 @@ Write-Host "Sorry RSAT must be installed manually"



+<br/>
+<br/>
+
+## Atomic Test #4 - Adfind - Enumerate Active Directory OUs
+Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs
+reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=organizationalUnit)
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Adfind - Enumerate Active Directory Trusts
+Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts
+reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+PathToAtomicsFolder\T1087.002\src\AdFind -gcb -sc trustdmp
+```
+
+
+
+
+
+
 <br/>
@@ -61,6 +61,7 @@ atomic_tests:
      Get-ADGroupMember Administrators -Recursive
    name: powershell
 - name: Adfind - Enumerate Active Directory OUs
+  auto_generated_guid: d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec
  description: | 
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
@@ -71,6 +72,7 @@ atomic_tests:
      PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=organizationalUnit)
    name: command_prompt
 - name: Adfind - Enumerate Active Directory Trusts
+  auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834
  description: | 
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
@@ -598,3 +598,12 @@ f7536d63-7fd4-466f-89da-7e48d550752a
 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
 f373b482-48c8-4ce4-85ed-d40c8b3f7310
 79d57242-bbef-41db-b301-9d01d9f6e817
+9bb45dd7-c466-4f93-83a1-be30e56033ee
+a889f5be-2d54-4050-bd05-884578748bb4
+5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
+48ddc687-82af-40b7-8472-ff1e742e8274
+b95fd967-4e62-4109-b48d-265edfd28c3a
+e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
+5e2938fb-f919-47b6-8b29-2f6a1f718e99
+d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec
+15fe436d-e771-4ff3-b655-2dca9ba52834