Generated docs from job=generate-docs branch=master [ci skip]

2022-04-29 21:19:24 +00:00
parent 389f4d13f0
commit a0c2520962
6 changed files with 109 additions and 1 deletions
@@ -854,6 +854,8 @@ discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Dom
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
 discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
 discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
+discovery,T1087.002,Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
+discovery,T1087.002,Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -591,6 +591,8 @@ discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Dom
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
 discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
 discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
+discovery,T1087.002,Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
+discovery,T1087.002,Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -1369,6 +1369,8 @@
  - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
  - Atomic Test #11: Get-DomainUser with PowerView [windows]
  - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
+  - Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
+  - Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -983,6 +983,8 @@
  - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
  - Atomic Test #11: Get-DomainUser with PowerView [windows]
  - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
+  - Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
+  - Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -58688,7 +58688,43 @@ discovery:
      executor:
        name: powershell
        elevation_required: false
-        command: ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
+        command: '([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
+
+          '
+    - name: Enumerate Linked Policies In ADSISearcher Discovery
+      auto_generated_guid: 7ab0205a-34e4-4a44-9b04-e1541d1a57be
+      description: |
+        The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory.
+        Upon successful execution a listing of users will output with their paths in AD.
+        Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "(([adsisearcher]’(objectcategory=organizationalunit)’).FindAll()).Path
+          | %{if(([ADSI]”$_”).gPlink){Write-Host “[+] OU Path:”([ADSI]”$_”).Path;$a=((([ADSI]”$_”).gplink)
+          -replace “[[;]” -split “]”);for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host
+          “Policy Path[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host
+          “Policy Name[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName}
+          };Write-Output “`n” }}\n"
+    - name: Enumerate Root Domain linked policies Discovery
+      auto_generated_guid: 00c652e2-0750-4ca6-82ff-0204684a6fe4
+      description: |
+        The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory.
+        Upon successful execution a listing of users will output with their paths in AD.
+        Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "(([adsisearcher]’’).SearchRooT).Path | %{if(([ADSI]”$_”).gPlink){Write-Host
+          “[+] Domain Path:”([ADSI]”$_”).Path;$a=((([ADSI]”$_”).gplink) -replace “[[;]”
+          -split “]”);for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host “Policy
+          Path[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host
+          “Policy Name[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName}
+          };Write-Output “`n” }}\n"
  T1069.002:
    technique:
      type: attack-pattern
@@ -30,6 +30,10 @@ Commands such as <code>net user /domain</code> and <code>net group /domain</code

 - [Atomic Test #12 - Enumerate Active Directory Users with ADSISearcher](#atomic-test-12---enumerate-active-directory-users-with-adsisearcher)

+- [Atomic Test #13 - Enumerate Linked Policies In ADSISearcher Discovery](#atomic-test-13---enumerate-linked-policies-in-adsisearcher-discovery)
+
+- [Atomic Test #14 - Enumerate Root Domain linked policies Discovery](#atomic-test-14---enumerate-root-domain-linked-policies-discovery)
+

 <br/>

@@ -504,4 +508,64 @@ Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearc



+<br/>
+<br/>
+
+## Atomic Test #13 - Enumerate Linked Policies In ADSISearcher Discovery
+The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory.
+Upon successful execution a listing of users will output with their paths in AD.
+Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7ab0205a-34e4-4a44-9b04-e1541d1a57be
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+(([adsisearcher]’(objectcategory=organizationalunit)’).FindAll()).Path | %{if(([ADSI]”$_”).gPlink){Write-Host “[+] OU Path:”([ADSI]”$_”).Path;$a=((([ADSI]”$_”).gplink) -replace “[[;]” -split “]”);for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host “Policy Path[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host “Policy Name[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output “`n” }}
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #14 - Enumerate Root Domain linked policies Discovery
+The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory.
+Upon successful execution a listing of users will output with their paths in AD.
+Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 00c652e2-0750-4ca6-82ff-0204684a6fe4
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+(([adsisearcher]’’).SearchRooT).Path | %{if(([ADSI]”$_”).gPlink){Write-Host “[+] Domain Path:”([ADSI]”$_”).Path;$a=((([ADSI]”$_”).gplink) -replace “[[;]” -split “]”);for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host “Policy Path[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host “Policy Name[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output “`n” }}
+```
+
+
+
+
+
+
 <br/>