security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
a0d3b4bd233c2f2f475f17199f9f4d1b1670ea1e
sigma-rules/rta/enum_commands.py
T
Ross Wolf a0d3b4bd23 Populate RTA directory. 
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Daniel Stepanic <57736958+dstepanic17@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Joe Desimone <56411054+joe-desimone@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-06-29 23:07:18 -06:00

74 lines
2.2 KiB
Python
Raw Blame History

# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License;
# you may not use this file except in compliance with the Elastic License.
# Name: Common Enumeration Commands
# RTA: enum_commands.py
# ATT&CK: T1007, T1016, T1018, T1035, T1049, T1057, T1063, T1069, T1077, T1082, T1087, T1124, T1135
# Description: Executes a list of administration tools commonly used by attackers for enumeration.
import argparse
import random
from . import common
@common.requires_os(common.WINDOWS)
def main(args=None):
slow_commands = [
"gpresult.exe /z",
"systeminfo.exe"
]
commands = [
"ipconfig /all",
"net localgroup administrators",
"net user",
"net user administrator",
"net user /domain"
"tasklist",
"net view",
"net view /domain",
"net view \\\\%s" % common.get_ip(),
"netstat -nao",
"whoami",
"hostname",
"net start",
"tasklist /svc",
"net time \\\\%s" % common.get_ip(),
"net use",
"net view",
"net start",
"net accounts",
"net localgroup",
"net group",
"net group \"Domain Admins\" /domain",
"net share",
"net config workstation",
]
commands.extend(slow_commands)
parser = argparse.ArgumentParser()
parser.add_argument('-s', '--sample', dest="sample", default=len(commands), type=int,
help="Number of commands to run, choosen at random from the list of enumeration commands")
args = parser.parse_args(args)
sample = min(len(commands), args.sample)
if sample < len(commands):
random.shuffle(commands)
common.log("Running {} out of {} enumeration commands\n".format(sample, len(commands)))
for command in commands[0:sample]:
common.log("About to call {}".format(command))
if command in slow_commands:
common.execute(command, kill=True, timeout=15)
common.log("[output surpressed]", log_type='-')
else:
common.execute(command)
if __name__ == "__main__":
exit(main())
Reference in New Issue View Git Blame Copy Permalink