attack_technique: T1040
display_name: Network Sniffing
atomic_tests:
- name: Packet Capture Linux using tshark or tcpdump
  auto_generated_guid: 7fe741f7-b265-4951-a7c7-320889083b3e
  description: |
    Perform a PCAP. Wireshark will be required for tshark. tcpdump may already be installed.
    Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
  supported_platforms:
  - linux
  input_arguments:
    interface:
      description: Specify interface to perform PCAP on.
      type: string
      default: ens33
  dependency_executor_name: bash
  dependencies:
  - description: |
      Check if at least one of tcpdump or tshark is installed.
    prereq_command: |
      if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
    get_prereq_command: |
      (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
  executor:
    command: |
      tcpdump -c 5 -nnni #{interface}
      tshark -c 5 -i #{interface}
    name: bash
    elevation_required: true
- name: Packet Capture FreeBSD using tshark or tcpdump
  auto_generated_guid: c93f2492-9ebe-44b5-8b45-36574cccfe67
  description: |
    Perform a PCAP. Wireshark will be required for tshark. tcpdump may already be installed.
    Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface em0.
  supported_platforms:
  - linux
  input_arguments:
    interface:
      description: Specify interface to perform PCAP on.
      type: string
      default: em0
  dependency_executor_name: sh
  dependencies:
  - description: |
      Check if at least one of tcpdump or tshark is installed.
    prereq_command: |
      if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
    get_prereq_command: |
      (which pkg && pkg install -y wireshark-nox11)
  executor:
    command: |
      tcpdump -c 5 -nnni #{interface}
      tshark -c 5 -i #{interface}
    name: sh
    elevation_required: true
- name: Packet Capture macOS using tcpdump or tshark
  auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608
  description: |
    Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. tcpdump may already be installed.
    Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0.
  supported_platforms:
  - macos
  input_arguments:
    interface:
      description: Specify interface to perform PCAP on.
      type: string
      default: en0
  dependency_executor_name: bash
  dependencies:
  - description: |
      Check if at least one of tcpdump or tshark is installed.
    prereq_command: |
      if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
    get_prereq_command: |
      (which brew && brew install wireshark)
  executor:
    command: |
      sudo tcpdump -c 5 -nnni #{interface}
      if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi;
    name: bash
    elevation_required: true
- name: Packet Capture Windows Command Prompt
  auto_generated_guid: a5b2f6a0-24b4-493e-9590-c699f75723ca
  description: |
    Perform a packet capture using the Windows command prompt. This will require a host that has Wireshark/tshark
    installed.
    Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet".
  supported_platforms:
  - windows
  input_arguments:
    interface:
      description: Specify interface to perform PCAP on.
      type: string
      default: Ethernet
    wireshark_url:
      description: Wireshark installer download URL
      type: url
      default: https://1.eu.dl.wireshark.org/win64/Wireshark-latest-x64.exe
    tshark_path:
      description: path to tshark.exe
      type: path
      default: c:\program files\wireshark\tshark.exe
    npcap_url:
      description: Npcap installer download URL
      type: url
      default: https://nmap.org/npcap/dist/npcap-1.31.exe
    npcap_path:
      description: path to npcap.sys
      type: path
      default: C:\Program Files\Npcap\npcap.sys
  dependency_executor_name: powershell
  dependencies:
  - description: |
      tshark must be installed at #{tshark_path} (default "c:\Program Files\Wireshark\tshark.exe").
    prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\wireshark_installer.exe" #{wireshark_url}
      Start-Process "PathToAtomicsFolder\..\ExternalPayloads\wireshark_installer.exe" /S
  - description: |
      Npcap must be installed (tshark needs it to open the interface).
    prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\npcap_installer.exe" #{npcap_url}
      Start-Process "PathToAtomicsFolder\..\ExternalPayloads\npcap_installer.exe"
  executor:
    command: |
      "#{tshark_path}" -i #{interface} -c 5
    name: command_prompt
    elevation_required: true
- name: Windows Internal Packet Capture
  auto_generated_guid: b5656f67-d67f-4de8-8e62-b5581630f528
  description: |-
    Uses the built-in Windows packet capture (netsh trace).
    trace.etl is written to the temp directory while the trace runs; the matching trace.cab is produced when the cleanup command stops the trace.
  supported_platforms:
  - windows
  executor:
    command: netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10
    cleanup_command: |-
      netsh trace stop >nul 2>&1
      TIMEOUT /T 5 >nul 2>&1
      del %temp%\trace.etl >nul 2>&1
      del %temp%\trace.cab >nul 2>&1
    name: command_prompt
    elevation_required: true
- name: Windows Internal pktmon capture
  auto_generated_guid: c67ba807-f48b-446e-b955-e4928cd1bf91
  description: |-
    Starts a pktmon packet capture for 5 seconds and stores the log file as t1040.etl.
    https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
  supported_platforms:
  - windows
  executor:
    command: |
      pktmon.exe start --etw -f %TEMP%\t1040.etl
      TIMEOUT /T 5 >nul 2>&1
      pktmon.exe stop
    cleanup_command: |-
      del %TEMP%\t1040.etl
    name: command_prompt
    elevation_required: true
- name: Windows Internal pktmon set filter
  auto_generated_guid: 855fb8b4-b8ab-4785-ae77-09f5df7bff55
  description: |-
    Adds a pktmon filter for port 445 so that a subsequent pktmon capture only records traffic on that port.
    https://lolbas-project.github.io/lolbas/Binaries/Pktmon/
  supported_platforms:
  - windows
  executor:
    command: |
      pktmon.exe filter add -p 445
    cleanup_command: |-
      pktmon filter remove
    name: command_prompt
    elevation_required: true
- name: Packet Capture macOS using /dev/bpfN with sudo
  auto_generated_guid: e6fe5095-545d-4c8b-a0ae-e863914be3aa
  description: |
    Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
  supported_platforms:
  - macos
  input_arguments:
    ifname:
      description: Specify interface to perform PCAP on.
      type: string
      default: en0
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      default: /tmp/t1040_macos_pcapdemo
  dependency_executor_name: bash
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    command: |
      sudo #{program_path} -i #{ifname} -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: bash
    elevation_required: true
- name: Filtered Packet Capture macOS using /dev/bpfN with sudo
  auto_generated_guid: e2480aee-23f3-4f34-80ce-de221e27cd19
  description: |
    Opens a /dev/bpf file (O_RDONLY), sets a BPF filter for 'udp' and captures packets for a few seconds.
  supported_platforms:
  - macos
  input_arguments:
    ifname:
      description: Specify interface to perform PCAP on.
      type: string
      default: en0
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      default: /tmp/t1040_macos_pcapdemo
  dependency_executor_name: bash
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    command: |
      sudo #{program_path} -f -i #{ifname} -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: bash
    elevation_required: true
- name: Packet Capture FreeBSD using /dev/bpfN with sudo
  auto_generated_guid: e2028771-1bfb-48f5-b5e6-e50ee0942a14
  description: |
    Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
  supported_platforms:
  - linux
  input_arguments:
    ifname:
      description: Specify interface to perform PCAP on.
      type: string
      default: em0
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      default: /tmp/t1040_freebsd_pcapdemo
  dependency_executor_name: sh
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    command: |
      sudo #{program_path} -i #{ifname} -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: sh
    elevation_required: true
- name: Filtered Packet Capture FreeBSD using /dev/bpfN with sudo
  auto_generated_guid: a3a0d4c9-c068-4563-a08d-583bd05b884c
  description: |
    Opens a /dev/bpf file (O_RDONLY), sets a BPF filter for 'udp' and captures packets for a few seconds.
  supported_platforms:
  - linux
  input_arguments:
    ifname:
      description: Specify interface to perform PCAP on.
      type: string
      default: em0
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/freebsd_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      default: /tmp/t1040_freebsd_pcapdemo
  dependency_executor_name: sh
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    command: |
      sudo #{program_path} -f -i #{ifname} -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: sh
    elevation_required: true
- name: Packet Capture Linux socket AF_PACKET,SOCK_RAW with sudo
  auto_generated_guid: 10c710c9-9104-4d5f-8829-5b65391e2a29
  description: |
    Captures packets with domain=AF_PACKET, type=SOCK_RAW for a few seconds.
  supported_platforms:
  - linux
  input_arguments:
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      default: /tmp/t1040_linux_pcapdemo
  dependency_executor_name: bash
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    command: |
      sudo #{program_path} -a -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: bash
    elevation_required: true
- name: Packet Capture Linux socket AF_INET,SOCK_RAW,TCP with sudo
  auto_generated_guid: 7a0895f0-84c1-4adf-8491-a21510b1d4c1
  description: |
    Captures packets with domain=AF_INET, type=SOCK_RAW, protocol=TCP for a few seconds.
  supported_platforms:
  - linux
  input_arguments:
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      default: /tmp/t1040_linux_pcapdemo
  dependency_executor_name: bash
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    command: |
      sudo #{program_path} -4 -p 6 -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: bash
    elevation_required: true
- name: Packet Capture Linux socket AF_INET,SOCK_PACKET,UDP with sudo
  auto_generated_guid: 515575ab-d213-42b1-aa64-ef6a2dd4641b
  description: |
    Captures packets with domain=AF_INET, type=SOCK_PACKET, protocol=UDP for a few seconds.
    SOCK_PACKET is "obsolete" according to the man page, but it still works on Ubuntu 20.04.
  supported_platforms:
  - linux
  input_arguments:
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      default: /tmp/t1040_linux_pcapdemo
  dependency_executor_name: bash
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    command: |
      sudo #{program_path} -4 -P -p 17 -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: bash
    elevation_required: true
- name: Packet Capture Linux socket AF_PACKET,SOCK_RAW with BPF filter for UDP with sudo
  auto_generated_guid: b1cbdf8b-6078-48f5-a890-11ea19d7f8e9
  description: |
    Captures packets with domain=AF_PACKET, type=SOCK_RAW for a few seconds.
    Sets a BPF filter on the socket to filter for UDP traffic.
  supported_platforms:
  - linux
  input_arguments:
    csource_path:
      description: Path to C program source
      type: string
      default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
    program_path:
      description: Path to compiled C program
      type: string
      default: /tmp/t1040_linux_pcapdemo
  dependency_executor_name: bash
  dependencies:
  - description: |
      compile C program
    prereq_command: |
      if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
    get_prereq_command: |
      cc #{csource_path} -o #{program_path}
  executor:
    command: |
      sudo #{program_path} -a -f -t 3
    cleanup_command: |
      rm -f #{program_path}
    name: bash
    elevation_required: true
- name: PowerShell Network Sniffing
  auto_generated_guid: 9c15a7de-de14-46c3-bc2a-6d94130986ae
  description: |-
    Uses the built-in NetEventPacketCapture PowerShell cmdlets to capture network traffic into an ETL file for 5 seconds.
    https://learn.microsoft.com/en-us/powershell/module/neteventpacketcapture/new-neteventsession?view=windowsserver2022-ps
  supported_platforms:
  - windows
  executor:
    command: |
      New-NetEventSession -Name Capture007 -LocalFilePath "$ENV:Temp\sniff.etl"
      Add-NetEventPacketCaptureProvider -SessionName Capture007 -TruncationLength 100
      Start-NetEventSession -Name Capture007
      Start-Sleep -Seconds 5
      Stop-NetEventSession -Name Capture007
      Remove-NetEventSession -Name Capture007
    cleanup_command: |-
      del $ENV:Temp\sniff.etl
    name: powershell
    elevation_required: true