diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md
index f8f705a3..2f62dfaf 100644
--- a/atomics/T1016/T1016.md
+++ b/atomics/T1016/T1016.md
@@ -14,6 +14,8 @@ Adversaries may use the information from [System Network Configuration Discovery
- [Atomic Test #4 - System Network Configuration Discovery (Trickbot Style)](#atomic-test-4---system-network-configuration-discovery-trickbot-style)
+- [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports)
+
@@ -103,4 +105,60 @@ nltest /domain_trusts
+
+
+
+## Atomic Test #5 - List Open Egress Ports
+This is to test for what ports are open outbound. The technique used was taken from the following blog:
+https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
+
+**Supported Platforms:** Windows
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| port_file | The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. | Path | PathToAtomicsFolder\T1016\src\top-128.txt|
+| output_file | Path of file to write port scan results | Path | $env:USERPROFILE\Desktop\open-ports.txt|
+
+
+#### Attack Commands: Run with `powershell`!
+```
+$ports = Get-content #{port_file}
+$file = "#{output_file}"
+$totalopen = 0
+$totalports = 0
+New-Item $file -Force
+foreach ($port in $ports) {
+ $test = new-object system.Net.Sockets.TcpClient
+ $wait = $test.beginConnect("allports.exposed", $port, $null, $null)
+ $wait.asyncwaithandle.waitone(250, $false) | Out-Null
+ $totalports++ | Out-Null
+ if ($test.Connected) {
+ $result = "$port open"
+ Write-Host -ForegroundColor Green $result
+ $result | Out-File -Encoding ASCII -append $file
+ $totalopen++ | Out-Null
+ }
+ else {
+ $result = "$port closed"
+ Write-Host -ForegroundColor Red $result
+ $totalclosed++ | Out-Null
+ $result | Out-File -Encoding ASCII -append $file
+ }
+}
+$results = "There were a total of $totalopen open ports out of $totalports ports tested."
+$results | Out-File -Encoding ASCII -append $file
+Write-Host $results
+```
+
+#### Cleanup Commands:
+```
+Remove-Item -ErrorAction ignore "#{output_file}"
+```
+
+
+
+
+
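Review bot: In the Test #5 script, `$totalclosed++` in the else branch increments a counter that is never initialised alongside `$totalopen`/`$totalports` and never reported, so either drop it or add `$totalclosed = 0` and include it in the summary line. `Get-content #{port_file}` is unquoted while `"#{output_file}"` is quoted, so a port-file path containing spaces will fail; `$ports = Get-Content "#{port_file}"` keeps the two consistent. Each `TcpClient` is left open after the check, so a `$test.Close()` at the end of the loop body would release the socket before the next port is tried. The description should also state that every port in the list is tried against the external host `allports.exposed`, so whoever runs the test expects that outbound traffic and knows what to look for in firewall and proxy logs. The same script is embedded in the `atomics/index.yaml` hunk.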
diff --git a/atomics/index.md b/atomics/index.md
index b6a6bda3..189348df 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -635,6 +635,7 @@
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #4: System Network Configuration Discovery (Trickbot Style) [windows]
+ - Atomic Test #5: List Open Egress Ports [windows]
- [T1049 System Network Connections Discovery](./T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index c1fa488a..7431b633 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -18906,11 +18906,43 @@ discovery:
executor:
name: command_prompt
elevation_required: false
- command: |-
+ command: |
ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts
+ - name: List Open Egress Ports
+ description: |
+ This is to test for what ports are open outbound. The technique used was taken from the following blog:
+ https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
+ supported_platforms:
+ - windows
+ input_arguments:
+ port_file:
+ description: The path to a text file containing ports to be scanned, one
+ port per line. The default list uses the top 128 ports as defined by Nmap.
+ type: Path
+ default: PathToAtomicsFolder\T1016\src\top-128.txt
+ output_file:
+ description: Path of file to write port scan results
+ type: Path
+ default: "$env:USERPROFILE\\Desktop\\open-ports.txt"
+ executor:
+ name: powershell
+ elevation_required: false
+ command: "$ports = Get-content #{port_file}\n$file = \"#{output_file}\"\n$totalopen
+ = 0\n$totalports = 0\nNew-Item $file -Force\nforeach ($port in $ports) {\n
+ \ $test = new-object system.Net.Sockets.TcpClient\n $wait = $test.beginConnect(\"allports.exposed\",
+ $port, $null, $null)\n $wait.asyncwaithandle.waitone(250, $false) | Out-Null\n
+ \ $totalports++ | Out-Null\n if ($test.Connected) {\n $result
+ = \"$port open\" \n Write-Host -ForegroundColor Green $result\n $result
+ | Out-File -Encoding ASCII -append $file\n $totalopen++ | Out-Null\n
+ \ }\n else {\n $result = \"$port closed\" \n Write-Host
+ -ForegroundColor Red $result\n $totalclosed++ | Out-Null\n $result
+ | Out-File -Encoding ASCII -append $file\n }\n}\n$results = \"There were
+ a total of $totalopen open ports out of $totalports ports tested.\"\n$results
+ | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n"
+ cleanup_command: Remove-Item -ErrorAction ignore "#{output_file}"
T1049:
technique:
x_mitre_permissions_required:
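Review bot: The new `command` value is serialised as a double-quoted scalar with `\n` escapes, unlike the block scalar used by the test above it, which makes the script hard to review in this file. The likely cause is the trailing space after `\"$port open\"` and `\"$port closed\"` (visible as `\" \n`), since YAML emitters generally fall back to quoted style when a line ends in whitespace; removing those two trailing spaces in the test definition and regenerating should restore `command: |`. The `|-` to `|` change on the preceding test's command adds a trailing newline to an unrelated test and looks like regeneration churn worth confirming. The default `port_file` points at `PathToAtomicsFolder\T1016\src\top-128.txt`, which is not among the files shown here, so check that it ships with the change.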
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 6f9020fd..11dff745 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -454,6 +454,7 @@
- Atomic Test #1: System Network Configuration Discovery [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #4: System Network Configuration Discovery (Trickbot Style) [windows]
+ - Atomic Test #5: List Open Egress Ports [windows]
- [T1049 System Network Connections Discovery](./T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]