diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index 3abc6b89..c136971d 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -23,15 +23,17 @@ In cloud environments, the above techniques may be used to discover remote syste
- [Atomic Test #1 - Remote System Discovery - net](#atomic-test-1---remote-system-discovery---net)
-- [Atomic Test #2 - Remote System Discovery - ping sweep](#atomic-test-2---remote-system-discovery---ping-sweep)
+- [Atomic Test #2 - Remote System Discovery - nltest](#atomic-test-2---remote-system-discovery---nltest)
-- [Atomic Test #3 - Remote System Discovery - arp](#atomic-test-3---remote-system-discovery---arp)
+- [Atomic Test #3 - Remote System Discovery - ping sweep](#atomic-test-3---remote-system-discovery---ping-sweep)
-- [Atomic Test #4 - Remote System Discovery - arp nix](#atomic-test-4---remote-system-discovery---arp-nix)
+- [Atomic Test #4 - Remote System Discovery - arp](#atomic-test-4---remote-system-discovery---arp)
-- [Atomic Test #5 - Remote System Discovery - sweep](#atomic-test-5---remote-system-discovery---sweep)
+- [Atomic Test #5 - Remote System Discovery - arp nix](#atomic-test-5---remote-system-discovery---arp-nix)
-- [Atomic Test #6 - Remote System Discovery - nslookup](#atomic-test-6---remote-system-discovery---nslookup)
+- [Atomic Test #6 - Remote System Discovery - sweep](#atomic-test-6---remote-system-discovery---sweep)
+
+- [Atomic Test #7 - Remote System Discovery - nslookup](#atomic-test-7---remote-system-discovery---nslookup)
@@ -53,7 +55,28 @@ net view
-## Atomic Test #2 - Remote System Discovery - ping sweep
+## Atomic Test #2 - Remote System Discovery - nltest
+Identify domain controllers for specified domain.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| target_domain | Domain to query for domain controllers | String | domain.local|
+
+#### Run it with `command_prompt`!
+```
+nltest.exe /dclist:#{target_domain}
+```
+
+
+
+
+
+
+## Atomic Test #3 - Remote System Discovery - ping sweep
Identify remote systems via ping sweep
**Supported Platforms:** Windows
@@ -69,7 +92,7 @@ for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
-## Atomic Test #3 - Remote System Discovery - arp
+## Atomic Test #4 - Remote System Discovery - arp
Identify remote systems via arp
**Supported Platforms:** Windows
@@ -85,7 +108,7 @@ arp -a
-## Atomic Test #4 - Remote System Discovery - arp nix
+## Atomic Test #5 - Remote System Discovery - arp nix
Identify remote systems via arp
**Supported Platforms:** Linux, macOS
@@ -101,7 +124,7 @@ arp -a | grep -v '^?'
-## Atomic Test #5 - Remote System Discovery - sweep
+## Atomic Test #6 - Remote System Discovery - sweep
Identify remote systems via ping sweep
**Supported Platforms:** Linux, macOS
@@ -117,7 +140,7 @@ for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.16
-## Atomic Test #6 - Remote System Discovery - nslookup
+## Atomic Test #7 - Remote System Discovery - nslookup
Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig
**Supported Platforms:** Windows
diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml
index 951e104a..2f9c5f1e 100644
--- a/atomics/T1018/T1018.yaml
+++ b/atomics/T1018/T1018.yaml
@@ -17,6 +17,25 @@ atomic_tests:
net view /domain
net view
+- name: Remote System Discovery - nltest
+ description: |
+ Identify domain controllers for specified domain.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ target_domain:
+ description: Domain to query for domain controllers
+ type: String
+ default: domain.local
+
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: |
+ nltest.exe /dclist:#{target_domain}
+
- name: Remote System Discovery - ping sweep
description: |
Identify remote systems via ping sweep
diff --git a/atomics/index.md b/atomics/index.md
index 8d6acbbd..769a9745 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -580,11 +580,12 @@
- Atomic Test #1: Query Registry [windows]
- [T1018 Remote System Discovery](./T1018/T1018.md)
- Atomic Test #1: Remote System Discovery - net [windows]
- - Atomic Test #2: Remote System Discovery - ping sweep [windows]
- - Atomic Test #3: Remote System Discovery - arp [windows]
- - Atomic Test #4: Remote System Discovery - arp nix [linux, macos]
- - Atomic Test #5: Remote System Discovery - sweep [linux, macos]
- - Atomic Test #6: Remote System Discovery - nslookup [windows]
+ - Atomic Test #2: Remote System Discovery - nltest [windows]
+ - Atomic Test #3: Remote System Discovery - ping sweep [windows]
+ - Atomic Test #4: Remote System Discovery - arp [windows]
+ - Atomic Test #5: Remote System Discovery - arp nix [linux, macos]
+ - Atomic Test #6: Remote System Discovery - sweep [linux, macos]
+ - Atomic Test #7: Remote System Discovery - nslookup [windows]
- [T1063 Security Software Discovery](./T1063/T1063.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 93b3bd8c..e4e73406 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -16893,6 +16893,23 @@ discovery:
command: |
net view /domain
net view
+ - name: Remote System Discovery - nltest
+ description: 'Identify domain controllers for specified domain.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ target_domain:
+ description: Domain to query for domain controllers
+ type: String
+ default: domain.local
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: 'nltest.exe /dclist:#{target_domain}
+
+'
- name: Remote System Discovery - ping sweep
description: 'Identify remote systems via ping sweep
diff --git a/atomics/linux-index.md b/atomics/linux-index.md
index 3c5e581e..bad9ad02 100644
--- a/atomics/linux-index.md
+++ b/atomics/linux-index.md
@@ -94,8 +94,8 @@
- [T1057 Process Discovery](./T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, centos, ubuntu, linux]
- [T1018 Remote System Discovery](./T1018/T1018.md)
- - Atomic Test #4: Remote System Discovery - arp nix [linux, macos]
- - Atomic Test #5: Remote System Discovery - sweep [linux, macos]
+ - Atomic Test #5: Remote System Discovery - arp nix [linux, macos]
+ - Atomic Test #6: Remote System Discovery - sweep [linux, macos]
- [T1518 Software Discovery](./T1518/T1518.md)
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #2: System Information Discovery [linux, macos]
diff --git a/atomics/macos-index.md b/atomics/macos-index.md
index 48afb3df..0d1b79bb 100644
--- a/atomics/macos-index.md
+++ b/atomics/macos-index.md
@@ -106,8 +106,8 @@
- [T1057 Process Discovery](./T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [macos, centos, ubuntu, linux]
- [T1018 Remote System Discovery](./T1018/T1018.md)
- - Atomic Test #4: Remote System Discovery - arp nix [linux, macos]
- - Atomic Test #5: Remote System Discovery - sweep [linux, macos]
+ - Atomic Test #5: Remote System Discovery - arp nix [linux, macos]
+ - Atomic Test #6: Remote System Discovery - sweep [linux, macos]
- [T1063 Security Software Discovery](./T1063/T1063.md)
- Atomic Test #3: Security Software Discovery - ps [linux, macos]
- [T1518 Software Discovery](./T1518/T1518.md)
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 1ad15eaf..126d2809 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -408,9 +408,10 @@
- Atomic Test #1: Query Registry [windows]
- [T1018 Remote System Discovery](./T1018/T1018.md)
- Atomic Test #1: Remote System Discovery - net [windows]
- - Atomic Test #2: Remote System Discovery - ping sweep [windows]
- - Atomic Test #3: Remote System Discovery - arp [windows]
- - Atomic Test #6: Remote System Discovery - nslookup [windows]
+ - Atomic Test #2: Remote System Discovery - nltest [windows]
+ - Atomic Test #3: Remote System Discovery - ping sweep [windows]
+ - Atomic Test #4: Remote System Discovery - arp [windows]
+ - Atomic Test #7: Remote System Discovery - nslookup [windows]
- [T1063 Security Software Discovery](./T1063/T1063.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]