Inital Commit for adfind Ryuk tests (#1275)

Ransomware actors leverage adfind to perform Active Directory recon. These tests cover most of the behaviors observed via public threat intelligence sources Co-authored-by: Jimmy Astle <jastle@vmware.com> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-11-04 10:24:13 -05:00
parent bf4bbbb82a
commit 6a686bea42
5 changed files with 95 additions and 0 deletions
@@ -122,4 +122,15 @@ atomic_tests:
    cleanup_command: |
      Remove-Item -ErrorAction ignore "#{output_file}"
    name: powershell
+- name: Adfind - Enumerate Active Directory Subnet Objects
+  description: | 
+    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
+    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=subnet)
+    name: command_prompt
+

@@ -178,4 +178,25 @@ atomic_tests:
      adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
    name: command_prompt
    elevation_required: true
+- name: Adfind - Enumerate Active Directory Computer Objects
+  description: | 
+    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects
+    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=computer)
+    name: command_prompt
+- name: Adfind - Enumerate Active Directory Domain Controller Objects
+  description: | 
+    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects
+    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      PathToAtomicsFolder\T1087.002\src\AdFind -sc dclist
+    name: command_prompt
+
    
@@ -103,3 +103,14 @@ atomic_tests:
    elevation_required: false
    command: |
      get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}
+- name: Adfind - Query Active Directory Groups
+  description: | 
+    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups
+    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=group)
+    name: command_prompt
+
@@ -78,3 +78,34 @@ atomic_tests:
    command: |
      PathToAtomicsFolder\T1087.002\src\AdFind -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
    name: powershell
+- name: Adfind - Enumerate Active Directory Admins
+  description: | 
+    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts
+    reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      PathToAtomicsFolder\T1087.002\src\AdFind -sc admincountdmp
+    name: command_prompt
+- name: Adfind - Enumerate Active Directory User Objects
+  description: | 
+    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects
+    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=person)
+    name: command_prompt
+- name: Adfind - Enumerate Active Directory Exchange AD Objects
+  description: | 
+    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects
+    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      PathToAtomicsFolder\T1087.002\src\AdFind -sc exchaddresses
+    name: command_prompt
+
@@ -60,4 +60,25 @@ atomic_tests:
      Get-ADDomain
      Get-ADGroupMember Administrators -Recursive
    name: powershell
+- name: Adfind - Enumerate Active Directory OUs
+  description: | 
+    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs
+    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      PathToAtomicsFolder\T1087.002\src\AdFind -f (objectcategory=organizationalUnit)
+    name: command_prompt
+- name: Adfind - Enumerate Active Directory Trusts
+  description: | 
+    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts
+    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      PathToAtomicsFolder\T1087.002\src\AdFind -gcb -sc trustdmp
+    name: command_prompt
+