diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index c5f01fc5..824cfe01 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -34,6 +34,10 @@ In Azure, the API request GET https://management.azure.com/subscriptions/{ - [Atomic Test #5 - Linux VM Check via Kernel Modules](#atomic-test-5---linux-vm-check-via-kernel-modules) +- [Atomic Test #6 - Hostname Discovery](#atomic-test-6---hostname-discovery) + +- [Atomic Test #7 - Windows MachineGUID Discovery](#atomic-test-7---windows-machineguid-discovery) +
@@ -132,4 +136,36 @@ sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc" +
+
+ +## Atomic Test #6 - Hostname Discovery +Identify system hostname for Windows, Linux, and macOS systems. + +**Supported Platforms:** Windows, Linux, macOS + + +#### Run it with `bash`! +``` +hostname +``` + + + +
+
+ +## Atomic Test #7 - Windows MachineGUID Discovery +Identify the Windows MachineGUID value for a system. + +**Supported Platforms:** Windows + + +#### Run it with `command_prompt`! +``` +REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid +``` + + +
diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml index fbe6d766..e41f8993 100644 --- a/atomics/T1082/T1082.yaml +++ b/atomics/T1082/T1082.yaml @@ -82,4 +82,37 @@ atomic_tests: sudo lsmod | grep -i "vmw_baloon\|vmxnet" sudo lsmod | grep -i "xen-vbd\|xen-vnif" sudo lsmod | grep -i "virtio_pci\|virtio_net" - sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc" \ No newline at end of file + sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc" + +- name: Hostname Discovery + description: | + Identify system hostname for Windows, Linux, and macOS systems. + + supported_platforms: + - windows + - linux + - macos + + executor: + name: command_prompt + elevation_required: false + command: | + hostname + + name: bash + elevation_required: false + command: | + hostname + +- name: Windows MachineGUID Discovery + description: | + Identify the Windows MachineGUID value for a system. + + supported_platforms: + - windows + + executor: + name: command_prompt + elevation_required: false + command: | + REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid diff --git a/atomics/index.md b/atomics/index.md index bdec95ec..c46546f3 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -600,6 +600,8 @@ - Atomic Test #3: List OS Information [linux, macos] - Atomic Test #4: Linux VM Check via Hardware [linux] - Atomic Test #5: Linux VM Check via Kernel Modules [linux] + - Atomic Test #6: Hostname Discovery [windows, linux, macos] + - Atomic Test #7: Windows MachineGUID Discovery [windows] - [T1016 System Network Configuration Discovery](./T1016/T1016.md) - Atomic Test #1: System Network Configuration Discovery [windows] - Atomic Test #2: List Windows Firewall Rules [windows] diff --git a/atomics/index.yaml b/atomics/index.yaml index 36dc6cea..11e7dece 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
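Review bot: The `executor:` mapping of the new "Hostname Discovery" entry in atomics/T1082/T1082.yaml repeats the keys `name`, `elevation_required` and `command` (once for `command_prompt`, once for `bash`), and a YAML mapping cannot carry duplicate keys — most loaders silently keep the last value, which is what the regenerated atomics/index.yaml in this same commit shows: only `name: bash` survives, and T1082.md documents only a `bash` runner, so the Windows `command_prompt` executor is dropped while `windows` still appears in `supported_platforms`. The file's other tests each carry a single executor, so the schema appears to allow one executor per atomic test; either delete the four lines `name: command_prompt`, `elevation_required: false`, `command: |`, `hostname` and keep the `bash` executor, or move the Windows variant into its own `- name:` entry with `supported_platforms:` limited to `- windows`. Enabling yamllint's `key-duplicates` rule in CI would have flagged this before the index was regenerated. The same hunk also adds the missing trailing newline after the `hv_storvsc` line, which is a correct fix.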
@@ -17292,12 +17292,39 @@ discovery: - linux executor: name: bash - command: |- + command: | sudo lsmod | grep -i "vboxsf\|vboxguest" sudo lsmod | grep -i "vmw_baloon\|vmxnet" sudo lsmod | grep -i "xen-vbd\|xen-vnif" sudo lsmod | grep -i "virtio_pci\|virtio_net" sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc" + - name: Hostname Discovery + description: 'Identify system hostname for Windows, Linux, and macOS systems. + +' + supported_platforms: + - windows + - linux + - macos + executor: + name: bash + elevation_required: false + command: 'hostname + +' + - name: Windows MachineGUID Discovery + description: 'Identify the Windows MachineGUID value for a system. + +' + supported_platforms: + - windows + executor: + name: command_prompt + elevation_required: false + command: 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v + MachineGuid + +' T1016: technique: x_mitre_data_sources: diff --git a/atomics/linux-index.md b/atomics/linux-index.md index 0617abe7..983df1b2 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md @@ -102,6 +102,7 @@ - Atomic Test #3: List OS Information [linux, macos] - Atomic Test #4: Linux VM Check via Hardware [linux] - Atomic Test #5: Linux VM Check via Kernel Modules [linux] + - Atomic Test #6: Hostname Discovery [windows, linux, macos] - [T1016 System Network Configuration Discovery](./T1016/T1016.md) - Atomic Test #3: System Network Configuration Discovery [macos, linux] - [T1049 System Network Connections Discovery](./T1049/T1049.md) diff --git a/atomics/macos-index.md b/atomics/macos-index.md index 17f6825d..159d4f3a 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md 
@@ -114,6 +114,7 @@ - [T1082 System Information Discovery](./T1082/T1082.md) - Atomic Test #2: System Information Discovery [linux, macos] - Atomic Test #3: List OS Information [linux, macos] + - Atomic Test #6: Hostname Discovery [windows, linux, macos] - [T1016 System Network Configuration Discovery](./T1016/T1016.md) - Atomic Test #3: System Network Configuration Discovery [macos, linux] - [T1049 System Network Connections Discovery](./T1049/T1049.md) diff --git a/atomics/windows-index.md b/atomics/windows-index.md index f2249dc7..f0b074c3 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -421,6 +421,8 @@ - Atomic Test #1: Find and Display Iinternet Explorer Browser Version [windows] - [T1082 System Information Discovery](./T1082/T1082.md) - Atomic Test #1: System Information Discovery [windows] + - Atomic Test #6: Hostname Discovery [windows, linux, macos] + - Atomic Test #7: Windows MachineGUID Discovery [windows] - [T1016 System Network Configuration Discovery](./T1016/T1016.md) - Atomic Test #1: System Network Configuration Discovery [windows] - Atomic Test #2: List Windows Firewall Rules [windows]