move adfind to external resource (#2464)

Carrie Roberts
2023-06-15 14:40:50 -07:00
committed by GitHub
parent 868f5477f6
commit 32a4415e43
6 changed files with 52 additions and 110 deletions
+5 -10
@@ -137,23 +137,18 @@ atomic_tests:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (#{adfind_path})
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: |
#{adfind_path} -f (objectcategory=subnet)
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=subnet)
name: command_prompt
- name: Qakbot Recon
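Review bot: The rewritten `get_prereq_command` still fetches `https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe`, the in-repo location this commit appears to vacate (the diffstat shows one binary deleted, rendered only as "Binary file not shown."), so if that deleted binary is the one at this path the prerequisite fetch will start failing as soon as the change lands on master. Independently of that, the executable is downloaded from a mutable `master` ref and later executed with no integrity check; pin the ref and verify the file before the prerequisite counts as satisfied, e.g. `Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/<PINNED_COMMIT_SHA>/<PATH_TO_ADFIND_EXE>" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe` followed by `if ((Get-FileHash PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -Algorithm SHA256).Hash -ne "<EXPECTED_SHA256>") { Remove-Item PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe; exit 1 }` (placeholders to be filled with the pinned commit and the published hash). The identical fetch stanza is repeated in every other YAML file section of this commit, so the same change is needed there. The surrounding test definition begins above the hunk.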
+10 -20
@@ -198,23 +198,18 @@ atomic_tests:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (#{adfind_path})
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: |
#{adfind_path} -f (objectcategory=computer)
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=computer)
name: command_prompt
- name: Adfind - Enumerate Active Directory Domain Controller Objects
auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
@@ -223,23 +218,18 @@ atomic_tests:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (#{adfind_path})
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: |
#{adfind_path} -sc dclist
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc dclist
name: command_prompt
- name: Remote System Discovery - ip neighbour
+5 -10
@@ -115,24 +115,19 @@ atomic_tests:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (#{adfind_path})
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: |
#{adfind_path} -f (objectcategory=group)
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=group)
name: command_prompt
- name: Enumerate Active Directory Groups with Get-AdGroup
auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
+22 -50
@@ -74,23 +74,18 @@ atomic_tests:
reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (#{adfind_path})
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: |
#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
name: command_prompt
- name: Adfind - Enumerate Active Directory Admins
auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a
@@ -99,23 +94,18 @@ atomic_tests:
reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (#{adfind_path})
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: |
#{adfind_path} -sc admincountdmp
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc admincountdmp
name: command_prompt
- name: Adfind - Enumerate Active Directory User Objects
auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
@@ -124,23 +114,18 @@ atomic_tests:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (#{adfind_path})
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: |
#{adfind_path} -f (objectcategory=person)
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=person)
name: command_prompt
- name: Adfind - Enumerate Active Directory Exchange AD Objects
auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
@@ -149,23 +134,18 @@ atomic_tests:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (#{adfind_path})
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: |
#{adfind_path} -sc exchaddresses
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc exchaddresses
name: command_prompt
- name: Enumerate Default Domain Admin Details (Domain)
auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
@@ -379,16 +359,12 @@ atomic_tests:
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to adfind
type: string
default: C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe
domain:
description: Domain of the host
type: string
default: $env:USERDOMAIN
executor:
command: '#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer" *'
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} -s subtree -f "objectclass=computer" *'
cleanup_command:
name: powershell
elevation_required: false
@@ -399,16 +375,12 @@ atomic_tests:
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to adfind
type: string
default: C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe
domain:
description: Domain of the host
type: string
default: $env:USERDOMAIN
executor:
command: '#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime'
command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime'
cleanup_command:
name: powershell
elevation_required: false
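Review bot: The hunks at `@@ -379` and `@@ -399` now hard-code `PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe` in the executor command but, unlike the earlier hunks in this file, show no `dependency_executor_name`/`dependencies` stanza, so nothing checks for or fetches the binary before these two tests run, and with the `adfind_path` argument removed a user can no longer point them at an existing copy either. Unless a dependencies block exists outside the hunk, add the same prerequisite stanza the other tests in this file use, with the same download URL, as sketched below. The bare `cleanup_command:` on the context line is pre-existing but parses as null; `cleanup_command: ''` or dropping the key would be clearer.
```yaml
  # … unchanged: supported_platforms / input_arguments (domain) …
  dependency_executor_name: powershell
  dependencies:
  - description: |
      AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
    prereq_command: |
      if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "<ADFIND_DOWNLOAD_URL, same as the other stanzas in this file>" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
  executor:
```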
Binary file not shown.
+10 -20
@@ -70,23 +70,18 @@ atomic_tests:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (#{adfind_path})
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: |
#{adfind_path} -f (objectcategory=organizationalUnit)
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=organizationalUnit)
name: command_prompt
- name: Adfind - Enumerate Active Directory Trusts
auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834
@@ -95,23 +90,18 @@ atomic_tests:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (#{adfind_path})
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe
executor:
command: |
#{adfind_path} -gcb -sc trustdmp
PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -gcb -sc trustdmp
name: command_prompt
- name: Get-DomainTrust with PowerView