T1016 qakbot addition (#1288)

* Create qakbot.bat

* Update T1016.yaml

Recon commands believed to be associated with Qakbot reconnaissance techniques.
https://hybrid-analysis.com/sample/fcdfd33bebc7a7fe02854ecb60aa17bf0bd85d0b78cc5bc07ceb93a5116639cd/5f63d0b54f389a2d7573a8ce
https://www.virustotal.com/gui/file/fcdfd33bebc7a7fe02854ecb60aa17bf0bd85d0b78cc5bc07ceb93a5116639cd/detection

Co-authored-by: Carrie Roberts <clr2of8@gmail.com>

atomics/T1016/T1016.yaml

@@ -147,4 +147,16 @@ atomic_tests:
       #{adfind_path} -f (objectcategory=subnet)
     name: command_prompt
 
-
+- name: Qakbot Recon
+  description: A list of commands known to be performed by Qakbot for recon purposes
+  supported_platforms:
+  - windows
+  input_arguments:
+    recon_commands:
+      description: File that houses list of commands to be executed
+      type: Path
+      default: PathToAtomicsFolder\T1016\src\qakbot.bat
+  executor:
+    command: |
+      #{recon_commands}
+    name: command_prompt

atomics/T1016/src/qakbot.bat

@@ -0,0 +1,10 @@
+whoami /all
+cmd /c set
+arp -a
+ipconfig /all
+net view /all
+nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
+net share
+route print
+netstat -nao
+net localgroup