security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #226 from redcanaryco/Linux-Discovery

Browse Source 
Linux Discovery yaml conversions
This commit is contained in:
Michael Haag
2018-05-25 13:53:29 -04:00
committed by GitHub
parent bd5e78b364 2061399fc8
commit 5153f8fec9
12 changed files with 75 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Linux/Discovery/File_and_Directory_Discovery.md
-19
View File
@@ -1,19 +0,0 @@
#File and Directory Discovery
## MITRE ATT&CK Technique: [T1083](https://attack.mitre.org/wiki/Technique/T1083)
Output a directory tree listing :
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
List Mounted File Systems and Paths
cat /etc/mtab > /tmp/loot.txt
Find pdfs on a machine
find . -type f -iname *.pdf > /tmp/loot.txt
Find hidden files on a machine
find . -type f -name ".*"
Linux/Discovery/Process_Discovery.md
-14
View File
@@ -1,14 +0,0 @@
## Process Discovery
MITRE ATT&CK Technique: [T1057](https://attack.mitre.org/wiki/Technique/T1057)
### Process Discovery
Input:
ps >> /tmp/loot.txt
Input:
ps aux >> /tmp/loot.txt
Linux/Discovery/Remote_System_Discovery.md
-18
View File
@@ -1,18 +0,0 @@
## Remote System Discovery
MITRE ATT&CK Technique: [T1018](https://attack.mitre.org/wiki/Technique/T1018)
### arp
Input:
arp -a | grep -v '^?'
### Network scanning
Input:
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
Linux/Discovery/System_Information_Discovery.md
-16
View File
@@ -1,16 +0,0 @@
# System Information Discovery
MITRE ATT&CK Technique: [T1082](https://attack.mitre.org/wiki/Technique/T1082)
List OS information:
uname -a >> /tmp/loot.txt
List OS specific information:
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
Show how long a machine has been running:
uptime >> /tmp/loot.txt
Linux/Discovery/System_Network_Configuration_Discovery.md
-17
View File
@@ -1,17 +0,0 @@
## System Network Configuration Discovery
MITRE ATT&CK Technique: [T1016](https://attack.mitre.org/wiki/Technique/T1016)
### Network Data
Input:
arp -a
Input:
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
Input:
ifconfig
atomics/T1082/T1082.md
+18
View File
@@ -26,6 +26,8 @@ Permissions Required: User</blockquote>
- [Atomic Test #2 - System Information Discovery](#atomic-test-2---system-information-discovery)
- [Atomic Test #3 - List OS Information](#atomic-test-3---list-os-information)
<br/>
@@ -56,3 +58,19 @@ system_profiler
ls -al /Applications
```
<br/>
<br/>
## Atomic Test #3 - List OS Information
Identify System Info
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
uptime >> /tmp/loot.txt
```
<br/>
atomics/T1082/T1082.yaml
+16
View File
@@ -30,3 +30,19 @@ atomic_tests:
systemsetup
system_profiler
ls -al /Applications
- name: List OS Information
description: |
Identify System Info
supported_platforms:
- linux
- macos
executor:
name: sh
command: |
uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
uptime >> /tmp/loot.txt
atomics/T1083/T1083.md
+18
View File
@@ -28,6 +28,8 @@ System Requirements: Some folders may require Administrator, SYSTEM or specific
- [Atomic Test #2 - nix file and diectory discovery](#atomic-test-2---nix-file-and-diectory-discovery)
- [Atomic Test #3 - nix file and diectory discovery](#atomic-test-3---nix-file-and-diectory-discovery)
<br/>
@@ -72,3 +74,19 @@ find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
```
<br/>
<br/>
## Atomic Test #3 - nix file and diectory discovery
Find or discovery files on the file system
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
cat /etc/mtab > /tmp/loot.txt
find . -type f -iname *.pdf > /tmp/loot.txt
find . -type f -name ".*"
```
<br/>
atomics/T1083/T1083.yaml
+17
View File
@@ -44,3 +44,20 @@ atomic_tests:
file */* *>> ../files.txt
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
- name: nix file and diectory discovery
description: |
Find or discovery files on the file system
supported_platforms:
- macos
- linux
executor:
name: sh
command: |
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
cat /etc/mtab > /tmp/loot.txt
find . -type f -iname *.pdf > /tmp/loot.txt
find . -type f -name ".*"
atomics/index.md
+2
View File
@@ -289,6 +289,7 @@
- [T1083 File and Directory Discovery](./T1083/T1083.md)
- Atomic Test #1: File and Directory Discovery [windows]
- Atomic Test #2: nix file and diectory discovery [macos, linux]
- Atomic Test #3: nix file and diectory discovery [macos, linux]
- [T1046 Network Service Scanning](./T1046/T1046.md)
- Atomic Test #1: Scan a bunch of ports to see if they are open [linux, macos]
- [T1135 Network Share Discovery](./T1135/T1135.md)
@@ -314,6 +315,7 @@
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
- Atomic Test #1: System Network Configuration Discovery [windows]
- Atomic Test #2: System Network Configuration Discovery [macos, linux]
atomics/linux-index.md
+2
View File
@@ -32,6 +32,7 @@
- [T1217 Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1083 File and Directory Discovery](./T1083/T1083.md)
- Atomic Test #2: nix file and diectory discovery [macos, linux]
- Atomic Test #3: nix file and diectory discovery [macos, linux]
- [T1046 Network Service Scanning](./T1046/T1046.md)
- Atomic Test #1: Scan a bunch of ports to see if they are open [linux, macos]
- [T1201 Password Policy Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
@@ -44,6 +45,7 @@
- Atomic Test #5: Remote System Discovery - sweep [linux, macos]
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
- Atomic Test #2: System Network Configuration Discovery [macos, linux]
- [T1049 System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
atomics/macos-index.md
+2
View File
@@ -57,6 +57,7 @@
- [T1217 Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1083 File and Directory Discovery](./T1083/T1083.md)
- Atomic Test #2: nix file and diectory discovery [macos, linux]
- Atomic Test #3: nix file and diectory discovery [macos, linux]
- [T1046 Network Service Scanning](./T1046/T1046.md)
- Atomic Test #1: Scan a bunch of ports to see if they are open [linux, macos]
- [T1135 Network Share Discovery](./T1135/T1135.md)
@@ -73,6 +74,7 @@
- Atomic Test #3: Security Software Discovery - ps [linux, macos]
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
- Atomic Test #2: System Network Configuration Discovery [macos, linux]
- [T1049 System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)