From 7f613df3a3ca83ac826faca2994ec5fc7deda1f0 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 6 Jul 2018 19:54:35 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1049/T1049.md | 73 +++++++++++++++++++++++++++++++++++++++ atomics/index.md | 5 ++- atomics/linux-index.md | 3 +- atomics/linux-matrix.md | 2 +- atomics/macos-index.md | 3 +- atomics/macos-matrix.md | 2 +- atomics/matrix.md | 2 +- atomics/windows-index.md | 4 ++- atomics/windows-matrix.md | 2 +- 9 files changed, 88 insertions(+), 8 deletions(-) create mode 100644 atomics/T1049/T1049.md diff --git a/atomics/T1049/T1049.md b/atomics/T1049/T1049.md new file mode 100644 index 00000000..24b97e5e --- /dev/null +++ b/atomics/T1049/T1049.md @@ -0,0 +1,73 @@ +# T1049 - System Network Connections Discovery +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1049) +
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. + +===Windows=== + +Utilities and commands that acquire this information include netstat, "net use," and "net session" with Net. + +===Mac and Linux === + +In Mac and Linux, netstat and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session". + +Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. + +Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. + +Platforms: Linux, macOS, Windows + +Data Sources: Process command-line parameters, Process monitoring + +Permissions Required: User, Administrator
+ +## Atomic Tests + +- [Atomic Test #1 - System Network Connections Discovery](#atomic-test-1---system-network-connections-discovery) + +- [Atomic Test #2 - System Network Connections Discovery with PowerShell](#atomic-test-2---system-network-connections-discovery-with-powershell) + +- [Atomic Test #3 - System Network Connections Discovery Linux & MacOS](#atomic-test-3---system-network-connections-discovery-linux--macos) + + +
+ +## Atomic Test #1 - System Network Connections Discovery +Get a listing of network connections. + +**Supported Platforms:** Windows + + +#### Run it with `command_prompt`! +``` +netstat +net use +net sessions +``` +
+
+ +## Atomic Test #2 - System Network Connections Discovery with PowerShell +Get a listing of network connections. + +**Supported Platforms:** Windows + + +#### Run it with `powershell`! +``` +Get-NetTCPConnection +``` +
+
+ +## Atomic Test #3 - System Network Connections Discovery Linux & MacOS +Get a listing of network connections. + +**Supported Platforms:** Linux, macOS + + +#### Run it with `sh`! +``` +netstat +who -a +``` +
diff --git a/atomics/index.md b/atomics/index.md index a2b39b09..69de9ed6 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -365,7 +365,10 @@ - [T1016 System Network Configuration Discovery](./T1016/T1016.md) - Atomic Test #1: System Network Configuration Discovery [windows] - Atomic Test #2: System Network Configuration Discovery [macos, linux] -- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1049 System Network Connections Discovery](./T1049/T1049.md) + - Atomic Test #1: System Network Connections Discovery [windows] + - Atomic Test #2: System Network Connections Discovery with PowerShell [windows] + - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos] - [T1033 System Owner/User Discovery](./T1033/T1033.md) - Atomic Test #1: System Owner/User Discovery [windows] - Atomic Test #2: System Owner/User Discovery [linux, macos] diff --git a/atomics/linux-index.md b/atomics/linux-index.md index c73a4a03..3f46854a 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md @@ -57,7 +57,8 @@ - Atomic Test #3: List OS Information [linux, macos] - [T1016 System Network Configuration Discovery](./T1016/T1016.md) - Atomic Test #2: System Network Configuration Discovery [macos, linux] -- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1049 System Network Connections Discovery](./T1049/T1049.md) + - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos] - [T1033 System Owner/User Discovery](./T1033/T1033.md) - Atomic Test #2: System Owner/User Discovery [linux, macos] diff --git a/atomics/linux-matrix.md b/atomics/linux-matrix.md index b183c694..b240deea 100644 --- a/atomics/linux-matrix.md +++ b/atomics/linux-matrix.md 
@@ -11,7 +11,7 @@ | Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](./T1154/T1154.md) | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Removal on Host](./T1070/T1070.md) | | [System Information Discovery](./T1082/T1082.md) | | [Input Capture](./T1056/T1056.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](./T1154/T1154.md) | | [Install Root Certificate](./T1130/T1130.md) | | [System Network Configuration Discovery](./T1016/T1016.md) | | [Screen Capture](./T1113/T1113.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | Valid Accounts [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Obfuscated Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Process Injection](./T1055/T1055.md) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/macos-index.md b/atomics/macos-index.md index b0a0cccd..3df47cce 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md @@ -81,7 +81,8 @@ - Atomic Test #3: List OS Information [linux, macos] - [T1016 System Network Configuration Discovery](./T1016/T1016.md) - Atomic Test #2: System Network Configuration Discovery [macos, linux] -- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1049 System Network Connections Discovery](./T1049/T1049.md) + - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos] - [T1033 System Owner/User Discovery](./T1033/T1033.md) - Atomic Test #2: System Owner/User Discovery [linux, macos] diff --git a/atomics/macos-matrix.md b/atomics/macos-matrix.md index 51f7867d..87bf5369 100644 --- a/atomics/macos-matrix.md +++ b/atomics/macos-matrix.md 
@@ -14,7 +14,7 @@ | | [Trap](./T1154/T1154.md) | [Local Job Scheduling](./T1168/T1168.md) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](./T1063/T1063.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Information Discovery](./T1082/T1082.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Logon Scripts](./T1037/T1037.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | [Plist Modification](./T1150/T1150.md) | | [Install Root Certificate](./T1130/T1130.md) | | System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | [Plist Modification](./T1150/T1150.md) | | [Install Root Certificate](./T1130/T1130.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | 
[Rc.common](./T1163/T1163.md) | | [Launchctl](./T1152/T1152.md) | | | | | | [Remote File Copy](./T1105/T1105.md) | | | | [Re-opened Applications](./T1164/T1164.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/matrix.md b/atomics/matrix.md index 236bb8ec..e9ba5f89 100644 --- a/atomics/matrix.md +++ b/atomics/matrix.md 
@@ -16,7 +16,7 @@ | | [Local Job Scheduling](./T1168/T1168.md) | [Create Account](./T1136/T1136.md) | [Image File Execution Options Injection](./T1183/T1183.md) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](./T1142/T1142.md) | [Security Software Discovery](./T1063/T1063.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Mshta](./T1170/T1170.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | LLMNR/NBT-NS Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [PowerShell](./T1086/T1086.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [New Service](./T1050/T1050.md) | [Disabling Security Tools](./T1089/T1089.md) | [Network Sniffing](./T1040/T1040.md) | [System Network Configuration Discovery](./T1016/T1016.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Filter DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Network Connections Discovery [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Windows Admin Shares](./T1077/T1077.md) | | | [Remote File Copy](./T1105/T1105.md) | +| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Filter DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](./T1049/T1049.md) | [Windows Admin Shares](./T1077/T1077.md) | | | [Remote File Copy](./T1105/T1105.md) | | | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](./T1150/T1150.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](./T1145/T1145.md) | [System Owner/User Discovery](./T1033/T1033.md) | [Windows Remote Management](./T1028/T1028.md) | | | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](./T1107/T1107.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](./T1007/T1007.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Time Discovery](./T1124/T1124.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 1f2cdbf3..2b8f4372 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -242,7 +242,9 @@ - Atomic Test #1: System Information Discovery [windows] - [T1016 System Network Configuration Discovery](./T1016/T1016.md) - Atomic Test #1: System Network Configuration Discovery [windows] -- T1049 System Network Connections Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1049 System Network Connections Discovery](./T1049/T1049.md) + - Atomic Test #1: System Network Connections Discovery [windows] + - Atomic Test #2: System Network Connections Discovery with PowerShell [windows] - [T1033 System Owner/User Discovery](./T1033/T1033.md) - Atomic Test #1: System Owner/User Discovery [windows] - [T1007 System Service Discovery](./T1007/T1007.md) diff --git a/atomics/windows-matrix.md b/atomics/windows-matrix.md index b1e23b5c..d1e38c20 100644 --- a/atomics/windows-matrix.md +++ b/atomics/windows-matrix.md 
@@ -16,7 +16,7 @@ | | [Regsvcs/Regasm](./T1121/T1121.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [New Service](./T1050/T1050.md) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | Password Filter DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](./T1063/T1063.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Regsvr32](./T1117/T1117.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | [Private Keys](./T1145/T1145.md) | [System Information Discovery](./T1082/T1082.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Rundll32](./T1085/T1085.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Remote File Copy](./T1105/T1105.md) | -| | [Scheduled Task](./T1053/T1053.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Network Connections Discovery [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | | | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | [Scheduled Task](./T1053/T1053.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](./T1049/T1049.md) | | | | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](./T1107/T1107.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Service Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hypervisor](./T1062/T1062.md) | [Scheduled Task](./T1053/T1053.md) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Service Discovery](./T1007/T1007.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](./T1183/T1183.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](./T1158/T1158.md) | | [System Time Discovery](./T1124/T1124.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
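Review bot: in the new atomics/T1049/T1049.md, Atomic Test #3 (`Run it with sh!`) only runs `netstat` and `who -a`, while the description directly above it names `lsof` and `w` as the Mac/Linux equivalents; adding `lsof -i` and `w` would make the test exercise the tooling the description tells detection engineers to watch for. `netstat` also comes from the net-tools package, which several current Linux distributions no longer install by default (`ss` from iproute2 replaced it), so the test can fail with "command not found" instead of producing the process and command-line telemetry the Detection paragraph describes; consider documenting that or falling back to `ss`. Two smaller points in the same file: the `===Windows===` and `===Mac and Linux ===` lines carried over from the ATT&CK wiki are MediaWiki heading syntax and will render as literal text in Markdown (`### Windows` would match the file's own heading style), and Test #2's `Get-NetTCPConnection` lists TCP only and is absent on Windows versions without the NetTCPIP module, which is worth stating under Supported Platforms.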
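Review bot: in the atomics/index.md hunk, the new T1049 entries are tagged `[linux, macos]` while the T1016 context line two lines above them is tagged `[macos, linux]`; the generator should emit the platform list in one fixed order so the index can be filtered consistently. The Test #3 title also spells the platform `MacOS` (`Atomic Test #3: System Network Connections Discovery Linux & MacOS`) where the tags and the description's Platforms line use `macOS`.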