T1018 Test for DC discovery with nltest (#678)

* T1018 Discover DCs with nltest * Generate docs from job=validate_atomics_generate_docs branch=t1018-nltest-dclist
2019-11-20 16:34:54 -06:00
parent 713215eaf7
commit 4c3e2c3d83
7 changed files with 83 additions and 22 deletions
@@ -23,15 +23,17 @@ In cloud environments, the above techniques may be used to discover remote syste

 - [Atomic Test #1 - Remote System Discovery - net](#atomic-test-1---remote-system-discovery---net)

- [Atomic Test #2 - Remote System Discovery - ping sweep](#atomic-test-2---remote-system-discovery---ping-sweep)
+- [Atomic Test #2 - Remote System Discovery - nltest](#atomic-test-2---remote-system-discovery---nltest)

- [Atomic Test #3 - Remote System Discovery - arp](#atomic-test-3---remote-system-discovery---arp)
+- [Atomic Test #3 - Remote System Discovery - ping sweep](#atomic-test-3---remote-system-discovery---ping-sweep)

- [Atomic Test #4 - Remote System Discovery - arp nix](#atomic-test-4---remote-system-discovery---arp-nix)
+- [Atomic Test #4 - Remote System Discovery - arp](#atomic-test-4---remote-system-discovery---arp)

- [Atomic Test #5 - Remote System Discovery - sweep](#atomic-test-5---remote-system-discovery---sweep)
+- [Atomic Test #5 - Remote System Discovery - arp nix](#atomic-test-5---remote-system-discovery---arp-nix)

- [Atomic Test #6 - Remote System Discovery - nslookup](#atomic-test-6---remote-system-discovery---nslookup)
+- [Atomic Test #6 - Remote System Discovery - sweep](#atomic-test-6---remote-system-discovery---sweep)
+
+- [Atomic Test #7 - Remote System Discovery - nslookup](#atomic-test-7---remote-system-discovery---nslookup)


 <br/>
@@ -53,7 +55,28 @@ net view
 <br/>
 <br/>

-## Atomic Test #2 - Remote System Discovery - ping sweep
+## Atomic Test #2 - Remote System Discovery - nltest
+Identify domain controllers for specified domain.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| target_domain | Domain to query for domain controllers | String | domain.local|
+
+#### Run it with `command_prompt`! 
+```
+nltest.exe /dclist:#{target_domain}
+```
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Remote System Discovery - ping sweep
 Identify remote systems via ping sweep

 **Supported Platforms:** Windows
@@ -69,7 +92,7 @@ for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
 <br/>
 <br/>

-## Atomic Test #3 - Remote System Discovery - arp
+## Atomic Test #4 - Remote System Discovery - arp
 Identify remote systems via arp

 **Supported Platforms:** Windows
@@ -85,7 +108,7 @@ arp -a
 <br/>
 <br/>

-## Atomic Test #4 - Remote System Discovery - arp nix
+## Atomic Test #5 - Remote System Discovery - arp nix
 Identify remote systems via arp

 **Supported Platforms:** Linux, macOS
@@ -101,7 +124,7 @@ arp -a | grep -v '^?'
 <br/>
 <br/>

-## Atomic Test #5 - Remote System Discovery - sweep
+## Atomic Test #6 - Remote System Discovery - sweep
 Identify remote systems via ping sweep

 **Supported Platforms:** Linux, macOS
@@ -117,7 +140,7 @@ for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.16
 <br/>
 <br/>

-## Atomic Test #6 - Remote System Discovery - nslookup
+## Atomic Test #7 - Remote System Discovery - nslookup
 Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig

 **Supported Platforms:** Windows
@@ -17,6 +17,25 @@ atomic_tests:
      net view /domain
      net view

+- name: Remote System Discovery - nltest
+  description: |
+    Identify domain controllers for specified domain.
+
+  supported_platforms:
+    - windows
+
+  input_arguments:
+    target_domain:
+      description: Domain to query for domain controllers
+      type: String
+      default: domain.local
+
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      nltest.exe /dclist:#{target_domain}
+
 - name: Remote System Discovery - ping sweep
  description: |
    Identify remote systems via ping sweep
@@ -580,11 +580,12 @@
  - Atomic Test #1: Query Registry [windows]
 - [T1018 Remote System Discovery](./T1018/T1018.md)
  - Atomic Test #1: Remote System Discovery - net [windows]
-  - Atomic Test #2: Remote System Discovery - ping sweep [windows]
-  - Atomic Test #3: Remote System Discovery - arp [windows]
-  - Atomic Test #4: Remote System Discovery - arp nix [linux, macos]
-  - Atomic Test #5: Remote System Discovery - sweep [linux, macos]
-  - Atomic Test #6: Remote System Discovery - nslookup [windows]
+  - Atomic Test #2: Remote System Discovery - nltest [windows]
+  - Atomic Test #3: Remote System Discovery - ping sweep [windows]
+  - Atomic Test #4: Remote System Discovery - arp [windows]
+  - Atomic Test #5: Remote System Discovery - arp nix [linux, macos]
+  - Atomic Test #6: Remote System Discovery - sweep [linux, macos]
+  - Atomic Test #7: Remote System Discovery - nslookup [windows]
 - [T1063 Security Software Discovery](./T1063/T1063.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -16893,6 +16893,23 @@ discovery:
        command: |
          net view /domain
          net view
+    - name: Remote System Discovery - nltest
+      description: 'Identify domain controllers for specified domain.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        target_domain:
+          description: Domain to query for domain controllers
+          type: String
+          default: domain.local
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: 'nltest.exe /dclist:#{target_domain}
+
+'
    - name: Remote System Discovery - ping sweep
      description: 'Identify remote systems via ping sweep

@@ -94,8 +94,8 @@
 - [T1057 Process Discovery](./T1057/T1057.md)
  - Atomic Test #1: Process Discovery - ps [macos, centos, ubuntu, linux]
 - [T1018 Remote System Discovery](./T1018/T1018.md)
-  - Atomic Test #4: Remote System Discovery - arp nix [linux, macos]
-  - Atomic Test #5: Remote System Discovery - sweep [linux, macos]
+  - Atomic Test #5: Remote System Discovery - arp nix [linux, macos]
+  - Atomic Test #6: Remote System Discovery - sweep [linux, macos]
 - [T1518 Software Discovery](./T1518/T1518.md)
 - [T1082 System Information Discovery](./T1082/T1082.md)
  - Atomic Test #2: System Information Discovery [linux, macos]
@@ -106,8 +106,8 @@
 - [T1057 Process Discovery](./T1057/T1057.md)
  - Atomic Test #1: Process Discovery - ps [macos, centos, ubuntu, linux]
 - [T1018 Remote System Discovery](./T1018/T1018.md)
-  - Atomic Test #4: Remote System Discovery - arp nix [linux, macos]
-  - Atomic Test #5: Remote System Discovery - sweep [linux, macos]
+  - Atomic Test #5: Remote System Discovery - arp nix [linux, macos]
+  - Atomic Test #6: Remote System Discovery - sweep [linux, macos]
 - [T1063 Security Software Discovery](./T1063/T1063.md)
  - Atomic Test #3: Security Software Discovery - ps [linux, macos]
 - [T1518 Software Discovery](./T1518/T1518.md)
@@ -408,9 +408,10 @@
  - Atomic Test #1: Query Registry [windows]
 - [T1018 Remote System Discovery](./T1018/T1018.md)
  - Atomic Test #1: Remote System Discovery - net [windows]
-  - Atomic Test #2: Remote System Discovery - ping sweep [windows]
-  - Atomic Test #3: Remote System Discovery - arp [windows]
-  - Atomic Test #6: Remote System Discovery - nslookup [windows]
+  - Atomic Test #2: Remote System Discovery - nltest [windows]
+  - Atomic Test #3: Remote System Discovery - ping sweep [windows]
+  - Atomic Test #4: Remote System Discovery - arp [windows]
+  - Atomic Test #7: Remote System Discovery - nslookup [windows]
 - [T1063 Security Software Discovery](./T1063/T1063.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]