atomic-red-team/atomics/T1016/T1016.md

# T1016 - System Network Configuration Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016)
<blockquote>

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).

Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion ) On ESXi, adversaries may leverage esxcli to gather network configuration information. For example, the command `esxcli network nic list` will retrieve the MAC address, while `esxcli network ip interface ipv4 get` will retrieve the local IPv4 address.(Citation: Trellix Rnasomhouse 2024)

Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. 

</blockquote>

## Atomic Tests

- [Atomic Test #1 - System Network Configuration Discovery on Windows](#atomic-test-1---system-network-configuration-discovery-on-windows)

- [Atomic Test #2 - List Windows Firewall Rules](#atomic-test-2---list-windows-firewall-rules)

- [Atomic Test #3 - System Network Configuration Discovery](#atomic-test-3---system-network-configuration-discovery)

- [Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)](#atomic-test-4---system-network-configuration-discovery-trickbot-style)

- [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports)

- [Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects](#atomic-test-6---adfind---enumerate-active-directory-subnet-objects)

- [Atomic Test #7 - Qakbot Recon](#atomic-test-7---qakbot-recon)

- [Atomic Test #8 - List macOS Firewall Rules](#atomic-test-8---list-macos-firewall-rules)

- [Atomic Test #9 - DNS Server Discovery Using nslookup](#atomic-test-9---dns-server-discovery-using-nslookup)


<br/>

## Atomic Test #1 - System Network Configuration Discovery on Windows
Identify network configuration information

Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.

**Supported Platforms:** Windows


**auto_generated_guid:** 970ab6a1-0157-4f3f-9a73-ec4166754b23






#### Attack Commands: Run with `command_prompt`! 


```cmd
ipconfig /all
netsh interface show interface
arp -a
nbtstat -n
net config
```






<br/>
<br/>

## Atomic Test #2 - List Windows Firewall Rules
Enumerates Windows Firewall Rules using netsh.

Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.

**Supported Platforms:** Windows


**auto_generated_guid:** 038263cb-00f4-4b0a-98ae-0696c67e1752






#### Attack Commands: Run with `command_prompt`! 


```cmd
netsh advfirewall firewall show rule name=all
```






<br/>
<br/>

## Atomic Test #3 - System Network Configuration Discovery
Identify network configuration information.
Upon successful execution, sh will spawn multiple commands and output will be via stdout.

**Supported Platforms:** macOS, Linux


**auto_generated_guid:** c141bbdb-7fca-4254-9fd6-f47e79447e17






#### Attack Commands: Run with `sh`! 


```sh
if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
```




#### Dependencies:  Run with `sh`!
##### Description: Check if arp command exists on the machine
##### Check Prereq Commands:
```sh
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
(which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)
```




<br/>
<br/>

## Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)
Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/

Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.

**Supported Platforms:** Windows


**auto_generated_guid:** dafaf052-5508-402d-bf77-51e0700c02e2






#### Attack Commands: Run with `command_prompt`! 


```cmd
ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts
```






<br/>
<br/>

## Atomic Test #5 - List Open Egress Ports
This is to test for what ports are open outbound.  The technique used was taken from the following blog:
https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/

Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.

**Supported Platforms:** Windows


**auto_generated_guid:** 4b467538-f102-491d-ace7-ed487b853bf5





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to write port scan results | path | $env:USERPROFILE&#92;Desktop&#92;open-ports.txt|
| portfile_url | URL to top-128.txt | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt|
| port_file | The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. | path | PathToAtomicsFolder&#92;T1016&#92;src&#92;top-128.txt|


#### Attack Commands: Run with `powershell`! 


```powershell
$ports = Get-content "#{port_file}"
$file = "#{output_file}"
$totalopen = 0
$totalports = 0
New-Item $file -Force
foreach ($port in $ports) {
    $test = new-object system.Net.Sockets.TcpClient
    $wait = $test.beginConnect("allports.exposed", $port, $null, $null)
    $wait.asyncwaithandle.waitone(250, $false) | Out-Null
    $totalports++ | Out-Null
    if ($test.Connected) {
        $result = "$port open" 
        Write-Host -ForegroundColor Green $result
        $result | Out-File -Encoding ASCII -append $file
        $totalopen++ | Out-Null
    }
    else {
        $result = "$port closed" 
        Write-Host -ForegroundColor Red $result
        $totalclosed++ | Out-Null
        $result | Out-File -Encoding ASCII -append $file
    }
}
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
$results | Out-File -Encoding ASCII -append $file
Write-Host $results
```

#### Cleanup Commands:
```powershell
Remove-Item -ErrorAction ignore "#{output_file}"
```



#### Dependencies:  Run with `powershell`!
##### Description: Test requires #{port_file} to exist
##### Check Prereq Commands:
```powershell
if (Test-Path "#{port_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{port_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
```




<br/>
<br/>

## Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

**Supported Platforms:** Windows


**auto_generated_guid:** 9bb45dd7-c466-4f93-83a1-be30e56033ee





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |


#### Attack Commands: Run with `command_prompt`! 


```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}
```




#### Dependencies:  Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```




<br/>
<br/>

## Atomic Test #7 - Qakbot Recon
A list of commands known to be performed by Qakbot for recon purposes

**Supported Platforms:** Windows


**auto_generated_guid:** 121de5c6-5818-4868-b8a7-8fd07c455c1b





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| recon_commands | File that houses list of commands to be executed | path | PathToAtomicsFolder&#92;T1016&#92;src&#92;qakbot.bat|


#### Attack Commands: Run with `command_prompt`! 


```cmd
"#{recon_commands}"
```




#### Dependencies:  Run with `powershell`!
##### Description: File to copy must exist on disk at specified location (#{recon_commands})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{recon_commands}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{recon_commands}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/qakbot.bat" -OutFile "#{recon_commands}"
```




<br/>
<br/>

## Atomic Test #8 - List macOS Firewall Rules
"This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. 

Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user. 

Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.

**Supported Platforms:** macOS


**auto_generated_guid:** ff1d8c25-2aa4-4f18-a425-fede4a41ee88






#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 


```bash
sudo defaults read /Library/Preferences/com.apple.alf
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
```






<br/>
<br/>

## Atomic Test #9 - DNS Server Discovery Using nslookup
Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by qakbot malware to gather information on the domain
controller of the targeted or compromised host. reference https://securelist.com/qakbot-technical-analysis/103931/

**Supported Platforms:** Windows


**auto_generated_guid:** 34557863-344a-468f-808b-a1bfb89b4fa9






#### Attack Commands: Run with `command_prompt`! 


```cmd
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%
```






<br/>