Unclear PathToAtomicsFolder variable usage

[ablescia]

I have a problem when I try to run the atomic T1087.002(Account Discovery: Domain Account) test. This atomic uses the ADFind tool to enumerate the domain accounts.

I installed on the target machine (where is installed also the sandcat agent) the atomic-red-team atomics at C:\AtomicRedTeam\atomics path.

Using caldera, I configured the ability with the PathToAtomicsFolder\T1087.002\bin\AdFind.exe -sc admincountdmp command but when I ran the command I received the The system cannot find the path specified. error message.

In fact, using the ProcMon tool on the target machine I saw that the sandcat agent ran the wrong command cmd.exe /C PathToAtomicsFolder\T1087.002\bin\AdFind.exe -sc admincountdmp otherwise cmd.exe /C C:\AtomicRedTeam\atomics\T1087.002\bin\AdFind.exe -sc admincountdmp.

Why caldera doesn't apply the variable substitution? Where I'm wrong? I want to use this feature to avoid to use the absolute path.

P.S.: If I write the command with the absolute path, it works perfectly.
P.S.: I have read the documentation about this variable in the README file but I can't solve my problem.

Regards,

[ablescia]

Update: I added Adfind.exe to the payloads folder of the atomic plugin. After that, I changed the ability by selecting AdFind.exe from the payloads list and updated the command with .\AdFind.exe -sc admincountdmp.

In this case I'm not use the PathToAtomicsFolder variable but it works. Is this the correct way?

Thanks.

[clenk]

Hi @ablescia, apologies for the delayed response. See from the readme that this plugin only resolves "$PathToAtomicsFolder usages pointing to an existing file[s]". So if AdFind.exe doesn't exist there yet, that might be causing the issue. This comment on another issue suggests you have to run the preqeq commands before this plugin would work.