Generated docs from job=generate-docs branch=master [ci skip]

2023-03-20 19:39:02 +00:00
parent 8a83c877bb
commit 41355dea4e
9 changed files with 144 additions and 2 deletions
@@ -762,6 +762,7 @@ execution,T1569.002,System Services: Service Execution,1,Execute a Command as a
 execution,T1569.002,System Services: Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
 execution,T1569.002,System Services: Service Execution,3,psexec.py (Impacket),edbcd8c9-3639-4844-afad-455c91e95a35,bash
 execution,T1569.002,System Services: Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
+execution,T1569.002,System Services: Service Execution,5,Use RemCom to execute a command on a remote host,a5d8cdeb-be90-43a9-8b26-cc618deac1e0,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,2,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
@@ -550,6 +550,7 @@ execution,T1059.005,Command and Scripting Interpreter: Visual Basic,3,Extract Me
 execution,T1569.002,System Services: Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
 execution,T1569.002,System Services: Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
 execution,T1569.002,System Services: Service Execution,4,BlackCat pre-encryption cmds with Lateral Movement,31eb7828-97d7-4067-9c1e-c6feb85edc4b,powershell
+execution,T1569.002,System Services: Service Execution,5,Use RemCom to execute a command on a remote host,a5d8cdeb-be90-43a9-8b26-cc618deac1e0,command_prompt
 execution,T1053.002,Scheduled Task/Job: At,1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
@@ -1161,6 +1161,7 @@
  - Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
  - Atomic Test #3: psexec.py (Impacket) [linux]
  - Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
+  - Atomic Test #5: Use RemCom to execute a command on a remote host [windows]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
  - Atomic Test #2: At - Schedule a job [linux]
@@ -842,6 +842,7 @@
  - Atomic Test #1: Execute a Command as a Service [windows]
  - Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
  - Atomic Test #4: BlackCat pre-encryption cmds with Lateral Movement [windows]
+  - Atomic Test #5: Use RemCom to execute a command on a remote host [windows]
 - [T1053.002 Scheduled Task/Job: At](../../T1053.002/T1053.002.md)
  - Atomic Test #1: At.exe Scheduled task [windows]
 - T1035 Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -49529,6 +49529,49 @@ execution:
          \ncmd.exe /c \"fsutil behavior set SymlinkEvaluation R2R:0\"\nrm $env:temp\\psexec.exe\n"
        name: powershell
        elevation_required: true
+    - name: Use RemCom to execute a command on a remote host
+      auto_generated_guid: a5d8cdeb-be90-43a9-8b26-cc618deac1e0
+      description: |
+        Requires having RemCom installed, path to RemCom is one of the input input_arguments
+        Will start a process on a remote host.
+        Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_host:
+          description: Remote hostname or IP address
+          type: string
+          default: localhost
+        user_name:
+          description: Username
+          type: string
+          default: Administrator
+        password:
+          description: Password
+          type: string
+          default: P@ssw0rd1
+        remcom_exe:
+          description: Path to RemCom
+          type: string
+          default: "$pathtoatomicsfolder\\T1569.002\\bin\\remcom.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'RemCom tool must exist on disk at specified location (#{remcom_exe})
+
+          '
+        prereq_command: 'if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe"
+          -OutFile "#{remcom_exe}"
+
+          '
+      executor:
+        command: '"#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password}
+          cmd.exe
+
+          '
+        name: command_prompt
  T1053.002:
    technique:
      x_mitre_platforms:
@@ -43524,6 +43524,49 @@ execution:
          \ncmd.exe /c \"fsutil behavior set SymlinkEvaluation R2R:0\"\nrm $env:temp\\psexec.exe\n"
        name: powershell
        elevation_required: true
+    - name: Use RemCom to execute a command on a remote host
+      auto_generated_guid: a5d8cdeb-be90-43a9-8b26-cc618deac1e0
+      description: |
+        Requires having RemCom installed, path to RemCom is one of the input input_arguments
+        Will start a process on a remote host.
+        Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_host:
+          description: Remote hostname or IP address
+          type: string
+          default: localhost
+        user_name:
+          description: Username
+          type: string
+          default: Administrator
+        password:
+          description: Password
+          type: string
+          default: P@ssw0rd1
+        remcom_exe:
+          description: Path to RemCom
+          type: string
+          default: "$pathtoatomicsfolder\\T1569.002\\bin\\remcom.exe"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'RemCom tool must exist on disk at specified location (#{remcom_exe})
+
+          '
+        prereq_command: 'if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: 'Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe"
+          -OutFile "#{remcom_exe}"
+
+          '
+      executor:
+        command: '"#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password}
+          cmd.exe
+
+          '
+        name: command_prompt
  T1053.002:
    technique:
      x_mitre_platforms:
@@ -16,6 +16,8 @@ Adversaries may leverage these mechanisms to execute malicious content. This can

 - [Atomic Test #4 - BlackCat pre-encryption cmds with Lateral Movement](#atomic-test-4---blackcat-pre-encryption-cmds-with-lateral-movement)

+- [Atomic Test #5 - Use RemCom to execute a command on a remote host](#atomic-test-5---use-remcom-to-execute-a-command-on-a-remote-host)
+

 <br/>

@@ -209,4 +211,54 @@ rm $env:temp\psexec.exe



+<br/>
+<br/>
+
+## Atomic Test #5 - Use RemCom to execute a command on a remote host
+Requires having RemCom installed, path to RemCom is one of the input input_arguments
+Will start a process on a remote host.
+Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a5d8cdeb-be90-43a9-8b26-cc618deac1e0
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_host | Remote hostname or IP address | string | localhost|
+| user_name | Username | string | Administrator|
+| password | Password | string | P@ssw0rd1|
+| remcom_exe | Path to RemCom | string | $pathtoatomicsfolder&#92;T1569.002&#92;bin&#92;remcom.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+"#{remcom_exe}" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: RemCom tool must exist on disk at specified location (#{remcom_exe})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{remcom_exe}") { exit 0} else { exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe" -OutFile "#{remcom_exe}"
+```
+
+
+
+
 <br/>