security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1082/T1082.yaml
T
Carrie Roberts 1bfefdacfc Add elevated (#542) 
* provide elevation_required attribute

* provide elevation_required attribute

* provide elevation_required attribute
2019-09-03 07:34:42 -06:00

85 lines
2.2 KiB
YAML
Raw Blame History

---
attack_technique: T1082
display_name: System Information Discovery
atomic_tests:
- name: System Information Discovery
description: |
Identify System Info
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
- name: System Information Discovery
description: |
Identify System Info
supported_platforms:
- linux
- macos
executor:
name: sh
command: |
systemsetup
system_profiler
ls -al /Applications
- name: List OS Information
description: |
Identify System Info
supported_platforms:
- linux
- macos
executor:
name: sh
command: |
uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
uptime >> /tmp/loot.txt
cat /etc/issue >> /tmp/loot.txt
- name: Linux VM Check via Hardware
description: |
Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
supported_platforms:
- linux
executor:
name: bash
command: |
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"
cat /proc/scsi/scsi | grep -i "vmware\|vbox"
cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"
sudo lspci | grep -i "vmware\|virtualbox"
sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
- name: Linux VM Check via Kernel Modules
description: |
Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.
supported_platforms:
- linux
executor:
name: bash
command: |
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
Reference in New Issue View Git Blame Copy Permalink