Generate docs from job=validate_atomics_generate_docs branch=master

2018-07-06 19:54:35 +00:00
parent 6d1279ccd9
commit 7f613df3a3
9 changed files with 88 additions and 8 deletions
@@ -0,0 +1,73 @@
+# T1049 - System Network Connections Discovery
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1049)
+<blockquote>Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
+
+===Windows===
+
+Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net.
+
+===Mac and Linux ===
+
+In Mac and Linux, <code>netstat</code> and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to "net session".
+
+Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
+
+Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
+
+Platforms: Linux, macOS, Windows
+
+Data Sources: Process command-line parameters, Process monitoring
+
+Permissions Required: User, Administrator</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - System Network Connections Discovery](#atomic-test-1---system-network-connections-discovery)
+
+- [Atomic Test #2 - System Network Connections Discovery with PowerShell](#atomic-test-2---system-network-connections-discovery-with-powershell)
+
+- [Atomic Test #3 - System Network Connections Discovery Linux & MacOS](#atomic-test-3---system-network-connections-discovery-linux--macos)
+
+
+<br/>
+
+## Atomic Test #1 - System Network Connections Discovery
+Get a listing of network connections.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`!
+```
+netstat
+net use
+net sessions
+```
+<br/>
+<br/>
+
+## Atomic Test #2 - System Network Connections Discovery with PowerShell
+Get a listing of network connections.
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `powershell`!
+```
+Get-NetTCPConnection
+```
+<br/>
+<br/>
+
+## Atomic Test #3 - System Network Connections Discovery Linux & MacOS
+Get a listing of network connections.
+
+**Supported Platforms:** Linux, macOS
+
+
+#### Run it with `sh`!
+```
+netstat
+who -a
+```
+<br/>
@@ -365,7 +365,10 @@
 - [T1016 System Network Configuration Discovery](./T1016/T1016.md)
  - Atomic Test #1: System Network Configuration Discovery [windows]
  - Atomic Test #2: System Network Configuration Discovery [macos, linux]
- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1049 System Network Connections Discovery](./T1049/T1049.md)
+  - Atomic Test #1: System Network Connections Discovery [windows]
+  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
+  - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
 - [T1033 System Owner/User Discovery](./T1033/T1033.md)
  - Atomic Test #1: System Owner/User Discovery [windows]
  - Atomic Test #2: System Owner/User Discovery [linux, macos]
@@ -57,7 +57,8 @@
  - Atomic Test #3: List OS Information [linux, macos]
 - [T1016 System Network Configuration Discovery](./T1016/T1016.md)
  - Atomic Test #2: System Network Configuration Discovery [macos, linux]
- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1049 System Network Connections Discovery](./T1049/T1049.md)
+  - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
 - [T1033 System Owner/User Discovery](./T1033/T1033.md)
  - Atomic Test #2: System Owner/User Discovery [linux, macos]

@@ -11,7 +11,7 @@
 | Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) |  | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](./T1154/T1154.md) | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Indicator Removal on Host](./T1070/T1070.md) |  | [System Information Discovery](./T1082/T1082.md) |  | [Input Capture](./T1056/T1056.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](./T1154/T1154.md) |  | [Install Root Certificate](./T1130/T1130.md) |  | [System Network Configuration Discovery](./T1016/T1016.md) |  | [Screen Capture](./T1113/T1113.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [System Network Connections Discovery](./T1049/T1049.md) |  |  |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Obfuscated Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [System Owner/User Discovery](./T1033/T1033.md) |  |  |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  |  |  | [Process Injection](./T1055/T1055.md) |  |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -81,7 +81,8 @@
  - Atomic Test #3: List OS Information [linux, macos]
 - [T1016 System Network Configuration Discovery](./T1016/T1016.md)
  - Atomic Test #2: System Network Configuration Discovery [macos, linux]
- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1049 System Network Connections Discovery](./T1049/T1049.md)
+  - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
 - [T1033 System Owner/User Discovery](./T1033/T1033.md)
  - Atomic Test #2: System Owner/User Discovery [linux, macos]

@@ -14,7 +14,7 @@
 |  | [Trap](./T1154/T1154.md) | [Local Job Scheduling](./T1168/T1168.md) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](./T1063/T1063.md) |  | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [System Information Discovery](./T1082/T1082.md) |  |  |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | [Logon Scripts](./T1037/T1037.md) |  | [Indicator Removal on Host](./T1070/T1070.md) |  | [System Network Configuration Discovery](./T1016/T1016.md) |  |  |  | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | [Plist Modification](./T1150/T1150.md) |  | [Install Root Certificate](./T1130/T1130.md) |  | System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | [Plist Modification](./T1150/T1150.md) |  | [Install Root Certificate](./T1130/T1130.md) |  | [System Network Connections Discovery](./T1049/T1049.md) |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [System Owner/User Discovery](./T1033/T1033.md) |  |  |  | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  |  | [Rc.common](./T1163/T1163.md) |  | [Launchctl](./T1152/T1152.md) |  |  |  |  |  | [Remote File Copy](./T1105/T1105.md) |
 |  |  | [Re-opened Applications](./T1164/T1164.md) |  | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -16,7 +16,7 @@
 |  | [Local Job Scheduling](./T1168/T1168.md) | [Create Account](./T1136/T1136.md) | [Image File Execution Options Injection](./T1183/T1183.md) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](./T1142/T1142.md) | [Security Software Discovery](./T1063/T1063.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Mshta](./T1170/T1170.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | LLMNR/NBT-NS Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [PowerShell](./T1086/T1086.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [New Service](./T1050/T1050.md) | [Disabling Security Tools](./T1089/T1089.md) | [Network Sniffing](./T1040/T1040.md) | [System Network Configuration Discovery](./T1016/T1016.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Filter DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Admin Shares](./T1077/T1077.md) |  |  | [Remote File Copy](./T1105/T1105.md) |
+|  | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Filter DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](./T1049/T1049.md) | [Windows Admin Shares](./T1077/T1077.md) |  |  | [Remote File Copy](./T1105/T1105.md) |
 |  | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](./T1150/T1150.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](./T1145/T1145.md) | [System Owner/User Discovery](./T1033/T1033.md) | [Windows Remote Management](./T1028/T1028.md) |  |  | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](./T1107/T1107.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](./T1007/T1007.md) |  |  |  | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Time Discovery](./T1124/T1124.md) |  |  |  | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -242,7 +242,9 @@
  - Atomic Test #1: System Information Discovery [windows]
 - [T1016 System Network Configuration Discovery](./T1016/T1016.md)
  - Atomic Test #1: System Network Configuration Discovery [windows]
- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1049 System Network Connections Discovery](./T1049/T1049.md)
+  - Atomic Test #1: System Network Connections Discovery [windows]
+  - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
 - [T1033 System Owner/User Discovery](./T1033/T1033.md)
  - Atomic Test #1: System Owner/User Discovery [windows]
 - [T1007 System Service Discovery](./T1007/T1007.md)
@@ -16,7 +16,7 @@
 |  | [Regsvcs/Regasm](./T1121/T1121.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [New Service](./T1050/T1050.md) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | Password Filter DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](./T1063/T1063.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Regsvr32](./T1117/T1117.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | [Private Keys](./T1145/T1145.md) | [System Information Discovery](./T1082/T1082.md) | [Windows Admin Shares](./T1077/T1077.md) |  |  | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Rundll32](./T1085/T1085.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | [Windows Remote Management](./T1028/T1028.md) |  |  | [Remote File Copy](./T1105/T1105.md) |
-|  | [Scheduled Task](./T1053/T1053.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | [Scheduled Task](./T1053/T1053.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](./T1049/T1049.md) |  |  |  | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](./T1107/T1107.md) |  | [System Owner/User Discovery](./T1033/T1033.md) |  |  |  | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Service Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hypervisor](./T1062/T1062.md) | [Scheduled Task](./T1053/T1053.md) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [System Service Discovery](./T1007/T1007.md) |  |  |  | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](./T1183/T1183.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](./T1158/T1158.md) |  | [System Time Discovery](./T1124/T1124.md) |  |  |  | [Uncommonly Used Port](./T1065/T1065.md) |