* Added the "-c" option to adfind commands. This will cause it to print a
count of the returned objects instead of the actual objects. This is
very useful for large environments and allows it to run quicker without
actually exposing any sensitive information.
* Adding the code to allow specifying optional arguments at runtime instead of hardcoding the -c to allow more flexibility per this request:
https://github.com/redcanaryco/atomic-red-team/pull/2645#pullrequestreview-1795339526
---------
Co-authored-by: dwhite <n/a>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: dwhite9 <n@a>
* rearrange to have success exit code
* default to current user
* Update T1069.002.yaml
---------
Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com>
* adding linux client test to T1069.002 AD tests
* changed prereq for packages
* temp removing prereq
* adding first prereq
* prereq fails
* trying elevated permissions
* alright, no prereq
* Revert "temp removing prereq"
This reverts commit 3bc8ef5fb22dc09fa1ca2ad5282cbdbaf55280de.
* should work now
* removing prereq entirely
* correct dependency_executor
* adding prereq check for all packages
* adding input arg for password
* changing command to autoinclude password
* back to original command, starting work on 1078
* back to original command, starting work on 1078
* putting echo on command for runner to see arguments supplied
* continuing work on 1078
* first attempt at T1078.002
* removed extraneous code
* temp remove cleanup
* removed flag on echo
* updated first command
* updating input variable ref
* removing flag again
* updating ou
* attempting to change ou to cn
* new uid
* explicitly defining dc
* more attempts
* changed uid
* removed first uid
* trying without num
* changing cn back to ou
* change case
* fixed dc
* removing second dc ref
* following IBM guide
* removed extraneous space
* space between userpassword
* reintroducing dc
* added echo
* trying something new
* updated echo
* adding back admin user input
* attempting default
* trying add to previous group
* revert back to just admin user
* missed #
* adding back -x
* making ou and cn match
* attempting to match search style
* removing space
* improved formatting
* simplified
* replacing authentication
* -D object
* reintroduced admin user
* fixed top level domain
* return to old
* holding breath
* setting user to just person type
* removing uid from front
* changing dc
* trying to update cn
* update cn
* changing to object form... again
* chat gpt wrote this
* added cleanup
* updating command
* removed space
* added space
* revert from object
* looking into issues with cleanup command being unable to find user (yet it already exists)
* changed ldapdelete to ldapmodify
* updating temporary user name
* fixing typo in cleanup command
* creating new yaml file for T1136, similar to T1078. Future plans to modify T1078.002 to either run a process or elevate a user
* first attempt at creating domain admin
* changing CN to Domain Admins
* improved formatting (getting error 32)
* changing ldif file echo
* ldapadd to ldapmodify
* adding domain admins domain if it doesn't exist
* redo formatting
* removing create domain admin group
* trying ldapadd again
* updating prereq commands, removing admin requirement from ldapsearches
* small changes to search parameters
* changed Domains search to search for Domain Users
* added objectClass=group flag
* separating flag from string
* removing T1078, to be done in future
* added {cleartext} to admin password
* restoring deleted file. My antivirus really hates this file...
* update for spec
* update to spec
* adding name to atomic test
* moved from deprecated -h -p flags to -H flag
* fix cleanup commands with same flag changes
* add ldap://
* removing unused input variable, domain controller
* final commit, all tests passed with -H, updating the desc of T1136.002/4
---------
Co-authored-by: Hare Sudhan <code@0x6c.dev>
* fix: Updating atomics YAML file structure to align with the new JSON schema definition.
This also fixes some white space issues and general line formatting across all impacted atomics.
* fix: One additional change needed
---------
Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* Updated format of input_argument types for Url
* Updated type for input_arguments to Url (missed)
* Updating Path type for input_arguments
* Updated String type for input_arguments
* Missed a few Strings and Url types
* Updated default values for input_arguments to align with their types
* Updated Integer type for input_arguments
* Updated formatting and spacing of atomics
* Update T1204.002.md
Added lines to each test using IWR (Invoke-WebRequest) to set the acceptable TLS versions so the commands complete successfully, by prepending the tests with
`[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12`
* Update T1555.yaml
added line to set ssl/tls version
* Update T1134.001.yaml
updated IWR lines to allow ssl/tls version 1.2
* Update T1069.002.yaml
added lines to every IWR instance to set ssl/tls version to 1.2
* Update T1558.003.yaml
added line to allow TLS/SSL 1.2
* Update T1033.yaml
added command to enable SSL/TLS v1.2
* Update T1055.012.yaml
added command to enable TLS/SSL v1.2
* Update T1115.yaml
Added command to enable SSL/TLS v1.2
* Update T1070.001.yaml
added command enabling SSL/TLS v 1.2
* Update T1564.yaml
added commands to enable SSL/TLS v 1.2
* Update T1566.001.yaml
added command to enable SSL/TLS V1.2
* Update T1135.yaml
added command to enable SSL/TLS v1.2
* Update T1055.yaml
added commands to enable TLS/SSL v 1.2
* Update T1110.003.yaml
added command to enable TLS/SSL v1.2
* Update T1003.yaml
Added command to enable TLS/SSL v1.2
* Update T1053.005.yaml
added command to enable TLS/SSL v1.2
* Update T1003.001.yaml
added commands to enable TLS/SSL v1.2 for any command using invoke-webrequest
* Update T1069.002.yaml
syntax correction
* Update T1134.001.yaml
syntax correction
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
* spelling update and new test
minor spelling update and adding in test for enterprise admins group enumeration
* couple more syntax updates
couple more syntax updates
* Updating cmdline abbreviation
these are valid cmdline abbreviations. I was too quick to update :)
* Clean up swp
cleaning up swap file
* putting back original discovery commands
* one last change
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Ransomware actors leverage adfind to perform Active Directory recon. These tests cover most of the behaviors observed via public threat intelligence sources
Co-authored-by: Jimmy Astle <jastle@vmware.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>