62a85c12b5
* freebsd changes * renaming freebsd to linux
# Atomic test definitions for ATT&CK technique T1049 (System Network
# Connections Discovery). Each entry under atomic_tests is one runnable test,
# identified by its auto_generated_guid.
attack_technique: T1049
display_name: System Network Connections Discovery
atomic_tests:
# Windows / cmd.exe: runs three built-in enumeration commands and prints
# their output to stdout. No input arguments and no dependencies.
# Detection: process-creation telemetry (e.g. Security 4688 or Sysmon 1) for
# netstat.exe and for net.exe/net1.exe with `use` or `sessions` arguments
# spawned from cmd.exe.
# NOTE(review): `net sessions` normally needs an elevated prompt, but the
# executor does not set elevation_required; confirm whether an access-denied
# result for that command is acceptable for this test.
- name: System Network Connections Discovery
  auto_generated_guid: 0940a971-809a-48f1-9c4d-b1d785e96ee5
  description: |
    Get a listing of network connections.

    Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      netstat
      net use
      net sessions
    name: command_prompt
# Windows / PowerShell: lists TCP connections with a single cmdlet.
# Detection: the cmdlet runs inside the PowerShell host and spawns no child
# process, so process-creation rules only see powershell.exe itself. Coverage
# depends on PowerShell script block logging (event 4104) or module logging
# being enabled on the host.
- name: System Network Connections Discovery with PowerShell
  auto_generated_guid: f069f0f1-baad-4831-aa2b-eddac4baac4a
  description: |
    Get a listing of network connections.

    Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      Get-NetTCPConnection
    name: powershell
# Unix / sh: runs `netstat` and `who -a` and prints their output to stdout.
# NOTE(review): the test name still mentions FreeBSD, but supported_platforms
# lists only linux and macos; confirm which is intended.
# Detection: exec auditing (auditd execve rules or EDR process events) for
# netstat and who launched from sh. Hosts without net-tools will fail the
# prerequisite, so a rule keyed only on netstat may never fire there.
- name: System Network Connections Discovery FreeBSD, Linux & MacOS
  auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
  description: |
    Get a listing of network connections.

    Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
  supported_platforms:
  - linux
  - macos
  dependency_executor_name: sh
  dependencies:
  # Only netstat is checked; `who` is not verified before the test runs.
  - description: |
      Check if netstat command exists on the machine
    prereq_command: |
      if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi;
    # Does not install anything: it prints a hint and exits non-zero, so the
    # operator must install netstat manually.
    get_prereq_command: |
      echo "Install netstat on the machine."; exit 1;
  executor:
    command: |
      netstat
      who -a
    name: sh
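# Windows / PowerShell (elevated): runs a third-party SharpView.exe once per
# method listed in the `syntax` argument and prints the output to stdout.
# Description fixes in this block: the executor is powershell (not cmd.exe),
# the default binary location is ExternalPayloads (not a "bin" folder), and
# typos in the argument descriptions are corrected. Commands are unchanged.
# NOTE(review): the default methods (ACL scanning, Kerberoast, share finding)
# reach beyond network-connection discovery, so telemetry from this test also
# exercises detections outside T1049 (e.g. Kerberos service-ticket requests,
# LDAP enumeration against a domain controller).
# Detection: process creation for SharpView.exe with a method name on the
# command line, launched from an elevated powershell.exe; Invoke-WebRequest
# download activity when the prerequisite is fetched.
- name: System Discovery using SharpView
  auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9
  description: |
    Get a listing of network connections, domains, domain users, etc.
    SharpView.exe, an open-source red-team tool, is expected at the path given by the SharpView input argument (the ExternalPayloads folder by default).
    Upon successful execution, powershell.exe will execute sharpview.exe <method>. Results will output via stdout.
  supported_platforms:
  - windows
  input_arguments:
    SharpView_url:
      description: sharpview download URL
      type: url
      # Pinned to a specific commit, so the fetched path does not move with
      # the upstream branch.
      default: https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true
    SharpView:
      description: Path of the open-source red-team executable used to perform this atomic.
      type: path
      default: PathToAtomicsFolder\..\ExternalPayloads\SharpView.exe
    syntax:
      description: Arguments (SharpView methods) passed to SharpView to get a listing of network connections, domains, domain users, etc.
      type: string
      # Substituted verbatim into the executor as a PowerShell array literal.
      default: |
        "Invoke-ACLScanner", "Invoke-Kerberoast", "Find-DomainShare"
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Sharpview.exe must exist on disk at specified location (#{SharpView})
    prereq_command: |
      if (Test-Path "#{SharpView}") {exit 0} else {exit 1}
    # NOTE(review): the downloaded binary is never checked against a known
    # hash before it is run elevated. Consider comparing Get-FileHash output
    # with a pinned SHA-256 and failing the prerequisite on mismatch.
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{SharpView}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}"
  executor:
    name: powershell
    elevation_required: true
    # NOTE(review): the trailing `-` before the closing brace looks
    # unintended; confirm against the tool's expected arguments. The
    # SharpView path is also unquoted, so a path containing spaces would not
    # resolve as written.
    command: |
      $syntaxList = #{syntax}
      foreach ($syntax in $syntaxList) {
      #{SharpView} $syntax -}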