From d0b51ff08ad90c7ad170b79dec79ee2e87916e11 Mon Sep 17 00:00:00 2001
From: Brian Thacker
Date: Tue, 17 Nov 2020 20:29:55 -0600
Subject: [PATCH] T1016 qakbot addition (#1288)
* Create qakbot.bat
* Update T1016.yaml
Recon commands believed to be associated with Qakbot reconnaissance techniques.
https://hybrid-analysis.com/sample/fcdfd33bebc7a7fe02854ecb60aa17bf0bd85d0b78cc5bc07ceb93a5116639cd/5f63d0b54f389a2d7573a8ce
https://www.virustotal.com/gui/file/fcdfd33bebc7a7fe02854ecb60aa17bf0bd85d0b78cc5bc07ceb93a5116639cd/detection
Co-authored-by: Carrie Roberts
---
atomics/T1016/T1016.yaml | 14 +++++++++++++-
atomics/T1016/src/qakbot.bat | 10 ++++++++++
2 files changed, 23 insertions(+), 1 deletion(-)
create mode 100644 atomics/T1016/src/qakbot.bat
diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml
index 6ddbb101..e6522970 100644
--- a/atomics/T1016/T1016.yaml
+++ b/atomics/T1016/T1016.yaml
@@ -147,4 +147,16 @@ atomic_tests:
 #{adfind_path} -f (objectcategory=subnet)
 name: command_prompt
-
+- name: Qakbot Recon
+ description: A list of commands known to be performed by Qakbot for recon purposes
+ supported_platforms:
+ - windows
+ input_arguments:
+ recon_commands:
+ description: File that houses list of commands to be executed
+ type: Path
+ default: PathToAtomicsFolder\T1016\src\qakbot.bat
+ executor:
+ command: |
+ #{recon_commands}
+ name: command_prompt
diff --git a/atomics/T1016/src/qakbot.bat b/atomics/T1016/src/qakbot.bat
new file mode 100644
index 00000000..3c02ae0b
--- /dev/null
+++ b/atomics/T1016/src/qakbot.bat
@@ -0,0 +1,10 @@
+whoami /all
+cmd /c set
+arp -a
+ipconfig /all
+net view /all
+nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP
+net share
+route print
+netstat -nao
+net localgroup
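Review bot: The executor runs the `recon_commands` path unquoted (the bare `#{recon_commands}` under `command: |`), so a `PathToAtomicsFolder` or user override that contains a space will be split into several tokens by cmd.exe and the batch file will not launch; quote it as `"#{recon_commands}"`. The description should also tell analysts that several of the scripted commands (`whoami /all`, `cmd /c set`, `net share`, `net localgroup`) go beyond network-configuration discovery, so detections keyed only to T1016 will not observe the whole sequence; something like `description: Runs the reconnaissance command sequence attributed to Qakbot. Besides network configuration discovery it also exercises account, environment, share and local-group discovery, so expect telemetry under several discovery techniques.` would set the right expectation. Both are suggestions; as far as the hunk shows, the test's structure otherwise matches the sibling entries in this file.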
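Review bot: The SRV lookup on the sixth line is hard-coded to `_ldap._tcp.dc._msdcs.WORKGROUP`, which only resolves on a host whose domain is literally named WORKGROUP; on a domain-joined test machine it returns NXDOMAIN, so the DC-discovery step the emulation is meant to reproduce never generates a DNS query for the real domain. Querying the host's own domain instead, `nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%`, exercises that path where a DC exists and should still degrade to a failed lookup on a workgroup host, where the variable is empty. The literal WORKGROUP most likely reflects the sandbox the sample was detonated in rather than the malware's own behaviour, though that is an inference from the linked reports, not something the hunk shows. A short header such as `REM Recon sequence attributed to Qakbot (see T1016.yaml); all commands are read-only, no cleanup required` would help whoever maintains this file later.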