From 29063f5306e340e8f6754b45aff741c871b45878 Mon Sep 17 00:00:00 2001 From: Darin Manley Date: Mon, 20 Mar 2023 12:38:17 -0700 Subject: [PATCH] Added RemCom to execute a command on a remote host (#2380) * Added RemCom to execute a command on a remote host * Update T1569.002.yaml --------- Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com> --- atomics/T1569.002/T1569.002.yaml | 37 ++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/atomics/T1569.002/T1569.002.yaml b/atomics/T1569.002/T1569.002.yaml index 7e906f35..58cc88c8 100644 --- a/atomics/T1569.002/T1569.002.yaml +++ b/atomics/T1569.002/T1569.002.yaml @@ -140,3 +140,40 @@ atomic_tests: rm $env:temp\psexec.exe name: powershell elevation_required: true + +- name: Use RemCom to execute a command on a remote host + description: | + Requires having RemCom installed, path to RemCom is one of the input input_arguments + Will start a process on a remote host. + Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost). + supported_platforms: + - windows + input_arguments: + remote_host: + description: Remote hostname or IP address + type: string + default: localhost + user_name: + description: Username + type: string + default: Administrator + password: + description: Password + type: string + default: P@ssw0rd1 + remcom_exe: + description: Path to RemCom + type: string + default: $pathtoatomicsfolder\T1569.002\bin\remcom.exe + dependency_executor_name: powershell + dependencies: + - description: | + RemCom tool must exist on disk at specified location (#{remcom_exe}) + prereq_command: | + if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1} + get_prereq_command: | + Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe" -OutFile "#{remcom_exe}" + executor: + command: | + "#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe + name: command_prompt
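Review bot: The executor line runs a bare `cmd.exe` on the remote host while the description promises that calc.exe is spawned; for a PsExec-style tool a bare `cmd.exe` presumably opens an interactive shell on the target and can leave the runner blocked, so either the description or the command should change, e.g. `"#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe /c calc.exe`. The new test also omits `elevation_required`, although the PsExec test visible in the context lines sets `elevation_required: true` and RemCom, like PsExec, has to install a service on the target, so `elevation_required: true` belongs after `name: command_prompt`. The `get_prereq_command` pulls RemCom.exe from a GitHub raw URL with no integrity check and writes into a `bin` folder that nothing creates first; a `New-Item -ItemType Directory -Force` step and a documented SHA256 for the expected binary would make the dependency reproducible and harder to swap out. Lastly the description has a typo (`input input_arguments`) and could state that the password is passed in clear text on the command line and will show up in process-creation telemetry, which is the detection opportunity this test exercises.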