Merge branch 'master' into patch-4

atomics/Indexes/Indexes-CSV/index.csv

@@ -1528,6 +1528,7 @@ discovery,T1087.002,Account Discovery: Domain Account,20,Suspicious LAPS Attribu
 discovery,T1087.002,Account Discovery: Domain Account,21,Suspicious LAPS Attributes Query with adfind all properties,abf00f6c-9983-4d9a-afbc-6b1c6c6448e1,powershell
 discovery,T1087.002,Account Discovery: Domain Account,22,Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd,51a98f96-0269-4e09-a10f-e307779a8b05,powershell
 discovery,T1087.002,Account Discovery: Domain Account,23,Active Directory Domain Search,096b6d2a-b63f-4100-8fa0-525da4cd25ca,sh
+discovery,T1087.002,Account Discovery: Domain Account,24,Account Enumeration with LDAPDomainDump,a54d497e-8dbe-4558-9895-44944baa395f,sh
 discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
 discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
 discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -314,6 +314,7 @@ credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.pas
 credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",5,"Access /etc/{shadow,passwd,master.passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,sh
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 discovery,T1087.002,Account Discovery: Domain Account,23,Active Directory Domain Search,096b6d2a-b63f-4100-8fa0-525da4cd25ca,sh
+discovery,T1087.002,Account Discovery: Domain Account,24,Account Enumeration with LDAPDomainDump,a54d497e-8dbe-4558-9895-44944baa395f,sh
 discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
 discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
 discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh

atomics/Indexes/Indexes-Markdown/index.md

@@ -2163,6 +2163,7 @@
   - Atomic Test #21: Suspicious LAPS Attributes Query with adfind all properties [windows]
   - Atomic Test #22: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd [windows]
   - Atomic Test #23: Active Directory Domain Search [linux]
+  - Atomic Test #24: Account Enumeration with LDAPDomainDump [linux]
 - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
   - Atomic Test #1: Enumerate all accounts (Local) [linux]
   - Atomic Test #2: View sudoers access [linux, macos]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -604,6 +604,7 @@
 - T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
   - Atomic Test #23: Active Directory Domain Search [linux]
+  - Atomic Test #24: Account Enumeration with LDAPDomainDump [linux]
 - [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
   - Atomic Test #1: Enumerate all accounts (Local) [linux]
   - Atomic Test #2: View sudoers access [linux, macos]

atomics/Indexes/index.yaml

@@ -91473,6 +91473,49 @@ discovery:
 
           '
         name: sh
+    - name: Account Enumeration with LDAPDomainDump
+      auto_generated_guid: a54d497e-8dbe-4558-9895-44944baa395f
+      description: |
+        This test uses LDAPDomainDump to perform account enumeration on a domain.
+        [Reference](https://securityonline.info/ldapdomaindump-active-directory-information-dumper-via-ldap/)
+      supported_platforms:
+      - linux
+      input_arguments:
+        username:
+          description: Username and domain to authenticate with
+          type: string
+          default: domain\user
+        target_ip:
+          description: IP to connect to
+          type: string
+          default: 127.0.0.1
+        password:
+          description: Password to authenticate with
+          type: string
+          default: password
+      dependency_executor_name: sh
+      dependencies:
+      - description: Python3 must be installed
+        prereq_command: if [ -x "$(command -v python3 --version)" ]; then exit 0;
+          else exit 1; fi;
+        get_prereq_command: sudo apt-get -y install python3
+      - description: Pip must be installed
+        prereq_command: if [ -x "$(command -v pip --version)" ]; then exit 0; else
+          exit 1; fi;
+        get_prereq_command: |-
+          wget -O /tmp/get-pip.py https://bootstrap.pypa.io/pip/3.6/get-pip.py
+          python3 /tmp/get-pip.py
+      - description: The ldapdomaindump module must be installed
+        prereq_command: python3 -c 'import ldapdomaindump' 2>/dev/null
+        get_prereq_command: pip install ldapdomaindump
+      - description: The future module must be installed
+        prereq_command: python3 -c 'import future' 2>/dev/null
+        get_prereq_command: pip install future
+      executor:
+        command: 'ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087'
+        cleanup_command: "rm -rf /tmp/T1087/ 2>/dev/null \n"
+        name: sh
+        elevation_required: false
   T1087.001:
     technique:
       modified: '2023-04-13T17:20:22.867Z'

atomics/Indexes/linux-index.yaml

@@ -55795,6 +55795,49 @@ discovery:
 
           '
         name: sh
+    - name: Account Enumeration with LDAPDomainDump
+      auto_generated_guid: a54d497e-8dbe-4558-9895-44944baa395f
+      description: |
+        This test uses LDAPDomainDump to perform account enumeration on a domain.
+        [Reference](https://securityonline.info/ldapdomaindump-active-directory-information-dumper-via-ldap/)
+      supported_platforms:
+      - linux
+      input_arguments:
+        username:
+          description: Username and domain to authenticate with
+          type: string
+          default: domain\user
+        target_ip:
+          description: IP to connect to
+          type: string
+          default: 127.0.0.1
+        password:
+          description: Password to authenticate with
+          type: string
+          default: password
+      dependency_executor_name: sh
+      dependencies:
+      - description: Python3 must be installed
+        prereq_command: if [ -x "$(command -v python3 --version)" ]; then exit 0;
+          else exit 1; fi;
+        get_prereq_command: sudo apt-get -y install python3
+      - description: Pip must be installed
+        prereq_command: if [ -x "$(command -v pip --version)" ]; then exit 0; else
+          exit 1; fi;
+        get_prereq_command: |-
+          wget -O /tmp/get-pip.py https://bootstrap.pypa.io/pip/3.6/get-pip.py
+          python3 /tmp/get-pip.py
+      - description: The ldapdomaindump module must be installed
+        prereq_command: python3 -c 'import ldapdomaindump' 2>/dev/null
+        get_prereq_command: pip install ldapdomaindump
+      - description: The future module must be installed
+        prereq_command: python3 -c 'import future' 2>/dev/null
+        get_prereq_command: pip install future
+      executor:
+        command: 'ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087'
+        cleanup_command: "rm -rf /tmp/T1087/ 2>/dev/null \n"
+        name: sh
+        elevation_required: false
   T1087.001:
     technique:
       modified: '2023-04-13T17:20:22.867Z'

atomics/T1087.002/T1087.002.md

@@ -52,6 +52,8 @@ Commands such as <code>net user /domain</code> and <code>net group /domain</code
 
 - [Atomic Test #23 - Active Directory Domain Search](#atomic-test-23---active-directory-domain-search)
 
+- [Atomic Test #24 - Account Enumeration with LDAPDomainDump](#atomic-test-24---account-enumeration-with-ldapdomaindump)
+
 
 <br/>
 
@@ -902,4 +904,84 @@ echo ldapsearch not found
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #24 - Account Enumeration with LDAPDomainDump
+This test uses LDAPDomainDump to perform account enumeration on a domain.
+[Reference](https://securityonline.info/ldapdomaindump-active-directory-information-dumper-via-ldap/)
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** a54d497e-8dbe-4558-9895-44944baa395f
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Username and domain to authenticate with | string | domain&#92;user|
+| target_ip | IP to connect to | string | 127.0.0.1|
+| password | Password to authenticate with | string | password|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
+```
+
+#### Cleanup Commands:
+```sh
+rm -rf /tmp/T1087/ 2>/dev/null
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: Python3 must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v python3 --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install python3
+```
+##### Description: Pip must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v pip --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+wget -O /tmp/get-pip.py https://bootstrap.pypa.io/pip/3.6/get-pip.py
+python3 /tmp/get-pip.py
+```
+##### Description: The ldapdomaindump module must be installed
+##### Check Prereq Commands:
+```sh
+python3 -c 'import ldapdomaindump' 2>/dev/null
+```
+##### Get Prereq Commands:
+```sh
+pip install ldapdomaindump
+```
+##### Description: The future module must be installed
+##### Check Prereq Commands:
+```sh
+python3 -c 'import future' 2>/dev/null
+```
+##### Get Prereq Commands:
+```sh
+pip install future
+```
+
+
+
+
 <br/>

atomics/T1087.002/T1087.002.yaml

@@ -425,3 +425,45 @@ atomic_tests:
     command: |
       ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
     name: sh
+- name: Account Enumeration with LDAPDomainDump
+  auto_generated_guid: a54d497e-8dbe-4558-9895-44944baa395f
+  description: |
+    This test uses LDAPDomainDump to perform account enumeration on a domain.
+    [Reference](https://securityonline.info/ldapdomaindump-active-directory-information-dumper-via-ldap/)
+  supported_platforms:
+  - linux
+  input_arguments:
+    username:
+      description: Username and domain to authenticate with
+      type: string
+      default: domain\user
+    target_ip:
+      description: IP to connect to
+      type: string
+      default: 127.0.0.1
+    password:
+      description: Password to authenticate with
+      type: string
+      default: password
+  dependency_executor_name: sh
+  dependencies:
+  - description: Python3 must be installed
+    prereq_command: if [ -x "$(command -v python3 --version)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: sudo apt-get -y install python3
+  - description: Pip must be installed
+    prereq_command: if [ -x "$(command -v pip --version)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |-
+      wget -O /tmp/get-pip.py https://bootstrap.pypa.io/pip/3.6/get-pip.py
+      python3 /tmp/get-pip.py
+  - description: The ldapdomaindump module must be installed
+    prereq_command: python3 -c 'import ldapdomaindump' 2>/dev/null
+    get_prereq_command: pip install ldapdomaindump
+  - description: The future module must be installed
+    prereq_command: python3 -c 'import future' 2>/dev/null
+    get_prereq_command: pip install future
+  executor:
+    command: 'ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087'
+    cleanup_command: |
+      rm -rf /tmp/T1087/ 2>/dev/null 
+    name: sh
+    elevation_required: false

atomics/used_guids.txt

@@ -1508,3 +1508,4 @@ eb5adf16-b601-4926-bca7-dad22adffb37
 88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6
 e544bbcb-c4e0-4bd0-b614-b92131635f59
 c26fb85a-fa50-4fab-a64a-c51f5dc538d5
+a54d497e-8dbe-4558-9895-44944baa395f