diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 73cc43df..ae3e0d18 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -92069,6 +92069,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -92082,9 +92089,9 @@ discovery: New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: - command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -default -s - base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage - minpwdage minpwdlength pwdhistorylength pwdproperties + command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} + -default -s base lockoutduration lockoutthreshold lockoutobservationwindow + maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties ' name: command_prompt 
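Review bot: The new `optional_args` input is spliced into the `command_prompt` executor line verbatim and unquoted, so whatever an operator (or an automation config feeding the harness) supplies is parsed by cmd.exe before AdFind sees it — `&`, `|`, `>` and `%VAR%` are interpreted, not passed through as AdFind switches. The description should say so rather than only "Use -arg notation"; something like `description: Extra AdFind switches appended verbatim and unquoted to the command line (e.g. "-h dc01.corp.local"). Shell metacharacters are interpreted by the executor.` The field is also left as `default:` (YAML null) rather than `default: ""`; if the harness renders a null default as anything other than an empty string, that literal would land on the command line, so the explicit empty string is the safer spelling. Indexes/index.yaml looks like a generated roll-up of the per-technique yaml, so the wording and default belong in atomics/T1087.002/T1087.002.yaml, which is not in this chunk.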
@@ -92095,6 +92102,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -92109,6 +92123,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp + #{optional_args} ' name: command_prompt @@ -92119,6 +92134,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -92133,6 +92155,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) + #{optional_args} ' name: command_prompt 
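Review bot: `#{optional_args}` is appended after the fixed arguments in these two hunks (`-sc admincountdmp #{optional_args}`, `-f (objectcategory=person) #{optional_args}`) but prepended in the password-policy atomic in the previous hunk, so the same input value behaves differently across the AdFind tests. For the `-f` form this matters: as the LAPS atomic's `-f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime` shows, bare tokens after the filter are the attribute list, so an operator value that is not a `-switch` silently changes what the query returns instead of failing. Placing the placeholder first everywhere — `command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -f (objectcategory=person)'` — keeps the filter and any attribute list adjacent and makes the ordering uniform with the `-default -s base …`, `-gcb -sc trustdmp` and `-sc dclist` atomics. Since this index appears generated, the ordering should be fixed in atomics/T1087.002/T1087.002.yaml rather than here.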
@@ -92143,6 +92166,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -92157,6 +92187,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses + #{optional_args} ' name: command_prompt @@ -92406,13 +92437,19 @@ discovery: supported_platforms: - windows input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: domain: description: Domain of the host type: string default: "$env:USERDOMAIN" executor: - command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain} - -s subtree -f "objectclass=computer" * + command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} + -h #{domain} -s subtree -f "objectclass=computer" * ' cleanup_command: 
@@ -92425,13 +92462,19 @@ discovery: supported_platforms: - windows input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: domain: description: Domain of the host type: string default: "$env:USERDOMAIN" executor: - command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain} - -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime + command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} + -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime ' cleanup_command: @@ -93129,6 +93172,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -93144,6 +93194,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group) + #{optional_args} ' name: command_prompt 
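Review bot: The LAPS atomic's executor is PowerShell (`& "…AdFind.exe" #{optional_args} -h #{domain} …`, default `$env:USERDOMAIN`), so unlike the cmd-based atomics any `$name`, backtick or quote in the substituted value is expanded by PowerShell before AdFind runs, and a second `-h` supplied through `optional_args` would collide with the existing `-h #{domain}` — which one AdFind honours is not established here. Because this test returns `ms-Mcs-AdmPwd`, i.e. cleartext LAPS local-administrator passwords, the shared description is too generic: it should note that scope-widening switches (for example `-b` or `-gcb`) increase what is dumped, and that a host override should go through the existing `domain` input rather than `-h` in `optional_args`. A one-line addition such as `description: …  Do not pass -h here; use the domain input. Scope switches widen the set of LAPS passwords returned.` would cover it. The generated index mirrors atomics/T1087.002/T1087.002.yaml, where this should be applied.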
@@ -95891,6 +95942,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -95905,6 +95963,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) + #{optional_args} ' name: command_prompt @@ -96185,6 +96244,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) 
@@ -96199,6 +96265,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=organizationalUnit) + #{optional_args} ' name: command_prompt @@ -96209,6 +96276,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -96222,7 +96296,8 @@ discovery: New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: - command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -gcb -sc trustdmp + command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} + -gcb -sc trustdmp ' name: command_prompt 
@@ -98753,6 +98828,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -98767,6 +98849,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) + #{optional_args} ' name: command_prompt @@ -98777,6 +98860,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) 
@@ -98790,7 +98880,8 @@ discovery: New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: - command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc dclist + command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} + -sc dclist ' name: command_prompt diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index 3be34bf1..22dd450a 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml @@ -75471,6 +75471,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) 
@@ -75484,9 +75491,9 @@ discovery: New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: - command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -default -s - base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage - minpwdage minpwdlength pwdhistorylength pwdproperties + command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} + -default -s base lockoutduration lockoutthreshold lockoutobservationwindow + maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties ' name: command_prompt @@ -75497,6 +75504,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -75511,6 +75525,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp + #{optional_args} ' name: command_prompt 
@@ -75521,6 +75536,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -75535,6 +75557,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) + #{optional_args} ' name: command_prompt @@ -75545,6 +75568,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -75559,6 +75589,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses + #{optional_args} ' name: command_prompt 
@@ -75808,13 +75839,19 @@ discovery: supported_platforms: - windows input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: domain: description: Domain of the host type: string default: "$env:USERDOMAIN" executor: - command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain} - -s subtree -f "objectclass=computer" * + command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} + -h #{domain} -s subtree -f "objectclass=computer" * ' cleanup_command: @@ -75827,13 +75864,19 @@ discovery: supported_platforms: - windows input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: domain: description: Domain of the host type: string default: "$env:USERDOMAIN" executor: - command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain} - -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime + command: '& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} + -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime ' cleanup_command: 
@@ -76252,6 +76295,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -76267,6 +76317,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group) + #{optional_args} ' name: command_prompt @@ -77962,6 +78013,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -77976,6 +78034,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) + #{optional_args} ' name: command_prompt 
@@ -78236,6 +78295,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -78250,6 +78316,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=organizationalUnit) + #{optional_args} ' name: command_prompt @@ -78260,6 +78327,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) 
@@ -78273,7 +78347,8 @@ discovery: New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: - command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -gcb -sc trustdmp + command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} + -gcb -sc trustdmp ' name: command_prompt @@ -80227,6 +80302,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -80241,6 +80323,7 @@ discovery: Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) + #{optional_args} ' name: command_prompt 
@@ -80251,6 +80334,13 @@ discovery: reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows + input_arguments: + optional_args: + description: Allows defining arguments to add to the adfind command to tailor + it to the specific needs of the environment. Use "-arg" notation to add + arguments separated by spaces. + type: string + default: dependency_executor_name: powershell dependencies: - description: 'AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) @@ -80264,7 +80354,8 @@ discovery: New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: - command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc dclist + command: '"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} + -sc dclist ' name: command_prompt diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index 5f0431ae..9a713509 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -264,12 +264,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | | + #### Attack Commands: Run with `command_prompt`! ```cmd -"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) +"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args} ``` 
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index b3cd1cee..becca5c1 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -411,12 +411,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | | + #### Attack Commands: Run with `command_prompt`! ```cmd -"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) +"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args} ``` @@ -453,12 +458,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | | + #### Attack Commands: Run with `command_prompt`! ```cmd -"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc dclist +"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist ``` diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index aaeb2830..5e230c2e 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md 
@@ -291,12 +291,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | | + #### Attack Commands: Run with `command_prompt`! ```cmd -"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group) +"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group) #{optional_args} ``` diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index 169b1fdc..bd269f61 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -214,12 +214,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://social.techne +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | | + #### Attack Commands: Run with `command_prompt`! ```cmd -"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties +"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties ``` 
@@ -256,12 +261,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | | + #### Attack Commands: Run with `command_prompt`! ```cmd -"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp +"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args} ``` @@ -298,12 +308,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | | + #### Attack Commands: Run with `command_prompt`! ```cmd -"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) +"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args} ``` @@ -340,12 +355,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | | + #### Attack Commands: Run with `command_prompt`! ```cmd -"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses +"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args} ``` 
@@ -808,6 +828,7 @@ This test executes LDAP query using adfind command and lists all the attributes #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| +| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | | | domain | Domain of the host | string | $env:USERDOMAIN| @@ -815,7 +836,7 @@ This test executes LDAP query using adfind command and lists all the attributes ```powershell -& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain} -s subtree -f "objectclass=computer" * +& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" * ``` @@ -841,6 +862,7 @@ This test executes LDAP query using adfind command and lists Microsoft LAPS attr #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| +| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | | | domain | Domain of the host | string | $env:USERDOMAIN| @@ -848,7 +870,7 @@ This test executes LDAP query using adfind command and lists Microsoft LAPS attr ```powershell -& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime +& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime ``` diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md index 73cb5f79..20fede9d 100644 --- a/atomics/T1482/T1482.md +++ b/atomics/T1482/T1482.md 
@@ -164,12 +164,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | | + #### Attack Commands: Run with `command_prompt`! ```cmd -"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=organizationalUnit) +"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=organizationalUnit) #{optional_args} ``` @@ -206,12 +211,17 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | | + #### Attack Commands: Run with `command_prompt`! ```cmd -"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -gcb -sc trustdmp +"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -gcb -sc trustdmp ```