From fa8b76090aa77ef344c143e2c518d44ebb278bea Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Tue, 8 Feb 2022 16:35:03 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 28 ++++++++++
 atomics/T1018/T1018.md | 51 +++++++++++++++++++
 6 files changed, 83 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index c9838c95..5ae1b775 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -842,6 +842,7 @@ discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory D
 discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
 discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
 discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
+discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 6d78edf8..f02d0529 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -560,6 +560,7 @@ discovery,T1018,Remote System Discovery,8,Remote System Discovery - nslookup,baa
 discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,95e19466-469e-4316-86d2-1dc401b5a959,command_prompt
 discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
 discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
+discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 86c6e083..fd14f63c 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1359,6 +1359,7 @@
 - Atomic Test #12: Remote System Discovery - ip neighbour [linux]
 - Atomic Test #13: Remote System Discovery - ip route [linux]
 - Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
+ - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
 - Atomic Test #1: Security Software Discovery [windows]
 - Atomic Test #2: Security Software Discovery - powershell [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 71ba1749..be0fab5e 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -958,6 +958,7 @@
 - Atomic Test #9: Remote System Discovery - adidnsdump [windows]
 - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
 - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
+ - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
 - Atomic Test #1: Security Software Discovery [windows]
 - Atomic Test #2: Security Software Discovery - powershell [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 7e4cffcb..84705ffa 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -57017,6 +57017,34 @@ discovery:
 '
 name: sh
+ - name: Enumerate domain computers within Active Directory using DirectorySearcher
+ auto_generated_guid: 962a6017-1c09-45a6-880b-adc9c57cb22e
+ description: "This test is a Powershell script that enumerates Active Directory
+ to determine computers that are joined to the domain. \nThis test is designed
+ to mimic how SessionGopher can determine the additional systems within a domain,
+ which has been used before by threat actors to aid in lateral movement. \nReference:
+ [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks).
+ \nUpon successful execution, this test will output the names of the computers
+ that reside on the domain to the console window. \n"
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: This PC must be joined to a domain.
+ prereq_command: "if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain
+ -eq $true) {exit 0} else {exit 1}\t\t"
+ get_prereq_command: 'write-host "This PC must be manually added to a domain." '
+ executor:
+ command: |
+ $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
+ $DirectorySearcher.PropertiesToLoad.Add("Name")
+ $Computers = $DirectorySearcher.findall()
+ foreach ($Computer in $Computers) {
+ $Computer = $Computer.Properties.name
+ if (!$Computer) { Continue }
+ Write-Host $Computer}
+ name: powershell
+ elevation_required: false
 T1518.001:
 technique:
 id: attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index 619d609a..cb53f87d 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
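Review bot: The prereq_command in this new index entry relies on `Get-WmiObject`, which does not exist on PowerShell 6/7, so on those engines the prerequisite check errors and the test is reported as not runnable even on a domain-joined host; `if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain -eq $true) {exit 0} else {exit 1}` gives the same answer on every engine, and the trailing `\t\t` inside the quoted string looks like stray whitespace that should be dropped. In the executor, neither the `DirectorySearcher` nor the `SearchResultCollection` returned by `findall()` is disposed, and the .NET documentation states the collection must be disposed explicitly to release its unmanaged LDAP resources, so append `$Computers.Dispose(); $DirectorySearcher.Dispose()` after the loop. Since index.yaml and T1018.md are regenerated by the doc job, these corrections belong in the technique's source YAML (not in this diff); the same text recurs in the T1018.md hunk below.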
@@ -34,6 +34,8 @@ Specific to macOS, the bonjour protocol exists to discover addition
 - [Atomic Test #14 - Remote System Discovery - ip tcp_metrics](#atomic-test-14---remote-system-discovery---ip-tcp_metrics)
+- [Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher)
+
@@ -583,4 +585,53 @@ apt-get install iproute2 -y
+
+
+
+## Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher
+This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain.
+This test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement.
+Reference: [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks).
+Upon successful execution, this test will output the names of the computers that reside on the domain to the console window.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 962a6017-1c09-45a6-880b-adc9c57cb22e
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
+$DirectorySearcher.PropertiesToLoad.Add("Name")
+$Computers = $DirectorySearcher.findall()
+foreach ($Computer in $Computers) {
+ $Computer = $Computer.Properties.name
+ if (!$Computer) { Continue }
+ Write-Host $Computer}
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: This PC must be joined to a domain.
+##### Check Prereq Commands:
+```powershell
+if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+write-host "This PC must be manually added to a domain."
+```
+
+
+
+