From 4c3e2c3d83a79c1f92c183e473125ca4fc635eef Mon Sep 17 00:00:00 2001 From: Tony M Lambert Date: Wed, 20 Nov 2019 16:34:54 -0600 Subject: [PATCH] T1018 Test for DC discovery with nltest (#678) * T1018 Discover DCs with nltest * Generate docs from job=validate_atomics_generate_docs branch=t1018-nltest-dclist --- atomics/T1018/T1018.md | 43 ++++++++++++++++++++++++++++++---------- atomics/T1018/T1018.yaml | 19 ++++++++++++++++++ atomics/index.md | 11 +++++----- atomics/index.yaml | 17 ++++++++++++++++ atomics/linux-index.md | 4 ++-- atomics/macos-index.md | 4 ++-- atomics/windows-index.md | 7 ++++--- 7 files changed, 83 insertions(+), 22 deletions(-) diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index 3abc6b89..c136971d 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md 
@@ -23,15 +23,17 @@ In cloud environments, the above techniques may be used to discover remote syste - [Atomic Test #1 - Remote System Discovery - net](#atomic-test-1---remote-system-discovery---net) -- [Atomic Test #2 - Remote System Discovery - ping sweep](#atomic-test-2---remote-system-discovery---ping-sweep) +- [Atomic Test #2 - Remote System Discovery - nltest](#atomic-test-2---remote-system-discovery---nltest) -- [Atomic Test #3 - Remote System Discovery - arp](#atomic-test-3---remote-system-discovery---arp) +- [Atomic Test #3 - Remote System Discovery - ping sweep](#atomic-test-3---remote-system-discovery---ping-sweep) -- [Atomic Test #4 - Remote System Discovery - arp nix](#atomic-test-4---remote-system-discovery---arp-nix) +- [Atomic Test #4 - Remote System Discovery - arp](#atomic-test-4---remote-system-discovery---arp) -- [Atomic Test #5 - Remote System Discovery - sweep](#atomic-test-5---remote-system-discovery---sweep) +- [Atomic Test #5 - Remote System Discovery - arp nix](#atomic-test-5---remote-system-discovery---arp-nix) -- [Atomic Test #6 - Remote System Discovery - nslookup](#atomic-test-6---remote-system-discovery---nslookup) +- [Atomic Test #6 - Remote System Discovery - sweep](#atomic-test-6---remote-system-discovery---sweep) + +- [Atomic Test #7 - Remote System Discovery - nslookup](#atomic-test-7---remote-system-discovery---nslookup)
@@ -53,7 +55,28 @@ net view

-## Atomic Test #2 - Remote System Discovery - ping sweep +## Atomic Test #2 - Remote System Discovery - nltest +Identify domain controllers for specified domain. + +**Supported Platforms:** Windows + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_domain | Domain to query for domain controllers | String | domain.local| + +#### Run it with `command_prompt`! +``` +nltest.exe /dclist:#{target_domain} +``` + + + +
+
+ +## Atomic Test #3 - Remote System Discovery - ping sweep Identify remote systems via ping sweep **Supported Platforms:** Windows @@ -69,7 +92,7 @@ for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i

-## Atomic Test #3 - Remote System Discovery - arp +## Atomic Test #4 - Remote System Discovery - arp Identify remote systems via arp **Supported Platforms:** Windows @@ -85,7 +108,7 @@ arp -a

-## Atomic Test #4 - Remote System Discovery - arp nix +## Atomic Test #5 - Remote System Discovery - arp nix Identify remote systems via arp **Supported Platforms:** Linux, macOS @@ -101,7 +124,7 @@ arp -a | grep -v '^?'

-## Atomic Test #5 - Remote System Discovery - sweep +## Atomic Test #6 - Remote System Discovery - sweep Identify remote systems via ping sweep **Supported Platforms:** Linux, macOS @@ -117,7 +140,7 @@ for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ] && echo "192.16

-## Atomic Test #6 - Remote System Discovery - nslookup +## Atomic Test #7 - Remote System Discovery - nslookup Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig **Supported Platforms:** Windows diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml index 951e104a..2f9c5f1e 100644 --- a/atomics/T1018/T1018.yaml +++ b/atomics/T1018/T1018.yaml @@ -17,6 +17,25 @@ atomic_tests: net view /domain net view +- name: Remote System Discovery - nltest + description: | + Identify domain controllers for specified domain. + + supported_platforms: + - windows + + input_arguments: + target_domain: + description: Domain to query for domain controllers + type: String + default: domain.local + + executor: + name: command_prompt + elevation_required: false + command: | + nltest.exe /dclist:#{target_domain} + - name: Remote System Discovery - ping sweep description: | Identify remote systems via ping sweep diff --git a/atomics/index.md b/atomics/index.md index 8d6acbbd..769a9745 100644 --- a/atomics/index.md +++ b/atomics/index.md 
@@ -580,11 +580,12 @@ - Atomic Test #1: Query Registry [windows] - [T1018 Remote System Discovery](./T1018/T1018.md) - Atomic Test #1: Remote System Discovery - net [windows] - - Atomic Test #2: Remote System Discovery - ping sweep [windows] - - Atomic Test #3: Remote System Discovery - arp [windows] - - Atomic Test #4: Remote System Discovery - arp nix [linux, macos] - - Atomic Test #5: Remote System Discovery - sweep [linux, macos] - - Atomic Test #6: Remote System Discovery - nslookup [windows] + - Atomic Test #2: Remote System Discovery - nltest [windows] + - Atomic Test #3: Remote System Discovery - ping sweep [windows] + - Atomic Test #4: Remote System Discovery - arp [windows] + - Atomic Test #5: Remote System Discovery - arp nix [linux, macos] + - Atomic Test #6: Remote System Discovery - sweep [linux, macos] + - Atomic Test #7: Remote System Discovery - nslookup [windows] - [T1063 Security Software Discovery](./T1063/T1063.md) - Atomic Test #1: Security Software Discovery [windows] - Atomic Test #2: Security Software Discovery - powershell [windows] diff --git a/atomics/index.yaml b/atomics/index.yaml index 93b3bd8c..e4e73406 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -16893,6 +16893,23 @@ discovery: command: | net view /domain net view + - name: Remote System Discovery - nltest + description: 'Identify domain controllers for specified domain. + +' + supported_platforms: + - windows + input_arguments: + target_domain: + description: Domain to query for domain controllers + type: String + default: domain.local + executor: + name: command_prompt + elevation_required: false + command: 'nltest.exe /dclist:#{target_domain} + +' - name: Remote System Discovery - ping sweep description: 'Identify remote systems via ping sweep diff --git a/atomics/linux-index.md b/atomics/linux-index.md index 3c5e581e..bad9ad02 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md 
@@ -94,8 +94,8 @@ - [T1057 Process Discovery](./T1057/T1057.md) - Atomic Test #1: Process Discovery - ps [macos, centos, ubuntu, linux] - [T1018 Remote System Discovery](./T1018/T1018.md) - - Atomic Test #4: Remote System Discovery - arp nix [linux, macos] - - Atomic Test #5: Remote System Discovery - sweep [linux, macos] + - Atomic Test #5: Remote System Discovery - arp nix [linux, macos] + - Atomic Test #6: Remote System Discovery - sweep [linux, macos] - [T1518 Software Discovery](./T1518/T1518.md) - [T1082 System Information Discovery](./T1082/T1082.md) - Atomic Test #2: System Information Discovery [linux, macos] diff --git a/atomics/macos-index.md b/atomics/macos-index.md index 48afb3df..0d1b79bb 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md @@ -106,8 +106,8 @@ - [T1057 Process Discovery](./T1057/T1057.md) - Atomic Test #1: Process Discovery - ps [macos, centos, ubuntu, linux] - [T1018 Remote System Discovery](./T1018/T1018.md) - - Atomic Test #4: Remote System Discovery - arp nix [linux, macos] - - Atomic Test #5: Remote System Discovery - sweep [linux, macos] + - Atomic Test #5: Remote System Discovery - arp nix [linux, macos] + - Atomic Test #6: Remote System Discovery - sweep [linux, macos] - [T1063 Security Software Discovery](./T1063/T1063.md) - Atomic Test #3: Security Software Discovery - ps [linux, macos] - [T1518 Software Discovery](./T1518/T1518.md) diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 1ad15eaf..126d2809 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
@@ -408,9 +408,10 @@ - Atomic Test #1: Query Registry [windows] - [T1018 Remote System Discovery](./T1018/T1018.md) - Atomic Test #1: Remote System Discovery - net [windows] - - Atomic Test #2: Remote System Discovery - ping sweep [windows] - - Atomic Test #3: Remote System Discovery - arp [windows] - - Atomic Test #6: Remote System Discovery - nslookup [windows] + - Atomic Test #2: Remote System Discovery - nltest [windows] + - Atomic Test #3: Remote System Discovery - ping sweep [windows] + - Atomic Test #4: Remote System Discovery - arp [windows] + - Atomic Test #7: Remote System Discovery - nslookup [windows] - [T1063 Security Software Discovery](./T1063/T1063.md) - Atomic Test #1: Security Software Discovery [windows] - Atomic Test #2: Security Software Discovery - powershell [windows]
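Review bot: in the T1018.md table-of-contents hunk, inserting the nltest test at position #2 renumbers every existing T1018 test (ping sweep becomes #3, arp #4, arp nix #5, sweep #6, nslookup #7), which silently breaks any runbook or bookmark that referenced the old anchors such as `#atomic-test-3---remote-system-discovery---arp`, and is the reason the index.md, index.yaml, linux-index.md, macos-index.md and windows-index.md hunks all had to change as well. Appending the new test as #7 instead would keep the existing numbers stable and shrink this patch to the T1018.md, T1018.yaml and index updates for one added entry.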
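Review bot: in the T1018.yaml hunk, the default `domain.local` for `target_domain` is a placeholder that will not exist in most environments, so the test fails as shipped unless the operator overrides the input; the `description` should say so ("set target_domain to the domain the host is joined to") and should state what a defender validating the test should expect to observe, namely an `nltest.exe` process created with a `/dclist:` argument, so the run can be matched against process-creation telemetry. Minor wording: "Identify domain controllers for specified domain." should read "for the specified domain".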