From 2ef8ebdcf1243cf76f96c7920d7aa5eb38840485 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Wed, 4 Nov 2020 15:24:54 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/Indexes/Indexes-CSV/index.csv | 9 ++
 atomics/Indexes/Indexes-CSV/windows-index.csv | 9 ++
 atomics/Indexes/Indexes-Markdown/index.md | 9 ++
 .../Indexes/Indexes-Markdown/windows-index.md | 9 ++
 atomics/Indexes/index.yaml | 108 ++++++++++++++++++
 atomics/T1016/T1016.md | 27 +++++
 atomics/T1016/T1016.yaml | 1 +
 atomics/T1018/T1018.md | 54 +++++++++
 atomics/T1018/T1018.yaml | 2 +
 atomics/T1069.002/T1069.002.md | 27 +++++
 atomics/T1069.002/T1069.002.yaml | 1 +
 atomics/T1087.002/T1087.002.md | 81 +++++++++++++
 atomics/T1087.002/T1087.002.yaml | 3 +
 atomics/T1482/T1482.md | 54 +++++++++
 atomics/T1482/T1482.yaml | 2 +
 atomics/used_guids.txt | 9 ++
 16 files changed, 405 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index d7c5e659..e1365cdc 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -497,6 +497,9 @@ discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Doma
 discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
 discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
 discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,powershell
+discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
+discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
+discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -504,9 +507,12 @@ discovery,T1069.002,Domain Groups,4,Find machines where user has local admin acc
 discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
 discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
 discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
+discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
+discovery,T1482,Domain Trust Discovery,4,Adfind - Enumerate Active Directory OUs,d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec,command_prompt
+discovery,T1482,Domain Trust Discovery,5,Adfind - Enumerate Active Directory Trusts,15fe436d-e771-4ff3-b655-2dca9ba52834,command_prompt
 discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
 discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
 discovery,T1083,File and Directory Discovery,3,Nix File and Diectory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
@@ -556,6 +562,8 @@ discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6
 discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
 discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
 discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
+discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
+discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps,ba62ce11-e820-485f-9c17-6f3c857cd840,sh
@@ -580,6 +588,7 @@ discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall R
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
 discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
+discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index b4de4515..fd8864e1 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -309,6 +309,9 @@ discovery,T1087.002,Domain Account,2,Enumerate all accounts via PowerShell (Doma
 discovery,T1087.002,Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
 discovery,T1087.002,Domain Account,4,Automated AD Recon (ADRecon),95018438-454a-468c-a0fa-59c800149b59,powershell
 discovery,T1087.002,Domain Account,5,Adfind -Listing password policy,736b4f53-f400-4c22-855d-1a6b5a551600,powershell
+discovery,T1087.002,Domain Account,6,Adfind - Enumerate Active Directory Admins,b95fd967-4e62-4109-b48d-265edfd28c3a,command_prompt
+discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Objects,e1ec8d20-509a-4b9a-b820-06c9b2da8eb7,command_prompt
+discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -316,9 +319,12 @@ discovery,T1069.002,Domain Groups,4,Find machines where user has local admin acc
 discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain (PowerView),a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd,powershell
 discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
 discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
+discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
+discovery,T1482,Domain Trust Discovery,4,Adfind - Enumerate Active Directory OUs,d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec,command_prompt
+discovery,T1482,Domain Trust Discovery,5,Adfind - Enumerate Active Directory Trusts,15fe436d-e771-4ff3-b655-2dca9ba52834,command_prompt
 discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt
 discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell
 discovery,T1087.001,Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt
@@ -345,6 +351,8 @@ discovery,T1018,Remote System Discovery,4,Remote System Discovery - ping sweep,6
 discovery,T1018,Remote System Discovery,5,Remote System Discovery - arp,2d5a61f5-0447-4be4-944a-1f8530ed6574,command_prompt
 discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa01aaa-5e13-45ec-8a0d-e46c93c9760f,powershell
 discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
+discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
+discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,4,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
@@ -359,6 +367,7 @@ discovery,T1016,System Network Configuration Discovery,1,System Network Configur
 discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt
 discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt
 discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell
+discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 149df96d..d575cdea 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -910,6 +910,9 @@
 - Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
 - Atomic Test #4: Automated AD Recon (ADRecon) [windows]
 - Atomic Test #5: Adfind -Listing password policy [windows]
+ - Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
+ - Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
+ - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
 - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
 - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -918,10 +921,13 @@
 - Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
 - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
 - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
+ - Atomic Test #8: Adfind - Query Active Directory Groups [windows]
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
 - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
 - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
 - Atomic Test #3: Powershell enumerate domains and forests [windows]
+ - Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
+ - Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1083 File and Directory Discovery](../../T1083/T1083.md)
 - Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
@@ -984,6 +990,8 @@
 - Atomic Test #7: Remote System Discovery - sweep [linux, macos]
 - Atomic Test #8: Remote System Discovery - nslookup [windows]
 - Atomic Test #9: Remote System Discovery - adidnsdump [windows]
+ - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
+ - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
 - Atomic Test #1: Security Software Discovery [windows]
 - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -1013,6 +1021,7 @@
 - Atomic Test #3: System Network Configuration Discovery [macos, linux]
 - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
 - Atomic Test #5: List Open Egress Ports [windows]
+ - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
 - Atomic Test #1: System Network Connections Discovery [windows]
 - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 84a6293e..9f6dd5b5 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -594,6 +594,9 @@
 - Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
 - Atomic Test #4: Automated AD Recon (ADRecon) [windows]
 - Atomic Test #5: Adfind -Listing password policy [windows]
+ - Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
+ - Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
+ - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
 - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
 - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -602,10 +605,13 @@
 - Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
 - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
 - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
+ - Atomic Test #8: Adfind - Query Active Directory Groups [windows]
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
 - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
 - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
 - Atomic Test #3: Powershell enumerate domains and forests [windows]
+ - Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
+ - Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
 - T1087.003 Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1083 File and Directory Discovery](../../T1083/T1083.md)
 - Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
@@ -645,6 +651,8 @@
 - Atomic Test #5: Remote System Discovery - arp [windows]
 - Atomic Test #8: Remote System Discovery - nslookup [windows]
 - Atomic Test #9: Remote System Discovery - adidnsdump [windows]
+ - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
+ - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
 - Atomic Test #1: Security Software Discovery [windows]
 - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -664,6 +672,7 @@
 - Atomic Test #2: List Windows Firewall Rules [windows]
 - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
 - Atomic Test #5: List Open Egress Ports [windows]
+ - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
 - Atomic Test #1: System Network Connections Discovery [windows]
 - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 7b48694a..8a128f08 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -39104,6 +39104,42 @@ discovery: ' name: powershell + - name: Adfind - Enumerate Active Directory Admins + auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a + description: | + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts + reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ + supported_platforms: + - windows + executor: + command: 'PathToAtomicsFolder\T1087.002\src\AdFind -sc admincountdmp + +' + name: command_prompt + - name: Adfind - Enumerate Active Directory User Objects + auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 + description: | + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects + reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + supported_platforms: + - windows + executor: + command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=person) + +' + name: command_prompt + - name: Adfind - Enumerate Active Directory Exchange AD Objects + auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99 + description: | + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects + reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + supported_platforms: + - windows + executor: + command: 'PathToAtomicsFolder\T1087.002\src\AdFind -sc exchaddresses + +' + name: command_prompt T1069.002: technique: external_references: 
@@ -39272,6 +39308,18 @@ discovery: -eq $TRUE} ' + - name: Adfind - Query Active Directory Groups + auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274 + description: | + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups + reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + supported_platforms: + - windows + executor: + command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=group) + +' + name: command_prompt T1482: technique: created: '2019-02-14T16:15:05.974Z' 
@@ -39419,6 +39467,30 @@ discovery: Get-ADDomain Get-ADGroupMember Administrators -Recursive name: powershell + - name: Adfind - Enumerate Active Directory OUs + auto_generated_guid: d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec + description: | + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs + reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + supported_platforms: + - windows + executor: + command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=organizationalUnit) + +' + name: command_prompt + - name: Adfind - Enumerate Active Directory Trusts + auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834 + description: | + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts + reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + supported_platforms: + - windows + executor: + command: 'PathToAtomicsFolder\T1087.002\src\AdFind -gcb -sc trustdmp + +' + name: command_prompt T1087.003: technique: external_references: 
@@ -41077,6 +41149,30 @@ discovery: ' name: command_prompt elevation_required: true + - name: Adfind - Enumerate Active Directory Computer Objects + auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4 + description: | + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects + reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + supported_platforms: + - windows + executor: + command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=computer) + +' + name: command_prompt + - name: Adfind - Enumerate Active Directory Domain Controller Objects + auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e + description: | + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects + reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + supported_platforms: + - windows + executor: + command: 'PathToAtomicsFolder\T1087.002\src\AdFind -sc dclist + +' + name: command_prompt T1518.001: technique: external_references: 
@@ -41773,6 +41869,18 @@ discovery: ' name: powershell + - name: Adfind - Enumerate Active Directory Subnet Objects + auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee + description: | + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects + reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + supported_platforms: + - windows + executor: + command: 'PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=subnet) + +' + name: command_prompt T1049: technique: object_marking_refs: diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index 4078350d..447bb76e 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -16,6 +16,8 @@ Adversaries may use the information from [System Network Configuration Discovery - [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports) +- [Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects](#atomic-test-6---adfind---enumerate-active-directory-subnet-objects) +
@@ -206,4 +208,29 @@ Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}" +
+
+ +## Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects +Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects +reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=subnet) +``` + + + + + +
diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml index ac3a8998..1c1ea07b 100644 --- a/atomics/T1016/T1016.yaml +++ b/atomics/T1016/T1016.yaml @@ -123,6 +123,7 @@ atomic_tests: Remove-Item -ErrorAction ignore "#{output_file}" name: powershell - name: Adfind - Enumerate Active Directory Subnet Objects + auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index 8a1f959d..24b999a0 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -26,6 +26,10 @@ Within IaaS (Infrastructure as a Service) environments, remote systems include i - [Atomic Test #9 - Remote System Discovery - adidnsdump](#atomic-test-9---remote-system-discovery---adidnsdump) +- [Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects](#atomic-test-10---adfind---enumerate-active-directory-computer-objects) + +- [Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects](#atomic-test-11---adfind---enumerate-active-directory-domain-controller-objects) +
@@ -327,4 +331,54 @@ pip3 install adidnsdump +
+
+ +## Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects +Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects +reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=computer) +``` + + + + + + +
+
+ +## Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects +Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects +reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +PathToAtomicsFolder\T1087.002\src\AdFind -sc dclist +``` + + + + + +
diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml index 36f443ea..74af1256 100644 --- a/atomics/T1018/T1018.yaml +++ b/atomics/T1018/T1018.yaml @@ -179,6 +179,7 @@ atomic_tests: name: command_prompt elevation_required: true - name: Adfind - Enumerate Active Directory Computer Objects + auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4 description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html @@ -189,6 +190,7 @@ atomic_tests: PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=computer) name: command_prompt - name: Adfind - Enumerate Active Directory Domain Controller Objects + auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index 11a224f7..712f54a0 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md @@ -20,6 +20,8 @@ Commands such as net group /domain of the [Net](https://attack.mitr - [Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)](#atomic-test-7---enumerate-users-not-requiring-pre-auth-asreproast) +- [Atomic Test #8 - Adfind - Query Active Directory Groups](#atomic-test-8---adfind---query-active-directory-groups) +
@@ -227,4 +229,29 @@ Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1. +
+
+ +## Atomic Test #8 - Adfind - Query Active Directory Groups +Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups +reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=group) +``` + + + + + +
diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml index 294a3cdc..46fe5d81 100644 --- a/atomics/T1069.002/T1069.002.yaml +++ b/atomics/T1069.002/T1069.002.yaml @@ -104,6 +104,7 @@ atomic_tests: command: | get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE} - name: Adfind - Query Active Directory Groups + auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274 description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index 7754e432..f119a26d 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -16,6 +16,12 @@ Commands such as net user /domain and net group /domain @@ -169,4 +175,79 @@ PathToAtomicsFolder\T1087.002\src\AdFind -default -s base lockoutduration lockou +
+
+ +## Atomic Test #6 - Adfind - Enumerate Active Directory Admins +Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts +reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +PathToAtomicsFolder\T1087.002\src\AdFind -sc admincountdmp +``` + + + + + + +
+
+ +## Atomic Test #7 - Adfind - Enumerate Active Directory User Objects +Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects +reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=person) +``` + + + + + + +
+
+ +## Atomic Test #8 - Adfind - Enumerate Active Directory Exchange AD Objects +Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects +reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +PathToAtomicsFolder\T1087.002\src\AdFind -sc exchaddresses +``` + + + + + +
diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml index 49423c21..0e4b56e3 100644 --- a/atomics/T1087.002/T1087.002.yaml +++ b/atomics/T1087.002/T1087.002.yaml @@ -79,6 +79,7 @@ atomic_tests: PathToAtomicsFolder\T1087.002\src\AdFind -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties name: powershell - name: Adfind - Enumerate Active Directory Admins + auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ @@ -89,6 +90,7 @@ atomic_tests: PathToAtomicsFolder\T1087.002\src\AdFind -sc admincountdmp name: command_prompt - name: Adfind - Enumerate Active Directory User Objects + auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html 
@@ -99,6 +101,7 @@ atomic_tests: PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=person) name: command_prompt - name: Adfind - Enumerate Active Directory Exchange AD Objects + auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99 description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md index a1237139..d6df6e9e 100644 --- a/atomics/T1482/T1482.md +++ b/atomics/T1482/T1482.md @@ -10,6 +10,10 @@ - [Atomic Test #3 - Powershell enumerate domains and forests](#atomic-test-3---powershell-enumerate-domains-and-forests) +- [Atomic Test #4 - Adfind - Enumerate Active Directory OUs](#atomic-test-4---adfind---enumerate-active-directory-ous) + +- [Atomic Test #5 - Adfind - Enumerate Active Directory Trusts](#atomic-test-5---adfind---enumerate-active-directory-trusts) +
@@ -123,4 +127,54 @@ Write-Host "Sorry RSAT must be installed manually" +
+
+
+## Atomic Test #4 - Adfind - Enumerate Active Directory OUs
+Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs
+reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=organizationalUnit)
+```
+
+
+
+
+
+
+
+
+
+## Atomic Test #5 - Adfind - Enumerate Active Directory Trusts
+Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts
+reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+PathToAtomicsFolder\T1087.002\src\AdFind -gcb -sc trustdmp
+```
+
+
+
+
+
+
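Review bot: Both new T1482 tests (#4 and #5) execute `PathToAtomicsFolder\T1087.002\src\AdFind`, a binary that lives under a different technique's folder, and the rendered tests carry no Dependencies / prerequisite section between "Supported Platforms" and "Attack Commands", so on a host where the T1087.002 payload is absent the command fails with "not recognized" and the executor records a failed test without ever querying the domain. Since this Markdown is generated, the fix belongs in T1482.yaml (the same path is visible as context in its hunk below): either ship/point the binary at T1482's own `src` folder, or declare the cross-technique dependency with a `dependencies` entry whose `prereq_command` is along the lines of `if not exist "PathToAtomicsFolder\T1087.002\src\AdFind.exe" (exit /b 1)` and a `get_prereq_command` that tells the operator where to obtain AdFind (it is a third-party joeware tool, so presumably the download step has to be explicit rather than automatic). A `description` sentence such as "Requires AdFind.exe from the T1087.002 atomics folder" would make the coupling visible to someone reading only this technique's docs. Minor: the trailing comma in `adfind/,` is glued to the first URL and most Markdown renderers fold it into the link; a space before the comma or a two-item list fixes that.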
diff --git a/atomics/T1482/T1482.yaml b/atomics/T1482/T1482.yaml index 10fb05f9..ffd2b62b 100644 --- a/atomics/T1482/T1482.yaml +++ b/atomics/T1482/T1482.yaml @@ -61,6 +61,7 @@ atomic_tests: Get-ADGroupMember Administrators -Recursive name: powershell - name: Adfind - Enumerate Active Directory OUs + auto_generated_guid: d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html @@ -71,6 +72,7 @@ atomic_tests: PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=organizationalUnit) name: command_prompt - name: Adfind - Enumerate Active Directory Trusts + auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834 description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 9ed6e811..d58f4b21 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -598,3 +598,12 @@ f7536d63-7fd4-466f-89da-7e48d550752a 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a f373b482-48c8-4ce4-85ed-d40c8b3f7310 79d57242-bbef-41db-b301-9d01d9f6e817 +9bb45dd7-c466-4f93-83a1-be30e56033ee +a889f5be-2d54-4050-bd05-884578748bb4 +5838c31e-a0e2-4b9f-b60a-d79d2cb7995e +48ddc687-82af-40b7-8472-ff1e742e8274 +b95fd967-4e62-4109-b48d-265edfd28c3a +e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 +5e2938fb-f919-47b6-8b29-2f6a1f718e99 +d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec +15fe436d-e771-4ff3-b655-2dca9ba52834