Atomic Red Team doc generator
411 lines
12 KiB
Markdown
411 lines
12 KiB
Markdown
# T1016 - System Network Configuration Discovery
|
|
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016)
|
|
<blockquote>
|
|
|
|
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
|
|
|
|
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion ) On ESXi, adversaries may leverage esxcli to gather network configuration information. For example, the command `esxcli network nic list` will retrieve the MAC address, while `esxcli network ip interface ipv4 get` will retrieve the local IPv4 address.(Citation: Trellix Rnasomhouse 2024)
|
|
|
|
Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
|
|
|
|
</blockquote>
|
|
|
|
## Atomic Tests
|
|
|
|
- [Atomic Test #1 - System Network Configuration Discovery on Windows](#atomic-test-1---system-network-configuration-discovery-on-windows)
|
|
|
|
- [Atomic Test #2 - List Windows Firewall Rules](#atomic-test-2---list-windows-firewall-rules)
|
|
|
|
- [Atomic Test #3 - System Network Configuration Discovery](#atomic-test-3---system-network-configuration-discovery)
|
|
|
|
- [Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)](#atomic-test-4---system-network-configuration-discovery-trickbot-style)
|
|
|
|
- [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports)
|
|
|
|
- [Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects](#atomic-test-6---adfind---enumerate-active-directory-subnet-objects)
|
|
|
|
- [Atomic Test #7 - Qakbot Recon](#atomic-test-7---qakbot-recon)
|
|
|
|
- [Atomic Test #8 - List macOS Firewall Rules](#atomic-test-8---list-macos-firewall-rules)
|
|
|
|
- [Atomic Test #9 - DNS Server Discovery Using nslookup](#atomic-test-9---dns-server-discovery-using-nslookup)
|
|
|
|
|
|
<br/>
|
|
|
|
## Atomic Test #1 - System Network Configuration Discovery on Windows
|
|
Identify network configuration information
|
|
|
|
Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 970ab6a1-0157-4f3f-9a73-ec4166754b23
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
ipconfig /all
|
|
netsh interface show interface
|
|
arp -a
|
|
nbtstat -n
|
|
net config
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #2 - List Windows Firewall Rules
|
|
Enumerates Windows Firewall Rules using netsh.
|
|
|
|
Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 038263cb-00f4-4b0a-98ae-0696c67e1752
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
netsh advfirewall firewall show rule name=all
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #3 - System Network Configuration Discovery
|
|
Identify network configuration information.
|
|
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
|
|
|
|
**Supported Platforms:** macOS, Linux
|
|
|
|
|
|
**auto_generated_guid:** c141bbdb-7fca-4254-9fd6-f47e79447e17
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `sh`!
|
|
|
|
|
|
```sh
|
|
if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
|
|
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
|
|
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
|
|
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
|
|
if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Dependencies: Run with `sh`!
|
|
##### Description: Check if arp command exists on the machine
|
|
##### Check Prereq Commands:
|
|
```sh
|
|
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
|
|
```
|
|
##### Get Prereq Commands:
|
|
```sh
|
|
(which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)
|
|
```
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)
|
|
Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
|
|
|
|
Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** dafaf052-5508-402d-bf77-51e0700c02e2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
ipconfig /all
|
|
net config workstation
|
|
net view /all /domain
|
|
nltest /domain_trusts
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #5 - List Open Egress Ports
|
|
This is to test for what ports are open outbound. The technique used was taken from the following blog:
|
|
https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
|
|
|
|
Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 4b467538-f102-491d-ace7-ed487b853bf5
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| output_file | Path of file to write port scan results | path | $env:USERPROFILE\Desktop\open-ports.txt|
|
|
| portfile_url | URL to top-128.txt | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt|
|
|
| port_file | The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. | path | PathToAtomicsFolder\T1016\src\top-128.txt|
|
|
|
|
|
|
#### Attack Commands: Run with `powershell`!
|
|
|
|
|
|
```powershell
|
|
$ports = Get-content "#{port_file}"
|
|
$file = "#{output_file}"
|
|
$totalopen = 0
|
|
$totalports = 0
|
|
New-Item $file -Force
|
|
foreach ($port in $ports) {
|
|
$test = new-object system.Net.Sockets.TcpClient
|
|
$wait = $test.beginConnect("allports.exposed", $port, $null, $null)
|
|
$wait.asyncwaithandle.waitone(250, $false) | Out-Null
|
|
$totalports++ | Out-Null
|
|
if ($test.Connected) {
|
|
$result = "$port open"
|
|
Write-Host -ForegroundColor Green $result
|
|
$result | Out-File -Encoding ASCII -append $file
|
|
$totalopen++ | Out-Null
|
|
}
|
|
else {
|
|
$result = "$port closed"
|
|
Write-Host -ForegroundColor Red $result
|
|
$totalclosed++ | Out-Null
|
|
$result | Out-File -Encoding ASCII -append $file
|
|
}
|
|
}
|
|
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
|
|
$results | Out-File -Encoding ASCII -append $file
|
|
Write-Host $results
|
|
```
|
|
|
|
#### Cleanup Commands:
|
|
```powershell
|
|
Remove-Item -ErrorAction ignore "#{output_file}"
|
|
```
|
|
|
|
|
|
|
|
#### Dependencies: Run with `powershell`!
|
|
##### Description: Test requires #{port_file} to exist
|
|
##### Check Prereq Commands:
|
|
```powershell
|
|
if (Test-Path "#{port_file}") {exit 0} else {exit 1}
|
|
```
|
|
##### Get Prereq Commands:
|
|
```powershell
|
|
New-Item -Type Directory (split-path "#{port_file}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
|
|
```
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects
|
|
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
|
|
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 9bb45dd7-c466-4f93-83a1-be30e56033ee
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Dependencies: Run with `powershell`!
|
|
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
|
|
##### Check Prereq Commands:
|
|
```powershell
|
|
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
|
|
```
|
|
##### Get Prereq Commands:
|
|
```powershell
|
|
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
|
|
```
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #7 - Qakbot Recon
|
|
A list of commands known to be performed by Qakbot for recon purposes
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 121de5c6-5818-4868-b8a7-8fd07c455c1b
|
|
|
|
|
|
|
|
|
|
|
|
#### Inputs:
|
|
| Name | Description | Type | Default Value |
|
|
|------|-------------|------|---------------|
|
|
| recon_commands | File that houses list of commands to be executed | path | PathToAtomicsFolder\T1016\src\qakbot.bat|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
"#{recon_commands}"
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Dependencies: Run with `powershell`!
|
|
##### Description: File to copy must exist on disk at specified location (#{recon_commands})
|
|
##### Check Prereq Commands:
|
|
```powershell
|
|
if (Test-Path "#{recon_commands}") {exit 0} else {exit 1}
|
|
```
|
|
##### Get Prereq Commands:
|
|
```powershell
|
|
New-Item -Type Directory (split-path "#{recon_commands}") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/qakbot.bat" -OutFile "#{recon_commands}"
|
|
```
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #8 - List macOS Firewall Rules
|
|
"This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows.
|
|
|
|
Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user.
|
|
|
|
Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.
|
|
|
|
**Supported Platforms:** macOS
|
|
|
|
|
|
**auto_generated_guid:** ff1d8c25-2aa4-4f18-a425-fede4a41ee88
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
|
|
|
|
|
|
```bash
|
|
sudo defaults read /Library/Preferences/com.apple.alf
|
|
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|
|
<br/>
|
|
|
|
## Atomic Test #9 - DNS Server Discovery Using nslookup
|
|
Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by qakbot malware to gather information on the domain
|
|
controller of the targeted or compromised host. reference https://securelist.com/qakbot-technical-analysis/103931/
|
|
|
|
**Supported Platforms:** Windows
|
|
|
|
|
|
**auto_generated_guid:** 34557863-344a-468f-808b-a1bfb89b4fa9
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### Attack Commands: Run with `command_prompt`!
|
|
|
|
|
|
```cmd
|
|
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<br/>
|