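# Atomic test definitions for ATT&CK technique T1049 (System Network Connections Discovery).
# Every executor below only enumerates sockets/sessions and prints to stdout; the tests are
# meant to generate the host telemetry a detection for this technique should pick up.
attack_technique: T1049
display_name: System Network Connections Discovery
atomic_tests:
- name: System Network Connections Discovery
  auto_generated_guid: 0940a971-809a-48f1-9c4d-b1d785e96ee5
  description: |
    Get a listing of network connections.

    Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. `net sessions` requires
    elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
  supported_platforms:
  - windows
  executor:
    # NOTE(review): the description says `net sessions` requires elevated privileges, but this
    # executor does not declare elevation_required — confirm whether it should.
    command: |
      netstat -ano
      net use
      net sessions 2>nul
    name: command_prompt

- name: System Network Connections Discovery with PowerShell
  auto_generated_guid: f069f0f1-baad-4831-aa2b-eddac4baac4a
  description: |
    Get a listing of network connections.
    Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      Get-NetTCPConnection
    name: powershell

- name: System Network Connections Discovery via PowerShell (Process Mapping)
  auto_generated_guid: b52c8233-8f71-4bd7-9928-49fec8215cf5
  description: |
    Enumerate TCP connections and map to owning process names via PowerShell.
  supported_platforms:
  - windows
  executor:
    name: powershell
    # Get-Process is called with -ErrorAction SilentlyContinue, so a connection whose owning
    # process cannot be resolved is still listed, with Process set to $null.
    command: |
      Get-NetTCPConnection | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
          Local = "$($_.LocalAddress):$($_.LocalPort)"
          Remote = "$($_.RemoteAddress):$($_.RemotePort)"
          State = $_.State
          PID = $_.OwningProcess
          Process = if ($p) { $p.ProcessName } else { $null }
        }
      } | Sort-Object State,Process | Format-Table -AutoSize

- name: System Network Connections Discovery via ss or lsof (Linux/MacOS)
  auto_generated_guid: bcf05343-ef1d-4052-8a27-b00c9be42b9f
  description: |
    List active TCP/UDP network connections using ss, with lsof as a fallback
    when ss is unavailable. Serves as an alternative to the netstat-based test.
  supported_platforms:
  - linux
  - macos
  executor:
    name: bash
    # Every branch ends in `|| true`, so the command exits 0 even when neither tool produces output.
    command: |
      if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi

- name: System Network Connections Discovery FreeBSD, Linux & MacOS
  auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
  description: |
    Get a listing of network connections.

    Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
  # NOTE(review): the test name mentions FreeBSD, but supported_platforms lists only linux and
  # macos — confirm the intended platform set against the schema's allowed values.
  supported_platforms:
  - linux
  - macos
  dependency_executor_name: sh
  dependencies:
  - description: |
      Check if netstat command exists on the machine
    prereq_command: |
      if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      echo "Install netstat on the machine."; exit 1;
  executor:
    command: |
      netstat
      who -a
    name: sh

- name: System Network Connections Discovery via sockstat (Linux, FreeBSD)
  auto_generated_guid: 997bb0a6-421e-40c7-b5d2-0f493904ef9b
  description: |
    Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
  # NOTE(review): the name and description mention FreeBSD, but supported_platforms lists
  # only linux — confirm the intended platform set against the schema's allowed values.
  supported_platforms:
  - linux
  executor:
    name: sh
    # Only the IPv4 listing is allowed to fail the test; the IPv6 and listening-socket
    # listings are best-effort (`|| true`).
    command: |
      sockstat -4
      sockstat -6 2>/dev/null || true
      sockstat -l 2>/dev/null || true

- name: System Discovery using SharpView
  auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9
  description: |
    Get a listing of network connections, domains, domain users, and etc.
    sharpview.exe located in the bin folder, an opensource red-team tool.
    Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results will output via stdout.
  supported_platforms:
  - windows
  input_arguments:
    SharpView_url:
      description: sharpview download URL
      type: url
      # The default is pinned to a specific upstream commit rather than a branch name.
      default: https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true
    SharpView:
      description: Path of the executable opensource redteam tool used for the performing this atomic.
      type: path
      default: PathToAtomicsFolder\..\ExternalPayloads\SharpView.exe
    syntax:
      description: Arguments method used along with SharpView to get listing of network connections, domains, domain users, and etc.
      type: string
      # The block scalar is substituted verbatim into `$syntaxList = #{syntax}` in the executor,
      # so the value must remain a valid PowerShell array literal.
      default: |
        "Invoke-ACLScanner", "Invoke-Kerberoast", "Find-DomainShare"
  dependency_executor_name: powershell
  # The get_prereq_command below downloads the binary from #{SharpView_url} to #{SharpView} with
  # Invoke-WebRequest and performs no hash or signature check on the file it wrote; verify the
  # downloaded executable before relying on it.
  dependencies:
  - description: |
      Sharpview.exe must exist on disk at specified location (#{SharpView})
    prereq_command: |
      if (Test-Path "#{SharpView}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "#{SharpView}") -ErrorAction ignore | Out-Null
      Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}"
  executor:
    name: powershell
    elevation_required: true
    # NOTE(review): the last line of this command reads `#{SharpView} $syntax -}`; confirm that
    # the trailing `-}` is the intended way to close the foreach block.
    command: |
      $syntaxList = #{syntax}
      foreach ($syntax in $syntaxList) {
      #{SharpView} $syntax -}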