From b52d11fd82659c36441add667dbaf504c1fa429d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Notin?=
Date: Thu, 25 Jun 2020 23:43:24 +0200
Subject: [PATCH] T1482: add PowerView dependency & RSAT notes (#1041)
Co-authored-by: Carrie Roberts
---
 atomics/T1482/T1482.yaml | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/atomics/T1482/T1482.yaml b/atomics/T1482/T1482.yaml
index 39487e1a..1934b788 100644
--- a/atomics/T1482/T1482.yaml
+++ b/atomics/T1482/T1482.yaml
@@ -20,6 +20,13 @@ atomic_tests: This technique has been used by the Trickbot malware family. supported_platforms: - windows + dependencies: + - description: | nltest.exe from RSAT must be present on disk + prereq_command: | WHERE nltest.exe >NUL 2>&1 + get_prereq_command: | echo Sorry RSAT must be installed manually executor: command: | nltest /domain_trusts 
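Review bot: The new dependency text `nltest.exe from RSAT must be present on disk` is accurate for client editions but misleading for Windows Server, where nltest.exe ships in System32 and no RSAT install is needed; suggest `nltest.exe must be present on disk (built into Windows Server, part of RSAT on client editions)`. The check `WHERE nltest.exe >NUL 2>&1` only confirms the binary is reachable via PATH, not merely present somewhere on disk, so the description should say "on PATH" to match what is actually tested. The `echo` in get_prereq_command exits 0, which is harmless if the harness re-evaluates prereq_command afterwards but would read as a successfully resolved dependency otherwise.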
@@ -27,11 +34,27 @@ atomic_tests: - name: Powershell enumerate domains and forests auto_generated_guid: c58fbc62-8a62-489e-8f2d-3565d7d96f30 description: | - Use powershell to enumerate AD information + Use powershell to enumerate AD information. + Requires the installation of PowerShell AD admin cmdlets via Windows RSAT or the Windows Server AD DS role. supported_platforms: - windows + dependency_executor_name: powershell + dependencies: + - description: | + PowerView PowerShell script must exist on disk + prereq_command: | + if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "$env:TEMP\PowerView.ps1" + - description: | + RSAT PowerShell AD admin cmdlets must be installed + prereq_command: | + if ((Get-Command "Get-ADDomain") -And (Get-Command "Get-ADGroupMember")) { exit 0 } else { exit 1 } + get_prereq_command: | + Write-Host "Sorry RSAT must be installed manually" executor: command: | + Import-Module "$env:TEMP\PowerView.ps1" Get-NetDomainTrust Get-NetForestTrust Get-ADDomain
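Review bot: The PowerView prerequisite only checks that `$env:TEMP\PowerView.ps1` exists, and the executor then runs that file via `Import-Module`, so any file of that name in the user-writable temp directory satisfies the check and is executed without verification; since the download is already pinned to a commit, the prereq could pin content too, e.g. `if ((Test-Path $env:TEMP\PowerView.ps1) -and ((Get-FileHash $env:TEMP\PowerView.ps1).Hash -eq "<EXPECTED_SHA256>")) {exit 0} else {exit 1}` with the hash taken from the pinned revision. The RSAT prereq's `Get-Command "Get-ADDomain"` writes a CommandNotFound error to the error stream when the module is absent, which a harness may report as the check itself failing rather than a clean exit 1; adding `-ErrorAction SilentlyContinue` to both Get-Command calls limits the output to the intended exit code. The updated description mentions the RSAT requirement but not the PowerView download that get_prereq_command now performs; a sentence like `Also downloads PowerView.ps1 from a pinned PowerSploit commit into $env:TEMP.` would make the test's network and disk footprint explicit for anyone running or detecting it.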