security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #211 from redcanaryco/T1124

Browse Source 
T1124
This commit is contained in:
Michael Haag
2018-05-25 08:15:43 -04:00
committed by GitHub
parent 09aae41601 8be453ffef
commit a4b366c31b
6 changed files with 74 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1124/T1124.md
+32
View File
@@ -0,0 +1,32 @@
# T1124 - System Time Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1124)
<blockquote>The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)
An adversary may gather the system time and/or time zone from a local or remote system. This information may be gathered in a number of ways, such as with Net on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>. (Citation: Technet Windows Time Service) The information could be useful for performing other techniques, such as executing a file with a Scheduled Task (Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting.
Detection: Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.
Platforms: Windows
Data Sources: Process monitoring, Process command-line parameters, API monitoring
Permissions Required: User</blockquote>
## Atomic Tests
- [Atomic Test #1 - System Time Discovery - PowerShell](#atomic-test-1---system-time-discovery---powershell)
<br/>
## Atomic Test #1 - System Time Discovery - PowerShell
Identify the system time via PowerShell
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
powershell.exe Get-Date
```
<br/>
atomics/T1124/T1124.yaml
+36
View File
@@ -0,0 +1,36 @@
---
attack_technique: T1124
display_name: System Time Discovery
atomic_tests:
- name: System Time Discovery
description: |
Identify the system time
supported_platforms:
- windows
input_arguments:
computername:
description: computer name to query
type: string
default: computer1
executor:
name: command_prompt
command: |
net time \\${computername}
w32tm /tz
atomic_tests:
- name: System Time Discovery - PowerShell
description: |
Identify the system time via PowerShell
supported_platforms:
- windows
executor:
name: powershell
command: |
powershell.exe Get-Date
atomics/index.md
+2 -1
View File
@@ -269,7 +269,8 @@
- Atomic Test #1: System Owner/User Discovery [windows]
- [T1007 System Service Discovery](./T1007/T1007.md)
- Atomic Test #1: System Service Discovery [windows]
- [T1124 System Time Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1124 System Time Discovery](./T1124/T1124.md)
- Atomic Test #1: System Time Discovery - PowerShell [windows]
# credential-access
- [T1098 Account Manipulation](./T1098/T1098.md)
atomics/matrix.md
+1 -1
View File
@@ -19,7 +19,7 @@
| | [Regsvcs/Regasm](./T1121/T1121.md) | [External Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Path Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exploitation for Defense Evasion](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Password Filter DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Windows Admin Shares](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Regsvr32](./T1117/T1117.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Private Keys](./T1145/T1145.md) | [System Owner/User Discovery](./T1033/T1033.md) | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | [Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [File Deletion](./T1107/T1107.md) | [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Service Discovery](./T1007/T1007.md) | | | | [Standard Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | [File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Securityd Memory](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Time Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | [Standard Non-Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | [File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Securityd Memory](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Time Discovery](./T1124/T1124.md) | | | | [Standard Non-Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Scripting](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hypervisor](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [SID-History Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Gatekeeper Bypass](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Two-Factor Authentication Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | [Uncommonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Service Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Scheduled Task](./T1053/T1053.md) | [HISTCONTROL](./T1148/T1148.md) | | | | | | [Web Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hidden Files and Directories](./T1158/T1158.md) | | | | | | |
atomics/windows-index.md
+2 -1
View File
@@ -209,7 +209,8 @@
- Atomic Test #1: System Owner/User Discovery [windows]
- [T1007 System Service Discovery](./T1007/T1007.md)
- Atomic Test #1: System Service Discovery [windows]
- [T1124 System Time Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1124 System Time Discovery](./T1124/T1124.md)
- Atomic Test #1: System Time Discovery - PowerShell [windows]
# credential-access
- [T1098 Account Manipulation](./T1098/T1098.md)
atomics/windows-matrix.md
+1 -1
View File
@@ -19,7 +19,7 @@
| | [Scheduled Task](./T1053/T1053.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Two-Factor Authentication Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | [Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Scripting](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hooking](./T1179/T1179.md) | [SID-History Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [File Deletion](./T1107/T1107.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Standard Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Service Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hypervisor](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Scheduled Task](./T1053/T1053.md) | [File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [System Service Discovery](./T1007/T1007.md) | | | | [Standard Non-Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hidden Files and Directories](./T1158/T1158.md) | | [System Time Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | [Uncommonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hidden Files and Directories](./T1158/T1158.md) | | [System Time Discovery](./T1124/T1124.md) | | | | [Uncommonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [LSASS Driver](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Image File Execution Options Injection](./T1183/T1183.md) | | | | | | [Web Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Logon Scripts](./T1037/T1037.md) | [Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [Trusted Developer Utilities](./T1127/T1127.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |