attack_technique: T1016
display_name: System Network Configuration Discovery
atomic_tests:
- name: System Network Configuration Discovery on Windows
  auto_generated_guid: 970ab6a1-0157-4f3f-9a73-ec4166754b23
  description: |
    Identify network configuration information

    Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      ipconfig /all
      netsh interface show interface
      arp -a
      nbtstat -n
      net config
    name: command_prompt
- name: List Windows Firewall Rules
  auto_generated_guid: 038263cb-00f4-4b0a-98ae-0696c67e1752
  description: |
    Enumerates Windows Firewall Rules using netsh.

    Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      netsh advfirewall firewall show rule name=all
    name: command_prompt
- name: System Network Configuration Discovery
  auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17
  description: |
    Identify network configuration information.
    Upon successful execution, sh will spawn multiple commands and output will be via stdout.
  supported_platforms:
  - macos
  - linux
  dependency_executor_name: sh
  dependencies:
  - description: |
      Check if arp command exists on the machine
    prereq_command: |
      if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      (which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)
  executor:
    command: |
      if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
      if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
      if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
      if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
      if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
    name: sh
- name: System Network Configuration Discovery (TrickBot Style)
  auto_generated_guid: dafaf052-5508-402d-bf77-51e0700c02e2
  description: |
    Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/

    Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      ipconfig /all
      net config workstation
      net view /all /domain
      nltest /domain_trusts
    name: command_prompt
- name: List Open Egress Ports
  auto_generated_guid: 4b467538-f102-491d-ace7-ed487b853bf5
  description: |
    This is to test for what ports are open outbound.  The technique used was taken from the following blog:
    https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/

    Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.
  supported_platforms:
  - windows
  input_arguments:
    output_file:
      description: Path of file to write port scan results
      type: path
      default: $env:USERPROFILE\Desktop\open-ports.txt
    portfile_url:
      description: URL to top-128.txt
      type: url
      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt
    port_file:
      description: The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap.
      type: path
      default: PathToAtomicsFolder\T1016\src\top-128.txt
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Test requires #{port_file} to exist
    prereq_command: |
      if (Test-Path "#{port_file}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{port_file}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
  executor:
    command: |
      $ports = Get-content "#{port_file}"
      $file = "#{output_file}"
      $totalopen = 0
      $totalports = 0
      New-Item $file -Force
      foreach ($port in $ports) {
          $test = new-object system.Net.Sockets.TcpClient
          $wait = $test.beginConnect("allports.exposed", $port, $null, $null)
          $wait.asyncwaithandle.waitone(250, $false) | Out-Null
          $totalports++ | Out-Null
          if ($test.Connected) {
              $result = "$port open" 
              Write-Host -ForegroundColor Green $result
              $result | Out-File -Encoding ASCII -append $file
              $totalopen++ | Out-Null
          }
          else {
              $result = "$port closed" 
              Write-Host -ForegroundColor Red $result
              $totalclosed++ | Out-Null
              $result | Out-File -Encoding ASCII -append $file
          }
      }
      $results = "There were a total of $totalopen open ports out of $totalports ports tested."
      $results | Out-File -Encoding ASCII -append $file
      Write-Host $results
    cleanup_command: |
      Remove-Item -ErrorAction ignore "#{output_file}"
    name: powershell
- name: Adfind - Enumerate Active Directory Subnet Objects
  auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee
  description: |
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
  supported_platforms:
  - windows
  input_arguments:
    optional_args:
      description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.
      type: string
      default:
  dependency_executor_name: powershell
  dependencies:
  - description: |
      AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
    prereq_command: |
      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
  executor:
    command: |
      "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}
    name: command_prompt

- name: Qakbot Recon
  auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b
  description: A list of commands known to be performed by Qakbot for recon purposes
  supported_platforms:
  - windows
  input_arguments:
    recon_commands:
      description: File that houses list of commands to be executed
      type: path
      default: PathToAtomicsFolder\T1016\src\qakbot.bat
  dependency_executor_name: powershell
  dependencies:
  - description: |
      File to copy must exist on disk at specified location (#{recon_commands})
    prereq_command: |
      if (Test-Path "#{recon_commands}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{recon_commands}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/qakbot.bat" -OutFile "#{recon_commands}"
  executor:
    command: |
      "#{recon_commands}"
    name: command_prompt
- name: List macOS Firewall Rules
  auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88
  description: |
    "This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. 

    Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user. 

    Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out. 
  supported_platforms:
  - macos
  executor:
    command: |
      sudo defaults read /Library/Preferences/com.apple.alf
      sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
    name: bash
    elevation_required: true
- name: DNS Server Discovery Using nslookup
  auto_generated_guid: 34557863-344a-468f-808b-a1bfb89b4fa9
  description: |
    Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by qakbot malware to gather information on the domain
    controller of the targeted or compromised host. reference https://securelist.com/qakbot-technical-analysis/103931/
  supported_platforms:
  - windows
  executor:
    command: |
      nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%
    name: command_prompt