T1087 automated ad recon (ad recon) (#1004)

* write test

* update cleanup

* refer to input arg

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1087/T1087.yaml

@@ -196,3 +196,36 @@ atomic_tests:
     elevation_required: false
     command: |
       query user
+
+- name: Automated AD Recon (ADRecon)
+  description: |
+    ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its
+    path will be displayed.
+
+  supported_platforms:
+    - windows
+  
+  input_arguments:
+    adrecon_path:
+      description: Path of ADRecon.ps1 file
+      type: Path
+      default: $env:TEMP\ADRecon.ps1
+
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+       ADRecon must exist on disk at specified location (#{adrecon_path})
+      prereq_command: |
+        if (Test-Path #{adrecon_path}) {exit 0} else {exit 1}
+      get_prereq_command: |
+        Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile #{adrecon_path}
+
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      Invoke-Expression #{adrecon_path}
+    cleanup_command: |
+      Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null
+      Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse
+