From 69bacaa67421e1f5507ac93ef3b0307cf85d0de6 Mon Sep 17 00:00:00 2001
From: chris
Date: Tue, 14 Dec 2021 12:11:21 +0000
Subject: [PATCH] T1018
---
 atomics/T1018/T1018.yaml | 58 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml
index ea2cdfed..7d107ac7 100644
--- a/atomics/T1018/T1018.yaml
+++ b/atomics/T1018/T1018.yaml
@@ -226,3 +226,61 @@ atomic_tests:
 command: |
 #{adfind_path} -sc dclist
 name: command_prompt
+
+- name: Remote System Discovery - ip neighbour
+ auto_generated_guid:
+ description: |
+ Use the ip neighbour command to display the known link layer (ARP table) addresses for hosts sharing the same network segment.
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Check if ip command exists on the machine
+ prereq_command: |
+ if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ apt-get install iproute2 -y
+ executor:
+ command: |
+ ip neighbour show
+ name: sh
+
+- name: Remote System Discovery - ip route
+ auto_generated_guid:
+ description: |
+ Use the ip route command to display the kernels routing tables.
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Check if ip command exists on the machine
+ prereq_command: |
+ if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ apt-get install iproute2 -y
+ executor:
+ command: |
+ ip route show
+ name: sh
+
+- name: Remote System Discovery - ip tcp_metrics
+ auto_generated_guid:
+ description: |
+ Use the ip tcp_metrics command to display the recent cached entries for IPv4 and IPv6 source and destination addresses.
+ supported_platforms:
+ - linux
+ dependency_executor_name: sh
+ dependencies:
+ - description: |
+ Check if ip command exists on the machine
+ prereq_command: |
+ if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ apt-get install iproute2 -y
+ executor:
+ command: |
+ ip tcp_metrics show |grep --invert-match "^127\."
+ name: sh
+
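Review bot: The `get_prereq_command` in all three new tests hardcodes `apt-get install iproute2 -y`, so on a host without apt (dnf/yum/apk based) the prerequisite install step simply fails, even though the `prereq_command` check itself is distro-neutral. A small guard keeps the test runnable across distributions, e.g. `if command -v apt-get >/dev/null; then apt-get install iproute2 -y; elif command -v yum >/dev/null; then yum install iproute -y; fi`. The `ip tcp_metrics` test pipes the output through `grep --invert-match "^127\."` but its description does not say so; appending `Loopback (127.x) entries are filtered out of the output.` to that description would keep it accurate for anyone validating detections against it. Separately, `kernels routing tables` in the ip route description should read `kernel's routing tables`.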