diff --git a/atomics/T1035/T1035.yaml b/atomics/T1035/T1035.yaml index e42c32fa..3a140fb5 100644 --- a/atomics/T1035/T1035.yaml +++ b/atomics/T1035/T1035.yaml @@ -5,22 +5,18 @@ display_name: Service Execution atomic_tests: - name: Execute a Command as a Service description: | - Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly. - + Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly. supported_platforms: - windows - input_arguments: service_name: description: Name of service to create type: string default: ARTService - executable_command: description: Command to execute as a service type: string default: "%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\\art-marker.txt" - executor: name: command_prompt elevation_required: true @@ -28,3 +24,26 @@ atomic_tests: sc.exe create #{service_name} binPath= #{executable_command} sc.exe start #{service_name} sc.exe delete #{service_name} + +- name: Use PsExec to execute a command on a remote host + description: | + Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments + Will run a command on a remote host + supported_platforms: + - windows + input_arguments: + psexec_path: + description: Path to PsExec + type: string + default: "C:\\PSTools\\PsExec.exe" + remote_host: + description: Remote hostname or IP address + type: string + default: localhost + executor: + name: powershell + elevation_required: false + prereq_command: | + if(Test-Path #{psexec_path}) {0} else {1} + command: | + #{psexec_path} \\#{remote_host} "C:\Windows\System32\calc.exe"