Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-
Atomic Test #1 - System Network Configuration Discovery on Windows
-
Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)
-
Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects
Identify network configuration information
Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
Supported Platforms: Windows
ipconfig /all
netsh interface show interface
arp -a
nbtstat -n
net config
Enumerates Windows Firewall Rules using netsh.
Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
Supported Platforms: Windows
netsh advfirewall firewall show rule name=all
Identify network configuration information.
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
Supported Platforms: macOS, Linux
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;
Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
Upon successful execution, cmd.exe will spawn ipconfig /all
, net config workstation
, net view /all /domain
, nltest /domain_trusts
. Output will be via stdout.
Supported Platforms: Windows
ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts
This is to test for what ports are open outbound. The technique used was taken from the following blog: https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
output_file | Path of file to write port scan results | Path | $env:USERPROFILE\Desktop\open-ports.txt |
portfile_url | URL to top-128.txt | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt |
port_file | The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. | Path | PathToAtomicsFolder\T1016\src\top-128.txt |
$ports = Get-content #{port_file}
$file = "#{output_file}"
$totalopen = 0
$totalports = 0
New-Item $file -Force
foreach ($port in $ports) {
$test = new-object system.Net.Sockets.TcpClient
$wait = $test.beginConnect("allports.exposed", $port, $null, $null)
$wait.asyncwaithandle.waitone(250, $false) | Out-Null
$totalports++ | Out-Null
if ($test.Connected) {
$result = "$port open"
Write-Host -ForegroundColor Green $result
$result | Out-File -Encoding ASCII -append $file
$totalopen++ | Out-Null
}
else {
$result = "$port closed"
Write-Host -ForegroundColor Red $result
$totalclosed++ | Out-Null
$result | Out-File -Encoding ASCII -append $file
}
}
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
$results | Out-File -Encoding ASCII -append $file
Write-Host $results
Remove-Item -ErrorAction ignore "#{output_file}"
if (Test-Path "#{port_file}") {exit 0} else {exit 1}
New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe |
#{adfind_path} -f (objectcategory=subnet)
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
A list of commands known to be performed by Qakbot for recon purposes
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
recon_commands | File that houses list of commands to be executed | Path | PathToAtomicsFolder\T1016\src\qakbot.bat |
#{recon_commands}