Skip to content

Latest commit

 

History

History
416 lines (215 loc) · 10.4 KB

T1018.md

File metadata and controls

416 lines (215 loc) · 10.4 KB
Raw

T1018 - Remote System Discovery

Description from ATT&CK

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems.

Specific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.

Atomic Tests


Atomic Test #1 - Remote System Discovery - net

Identify remote systems with net.exe.

Upon successful execution, cmd.exe will execute net.exe view and display results of local systems on the network that have file and print sharing enabled.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

net view /domain
net view


Atomic Test #2 - Remote System Discovery - net group Domain Computers

Identify remote systems with net.exe querying the Active Directory Domain Computers group.

Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

net group "Domain Computers" /domain


Atomic Test #3 - Remote System Discovery - nltest

Identify domain controllers for specified domain.

Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
target_domain Domain to query for domain controllers String domain.local

Attack Commands: Run with command_prompt!

nltest.exe /dclist:#{target_domain}


Atomic Test #4 - Remote System Discovery - ping sweep

Identify remote systems via ping sweep.

Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i


Atomic Test #5 - Remote System Discovery - arp

Identify remote systems via arp.

Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

arp -a


Atomic Test #6 - Remote System Discovery - arp nix

Identify remote systems via arp.

Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.

Supported Platforms: Linux, macOS

Attack Commands: Run with sh!

arp -a | grep -v '^?'

Dependencies: Run with sh!

Description: Check if arp command exists on the machine
Check Prereq Commands:
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
Get Prereq Commands:
echo "Install arp on the machine."; exit 1;


Atomic Test #7 - Remote System Discovery - sweep

Identify remote systems via ping sweep.

Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.

Supported Platforms: Linux, macOS

Inputs:

Name Description Type Default Value
start_host Subnet used for ping sweep. string 1
stop_host Subnet used for ping sweep. string 254
subnet Subnet used for ping sweep. string 192.168.1

Attack Commands: Run with sh!

for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done


Atomic Test #8 - Remote System Discovery - nslookup

Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.

Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}


Atomic Test #9 - Remote System Discovery - adidnsdump

This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will list dns zones in the terminal.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
user_name username including domain. string domain\user
acct_pass Account password. string password
host_name hostname or ip address to connect to. string 192.168.1.1

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}

Dependencies: Run with powershell!

Description: Computer must have python 3 installed
Check Prereq Commands:
if (python --version) {exit 0} else {exit 1}
Get Prereq Commands:
echo "Python 3 must be installed manually"
Description: Computer must have pip installed
Check Prereq Commands:
if (pip3 -V) {exit 0} else {exit 1}
Get Prereq Commands:
echo "PIP must be installed manually"
Description: adidnsdump must be installed and part of PATH
Check Prereq Commands:
if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
Get Prereq Commands:
pip3 install adidnsdump


Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects

Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
adfind_path Path to the AdFind executable Path PathToAtomicsFolder\T1087.002\src\AdFind.exe

Attack Commands: Run with command_prompt!

#{adfind_path} -f (objectcategory=computer)

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
Check Prereq Commands:
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}


Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects

Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
adfind_path Path to the AdFind executable Path PathToAtomicsFolder\T1087.002\src\AdFind.exe

Attack Commands: Run with command_prompt!

#{adfind_path} -sc dclist

Dependencies: Run with powershell!

Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
Check Prereq Commands:
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}