Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2023-12-27 17:58:55 +00:00
parent 06ebf05785
commit e1164d3054
7 changed files with 264 additions and 30 deletions
+100 -9
@@ -92069,6 +92069,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -92082,9 +92089,9 @@ discovery:
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -default -s
base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage
minpwdage minpwdlength pwdhistorylength pwdproperties
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args}
-default -s base lockoutduration lockoutthreshold lockoutobservationwindow
maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
'
name: command_prompt
@@ -92095,6 +92102,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -92109,6 +92123,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp
#{optional_args}
'
name: command_prompt
@@ -92119,6 +92134,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -92133,6 +92155,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person)
#{optional_args}
'
name: command_prompt
@@ -92143,6 +92166,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -92157,6 +92187,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses
#{optional_args}
'
name: command_prompt
@@ -92406,13 +92437,19 @@ discovery:
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
domain:
description: Domain of the host
type: string
default: "$env:USERDOMAIN"
executor:
command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain}
-s subtree -f "objectclass=computer" *
command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args}
-h #{domain} -s subtree -f "objectclass=computer" *
'
cleanup_command:
@@ -92425,13 +92462,19 @@ discovery:
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
domain:
description: Domain of the host
type: string
default: "$env:USERDOMAIN"
executor:
command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain}
-s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args}
-h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
'
cleanup_command:
@@ -93129,6 +93172,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -93144,6 +93194,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group)
#{optional_args}
'
name: command_prompt
@@ -95891,6 +95942,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -95905,6 +95963,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet)
#{optional_args}
'
name: command_prompt
@@ -96185,6 +96244,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -96199,6 +96265,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=organizationalUnit)
#{optional_args}
'
name: command_prompt
@@ -96209,6 +96276,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -96222,7 +96296,8 @@ discovery:
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -gcb -sc trustdmp
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args}
-gcb -sc trustdmp
'
name: command_prompt
@@ -98753,6 +98828,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -98767,6 +98849,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer)
#{optional_args}
'
name: command_prompt
@@ -98777,6 +98860,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -98790,7 +98880,8 @@ discovery:
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc dclist
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args}
-sc dclist
'
name: command_prompt
+100 -9
@@ -75471,6 +75471,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -75484,9 +75491,9 @@ discovery:
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -default -s
base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage
minpwdage minpwdlength pwdhistorylength pwdproperties
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args}
-default -s base lockoutduration lockoutthreshold lockoutobservationwindow
maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
'
name: command_prompt
@@ -75497,6 +75504,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -75511,6 +75525,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp
#{optional_args}
'
name: command_prompt
@@ -75521,6 +75536,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -75535,6 +75557,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person)
#{optional_args}
'
name: command_prompt
@@ -75545,6 +75568,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -75559,6 +75589,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses
#{optional_args}
'
name: command_prompt
@@ -75808,13 +75839,19 @@ discovery:
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
domain:
description: Domain of the host
type: string
default: "$env:USERDOMAIN"
executor:
command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain}
-s subtree -f "objectclass=computer" *
command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args}
-h #{domain} -s subtree -f "objectclass=computer" *
'
cleanup_command:
@@ -75827,13 +75864,19 @@ discovery:
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
domain:
description: Domain of the host
type: string
default: "$env:USERDOMAIN"
executor:
command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain}
-s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args}
-h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
'
cleanup_command:
@@ -76252,6 +76295,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -76267,6 +76317,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group)
#{optional_args}
'
name: command_prompt
@@ -77962,6 +78013,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -77976,6 +78034,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet)
#{optional_args}
'
name: command_prompt
@@ -78236,6 +78295,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -78250,6 +78316,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=organizationalUnit)
#{optional_args}
'
name: command_prompt
@@ -78260,6 +78327,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -78273,7 +78347,8 @@ discovery:
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -gcb -sc trustdmp
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args}
-gcb -sc trustdmp
'
name: command_prompt
@@ -80227,6 +80302,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -80241,6 +80323,7 @@ discovery:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer)
#{optional_args}
'
name: command_prompt
@@ -80251,6 +80334,13 @@ discovery:
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor
it to the specific needs of the environment. Use "-arg" notation to add
arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
@@ -80264,7 +80354,8 @@ discovery:
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc dclist
command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args}
-sc dclist
'
name: command_prompt
+6 -1
@@ -264,12 +264,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet)
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}
```
+12 -2
@@ -411,12 +411,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer)
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}
```
@@ -453,12 +458,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc dclist
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist
```
+6 -1
@@ -291,12 +291,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group)
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group) #{optional_args}
```
+28 -6
@@ -214,12 +214,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://social.techne
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
```
@@ -256,12 +261,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
```
@@ -298,12 +308,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person)
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
```
@@ -340,12 +355,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
```
@@ -808,6 +828,7 @@ This test executes LDAP query using adfind command and lists all the attributes
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
| domain | Domain of the host | string | $env:USERDOMAIN|
@@ -815,7 +836,7 @@ This test executes LDAP query using adfind command and lists all the attributes
```powershell
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
```
@@ -841,6 +862,7 @@ This test executes LDAP query using adfind command and lists Microsoft LAPS attr
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
| domain | Domain of the host | string | $env:USERDOMAIN|
@@ -848,7 +870,7 @@ This test executes LDAP query using adfind command and lists Microsoft LAPS attr
```powershell
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
```
+12 -2
@@ -164,12 +164,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=organizationalUnit)
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=organizationalUnit) #{optional_args}
```
@@ -206,12 +211,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -gcb -sc trustdmp
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -gcb -sc trustdmp
```