diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml index cc5b184d..bb8b88e9 100644 --- a/atomics/T1016/T1016.yaml +++ b/atomics/T1016/T1016.yaml @@ -137,23 +137,18 @@ atomic_tests: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - description: | - AdFind.exe must exist on disk at specified location (#{adfind_path}) + AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) prereq_command: | - if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: command: | - #{adfind_path} -f (objectcategory=subnet) + PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=subnet) name: command_prompt - name: Qakbot Recon diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml index 1c591090..a51d1b75 100644 --- a/atomics/T1018/T1018.yaml +++ b/atomics/T1018/T1018.yaml 
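Review bot: The new get_prereq_command still fetches `https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe`, but this same commit deletes `atomics/T1087.002/src/AdFind.exe`, so once merged the download returns 404 and the prerequisite can never be satisfied; the identical `-Uri` is repeated in the AdFind hunks of T1018, T1069.002, T1087.002 and T1482. The fetched executable is also written to ExternalPayloads and run with no integrity check, so the fetch should pin a SHA-256 and delete the file on mismatch (the hash and relocated URL below are placeholders to be filled in from the published binary). Only the T1069.002 hunk forces TLS 1.2 before Invoke-WebRequest; the other files should do the same for consistency. Quoting the `PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe` argument would additionally keep Test-Path and split-path working when the atomics folder path contains spaces.
```yaml
      get_prereq_command: |
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
        Invoke-WebRequest -Uri "<URL_OF_RELOCATED_ADFIND_BINARY>" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
        $actual = (Get-FileHash "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -Algorithm SHA256).Hash
        if ($actual -ne "<EXPECTED_SHA256_PLACEHOLDER>") { Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -Force; exit 1 }
    # … unchanged: executor …
```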
@@ -198,23 +198,18 @@ atomic_tests: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - description: | - AdFind.exe must exist on disk at specified location (#{adfind_path}) + AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) prereq_command: | - if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: command: | - #{adfind_path} -f (objectcategory=computer) + PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=computer) name: command_prompt - name: Adfind - Enumerate Active Directory Domain Controller Objects auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e 
@@ -223,23 +218,18 @@ atomic_tests: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - description: | - AdFind.exe must exist on disk at specified location (#{adfind_path}) + AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) prereq_command: | - if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: command: | - #{adfind_path} -sc dclist + PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc dclist name: command_prompt - name: Remote System Discovery - ip neighbour diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml index 0188e78f..807d1f76 100644 --- a/atomics/T1069.002/T1069.002.yaml +++ b/atomics/T1069.002/T1069.002.yaml 
@@ -115,24 +115,19 @@ atomic_tests: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - description: | - AdFind.exe must exist on disk at specified location (#{adfind_path}) + AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) prereq_command: | - if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: command: | - #{adfind_path} -f (objectcategory=group) + PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=group) name: command_prompt - name: Enumerate Active Directory Groups with Get-AdGroup auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml index 0f4f6225..909dc3e0 100644 --- a/atomics/T1087.002/T1087.002.yaml +++ b/atomics/T1087.002/T1087.002.yaml 
@@ -74,23 +74,18 @@ atomic_tests: reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - description: | - AdFind.exe must exist on disk at specified location (#{adfind_path}) + AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) prereq_command: | - if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: command: | - #{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties + PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties name: command_prompt - name: Adfind - Enumerate Active Directory Admins auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a 
@@ -99,23 +94,18 @@ atomic_tests: reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - description: | - AdFind.exe must exist on disk at specified location (#{adfind_path}) + AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) prereq_command: | - if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: command: | - #{adfind_path} -sc admincountdmp + PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc admincountdmp name: command_prompt - name: Adfind - Enumerate Active Directory User Objects auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 
@@ -124,23 +114,18 @@ atomic_tests: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - description: | - AdFind.exe must exist on disk at specified location (#{adfind_path}) + AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) prereq_command: | - if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: command: | - #{adfind_path} -f (objectcategory=person) + PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=person) name: command_prompt - name: Adfind - Enumerate Active Directory Exchange AD Objects auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99 
@@ -149,23 +134,18 @@ atomic_tests: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - description: | - AdFind.exe must exist on disk at specified location (#{adfind_path}) + AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) prereq_command: | - if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: command: | - #{adfind_path} -sc exchaddresses + PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -sc exchaddresses name: command_prompt - name: Enumerate Default Domain Admin Details (Domain) auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef 
@@ -379,16 +359,12 @@ atomic_tests: supported_platforms: - windows input_arguments: - adfind_path: - description: Path to adfind - type: string - default: C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe domain: description: Domain of the host type: string default: $env:USERDOMAIN executor: - command: '#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer" *' + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} -s subtree -f "objectclass=computer" *' cleanup_command: name: powershell elevation_required: false @@ -399,16 +375,12 @@ atomic_tests: supported_platforms: - windows input_arguments: - adfind_path: - description: Path to adfind - type: string - default: C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe domain: description: Domain of the host type: string default: $env:USERDOMAIN executor: - command: '#{adfind_path} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime' + command: 'PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime' cleanup_command: name: powershell elevation_required: false \ No newline at end of file diff --git a/atomics/T1087.002/src/AdFind.exe b/atomics/T1087.002/src/AdFind.exe deleted file mode 100644 index 1cfe1c99..00000000 Binary files a/atomics/T1087.002/src/AdFind.exe and /dev/null differ diff --git a/atomics/T1482/T1482.yaml b/atomics/T1482/T1482.yaml index d0205711..03297877 100644 --- a/atomics/T1482/T1482.yaml +++ b/atomics/T1482/T1482.yaml 
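Review bot: Both hunks on this line inline `PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe` into `command:`, but neither test carries a `dependencies` stanza, so there is no prereq_command to confirm the binary exists and no get_prereq_command to fetch it; run on their own these tests fail unless an earlier AdFind test happened to populate ExternalPayloads first. The AdFind tests higher in this file use a `dependency_executor_name: powershell` / `dependencies:` block with a Test-Path prerequisite, and the same block belongs here. Removing the `adfind_path` input argument also takes away the operator's ability to point at an already-present AdFind copy without editing the YAML; keeping the argument with the new path as its default would preserve that.
```yaml
    dependency_executor_name: powershell
    dependencies:
    - description: |
        AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
      prereq_command: |
        if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
      # get_prereq_command: same hash-verified fetch as the earlier AdFind tests in this file
    executor:
    # … unchanged: command, cleanup_command, name, elevation_required …
```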
@@ -70,23 +70,18 @@ atomic_tests: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - description: | - AdFind.exe must exist on disk at specified location (#{adfind_path}) + AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) prereq_command: | - if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: command: | - #{adfind_path} -f (objectcategory=organizationalUnit) + PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -f (objectcategory=organizationalUnit) name: command_prompt - name: Adfind - Enumerate Active Directory Trusts auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834 
@@ -95,23 +90,18 @@ atomic_tests: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows - input_arguments: - adfind_path: - description: Path to the AdFind executable - type: path - default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: - description: | - AdFind.exe must exist on disk at specified location (#{adfind_path}) + AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) prereq_command: | - if (Test-Path #{adfind_path}) {exit 0} else {exit 1} + if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) {exit 0} else {exit 1} get_prereq_command: | - New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} + New-Item -Type Directory (split-path PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) -ErrorAction ignore | Out-Null + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe executor: command: | - #{adfind_path} -gcb -sc trustdmp + PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe -gcb -sc trustdmp name: command_prompt - name: Get-DomainTrust with PowerView