From a0c252096269175fd1fb73ccbc5dddb8f17bfcdb Mon Sep 17 00:00:00 2001
From: Atomic Red Team doc generator
Date: Fri, 29 Apr 2022 21:19:24 +0000
Subject: [PATCH] Generated docs from job=generate-docs branch=master [ci skip]
---
 atomics/Indexes/Indexes-CSV/index.csv | 2 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 2 +
 atomics/Indexes/Indexes-Markdown/index.md | 2 +
 .../Indexes/Indexes-Markdown/windows-index.md | 2 +
 atomics/Indexes/index.yaml | 38 ++++++++++-
 atomics/T1087.002/T1087.002.md | 64 +++++++++++++++++++
 6 files changed, 109 insertions(+), 1 deletion(-)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 5499636d..c91d647c 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -854,6 +854,8 @@ discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Dom
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
 discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
 discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
+discovery,T1087.002,Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
+discovery,T1087.002,Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 692aced5..9f4db0da 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -591,6 +591,8 @@ discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Dom
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
 discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
 discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
+discovery,T1087.002,Domain Account,13,Enumerate Linked Policies In ADSISearcher Discovery,7ab0205a-34e4-4a44-9b04-e1541d1a57be,powershell
+discovery,T1087.002,Domain Account,14,Enumerate Root Domain linked policies Discovery,00c652e2-0750-4ca6-82ff-0204684a6fe4,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 3ae99a6c..b6cf22e2 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1369,6 +1369,8 @@
 - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
 - Atomic Test #11: Get-DomainUser with PowerView [windows]
 - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
+ - Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
+ - Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
 - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
 - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 7cf3428c..1c65b577 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -983,6 +983,8 @@
 - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
 - Atomic Test #11: Get-DomainUser with PowerView [windows]
 - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
+ - Atomic Test #13: Enumerate Linked Policies In ADSISearcher Discovery [windows]
+ - Atomic Test #14: Enumerate Root Domain linked policies Discovery [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
 - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
 - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index a248ada0..9b145f5f 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -58688,7 +58688,43 @@ discovery:
 executor:
 name: powershell
 elevation_required: false
- command: ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
+ command: '([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
+
+ '
+ - name: Enumerate Linked Policies In ADSISearcher Discovery
+ auto_generated_guid: 7ab0205a-34e4-4a44-9b04-e1541d1a57be
+ description: |
+ The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory.
+ Upon successful execution a listing of users will output with their paths in AD.
+ Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: "(([adsisearcher]’(objectcategory=organizationalunit)’).FindAll()).Path
+ | %{if(([ADSI]”$_”).gPlink){Write-Host “[+] OU Path:”([ADSI]”$_”).Path;$a=((([ADSI]”$_”).gplink)
+ -replace “[[;]” -split “]”);for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host
+ “Policy Path[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host
+ “Policy Name[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName}
+ };Write-Output “`n” }}\n"
+ - name: Enumerate Root Domain linked policies Discovery
+ auto_generated_guid: 00c652e2-0750-4ca6-82ff-0204684a6fe4
+ description: |
+ The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory.
+ Upon successful execution a listing of users will output with their paths in AD.
+ Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: "(([adsisearcher]’’).SearchRooT).Path | %{if(([ADSI]”$_”).gPlink){Write-Host
+ “[+] Domain Path:”([ADSI]”$_”).Path;$a=((([ADSI]”$_”).gplink) -replace “[[;]”
+ -split “]”);for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host “Policy
+ Path[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host
+ “Policy Name[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName}
+ };Write-Output “`n” }}\n"
 T1069.002:
 technique:
 type: attack-pattern
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md
index 8c53c827..1e0db388 100644
--- a/atomics/T1087.002/T1087.002.md
+++ b/atomics/T1087.002/T1087.002.md
@@ -30,6 +30,10 @@ Commands such as net user /domain and net group /domain
@@ -504,4 +508,64 @@ Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearc
+
+
+ +## Atomic Test #13 - Enumerate Linked Policies In ADSISearcher Discovery +The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory. +Upon successful execution a listing of users will output with their paths in AD. +Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81 + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 7ab0205a-34e4-4a44-9b04-e1541d1a57be + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +(([adsisearcher]’(objectcategory=organizationalunit)’).FindAll()).Path | %{if(([ADSI]”$_”).gPlink){Write-Host “[+] OU Path:”([ADSI]”$_”).Path;$a=((([ADSI]”$_”).gplink) -replace “[[;]” -split “]”);for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host “Policy Path[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host “Policy Name[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output “`n” }} +``` + + + + + + +
+
+ +## Atomic Test #14 - Enumerate Root Domain linked policies Discovery +The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory. +Upon successful execution a listing of users will output with their paths in AD. +Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81 + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 00c652e2-0750-4ca6-82ff-0204684a6fe4 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +(([adsisearcher]’’).SearchRooT).Path | %{if(([ADSI]”$_”).gPlink){Write-Host “[+] Domain Path:”([ADSI]”$_”).Path;$a=((([ADSI]”$_”).gplink) -replace “[[;]” -split “]”);for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host “Policy Path[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host “Policy Name[$i]:”([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output “`n” }} +``` + + + + + +