adam/atomic-red-team-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
atomic-red-team-gs/atomics/T1016/T1016.yaml
T
dwhite9 06ebf05785 Added the "-c" option to adfind commands. (#2645) 
* Added the "-c" option to adfind commands. This will cause it to print a
count of the returned objects instead of the actual objects. This is
very useful for large environments and allows it run quicker without
actually exposing any sensitive information.

* Adding the code to allow specifying optional arguments at runtime instead of hardcoding the -c to allow more flexibility per this request:
https://github.com/redcanaryco/atomic-red-team/pull/2645#pullrequestreview-1795339526

---------

Co-authored-by: dwhite <n/a>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
Co-authored-by: dwhite9 <n@a>
2023-12-27 11:58:02 -06:00

209 lines
9.6 KiB
YAML
Raw Permalink Blame History

attack_technique: T1016
display_name: System Network Configuration Discovery
atomic_tests:
- name: System Network Configuration Discovery on Windows
auto_generated_guid: 970ab6a1-0157-4f3f-9a73-ec4166754b23
description: |
Identify network configuration information
Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
supported_platforms:
- windows
executor:
command: |
ipconfig /all
netsh interface show interface
arp -a
nbtstat -n
net config
name: command_prompt
- name: List Windows Firewall Rules
auto_generated_guid: 038263cb-00f4-4b0a-98ae-0696c67e1752
description: |
Enumerates Windows Firewall Rules using netsh.
Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
supported_platforms:
- windows
executor:
command: |
netsh advfirewall firewall show rule name=all
name: command_prompt
- name: System Network Configuration Discovery
auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17
description: |
Identify network configuration information.
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
supported_platforms:
- macos
- linux
dependency_executor_name: sh
dependencies:
- description: |
Check if arp command exists on the machine
prereq_command: |
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
(which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)
executor:
command: |
if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
name: sh
- name: System Network Configuration Discovery (TrickBot Style)
auto_generated_guid: dafaf052-5508-402d-bf77-51e0700c02e2
description: |
Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.
supported_platforms:
- windows
executor:
command: |
ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts
name: command_prompt
- name: List Open Egress Ports
auto_generated_guid: 4b467538-f102-491d-ace7-ed487b853bf5
description: |
This is to test for what ports are open outbound. The technique used was taken from the following blog:
https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.
supported_platforms:
- windows
input_arguments:
output_file:
description: Path of file to write port scan results
type: path
default: $env:USERPROFILE\Desktop\open-ports.txt
portfile_url:
description: URL to top-128.txt
type: url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt
port_file:
description: The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap.
type: path
default: PathToAtomicsFolder\T1016\src\top-128.txt
dependency_executor_name: powershell
dependencies:
- description: |
Test requires #{port_file} to exist
prereq_command: |
if (Test-Path "#{port_file}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{port_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
executor:
command: |
$ports = Get-content "#{port_file}"
$file = "#{output_file}"
$totalopen = 0
$totalports = 0
New-Item $file -Force
foreach ($port in $ports) {
$test = new-object system.Net.Sockets.TcpClient
$wait = $test.beginConnect("allports.exposed", $port, $null, $null)
$wait.asyncwaithandle.waitone(250, $false) | Out-Null
$totalports++ | Out-Null
if ($test.Connected) {
$result = "$port open"
Write-Host -ForegroundColor Green $result
$result | Out-File -Encoding ASCII -append $file
$totalopen++ | Out-Null
}
else {
$result = "$port closed"
Write-Host -ForegroundColor Red $result
$totalclosed++ | Out-Null
$result | Out-File -Encoding ASCII -append $file
}
}
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
$results | Out-File -Encoding ASCII -append $file
Write-Host $results
cleanup_command: |
Remove-Item -ErrorAction ignore "#{output_file}"
name: powershell
- name: Adfind - Enumerate Active Directory Subnet Objects
auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee
description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
- windows
input_arguments:
optional_args:
description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: |
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
prereq_command: |
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
executor:
command: |
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}
name: command_prompt
- name: Qakbot Recon
auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b
description: A list of commands known to be performed by Qakbot for recon purposes
supported_platforms:
- windows
input_arguments:
recon_commands:
description: File that houses list of commands to be executed
type: path
default: PathToAtomicsFolder\T1016\src\qakbot.bat
dependency_executor_name: powershell
dependencies:
- description: |
File to copy must exist on disk at specified location (#{recon_commands})
prereq_command: |
if (Test-Path "#{recon_commands}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path "#{recon_commands}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/qakbot.bat" -OutFile "#{recon_commands}"
executor:
command: |
"#{recon_commands}"
name: command_prompt
- name: List macOS Firewall Rules
auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88
description: |
"This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows.
Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user.
Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.
supported_platforms:
- macos
executor:
command: |
sudo defaults read /Library/Preferences/com.apple.alf
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
name: bash
elevation_required: true
- name: DNS Server Discovery Using nslookup
auto_generated_guid: 34557863-344a-468f-808b-a1bfb89b4fa9
description: |
Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by qakbot malware to gather information on the domain
controller of the targeted or compromised host. reference https://securelist.com/qakbot-technical-analysis/103931/
supported_platforms:
- windows
executor:
command: |
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%
name: command_prompt
Reference in New Issue View Git Blame Copy Permalink