diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index c9838c95..5ae1b775 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -842,6 +842,7 @@ discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory D
discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
+discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 6d78edf8..f02d0529 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -560,6 +560,7 @@ discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa
discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
+discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 86c6e083..fd14f63c 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1359,6 +1359,7 @@
- Atomic Test #12: Remote System Discovery - ip neighbour [linux]
- Atomic Test #13: Remote System Discovery - ip route [linux]
- Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
+ - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 71ba1749..be0fab5e 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -958,6 +958,7 @@
- Atomic Test #9: Remote System Discovery - adidnsdump [windows]
- Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
- Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
+ - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 7e4cffcb..84705ffa 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -57017,6 +57017,34 @@ discovery:
'
name: sh
+ - name: Enumerate domain computers within Active Directory using DirectorySearcher
+ auto_generated_guid: 962a6017-1c09-45a6-880b-adc9c57cb22e
+ description: "This test is a Powershell script that enumerates Active Directory
+ to determine computers that are joined to the domain. \nThis test is designed
+ to mimic how SessionGopher can determine the additional systems within a domain,
+ which has been used before by threat actors to aid in lateral movement. \nReference:
+ [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks).
+ \nUpon successful execution, this test will output the names of the computers
+ that reside on the domain to the console window. \n"
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: This PC must be joined to a domain.
+ prereq_command: "if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain
+ -eq $true) {exit 0} else {exit 1}\t\t"
+ get_prereq_command: 'write-host "This PC must be manually added to a domain." '
+ executor:
+ command: |
+ $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
+ $DirectorySearcher.PropertiesToLoad.Add("Name")
+ $Computers = $DirectorySearcher.findall()
+ foreach ($Computer in $Computers) {
+ $Computer = $Computer.Properties.name
+ if (!$Computer) { Continue }
+ Write-Host $Computer}
+ name: powershell
+ elevation_required: false
T1518.001:
technique:
id: attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384
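Review bot: The dependency check in `prereq_command` relies on `Get-WmiObject`, which does not exist in PowerShell 7+, so on a host where the `powershell` executor resolves to pwsh the prerequisite fails before the test runs; `Get-CimInstance -ClassName Win32_ComputerSystem` exposes the same `PartOfDomain` property on both editions, and the trailing `\t\t` inside that double-quoted scalar are literal tabs that should be dropped. In the executor, `$DirectorySearcher.PropertiesToLoad.Add("Name")` returns the index of the added entry and, being unassigned, prints a stray `0` ahead of the computer names that the description promises as the only output; `[void]` on that call fixes it. `FindAll()` with the default `PageSize` of 0 does not use paged results, so in a domain with more computer objects than the DC's MaxPageSize (1000 by default) only the first page is enumerated, which undercuts the "mimic SessionGopher" intent — `$DirectorySearcher.PageSize = 1000` makes the enumeration complete. These index files appear to be generated, so the change belongs in atomics/T1018/T1018.yaml and the indexes regenerated from it.

```yaml
dependencies:
- description: This PC must be joined to a domain.
  prereq_command: 'if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain -eq $true) {exit 0} else {exit 1}'
# … unchanged: get_prereq_command …
executor:
  command: |
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
    $DirectorySearcher.PageSize = 1000
    [void]$DirectorySearcher.PropertiesToLoad.Add("Name")
    $Computers = $DirectorySearcher.FindAll()
    # … unchanged: foreach loop writing each computer name …
```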
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index 619d609a..cb53f87d 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -34,6 +34,8 @@ Specific to macOS, the bonjour protocol exists to discover addition
- [Atomic Test #14 - Remote System Discovery - ip tcp_metrics](#atomic-test-14---remote-system-discovery---ip-tcp_metrics)
+- [Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher)
+
@@ -583,4 +585,53 @@ apt-get install iproute2 -y
+
+
+
+## Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher
+This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain.
+This test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement.
+Reference: [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks).
+Upon successful execution, this test will output the names of the computers that reside on the domain to the console window.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 962a6017-1c09-45a6-880b-adc9c57cb22e
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
+$DirectorySearcher.PropertiesToLoad.Add("Name")
+$Computers = $DirectorySearcher.findall()
+foreach ($Computer in $Computers) {
+ $Computer = $Computer.Properties.name
+ if (!$Computer) { Continue }
+ Write-Host $Computer}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: This PC must be joined to a domain.
+##### Check Prereq Commands:
+```powershell
+if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+write-host "This PC must be manually added to a domain."
+```
+
+
+
+