Atomics change t1021 001 atc (#1147)

* atomics T1021 changed * changes * changes * changes Co-authored-by: Patrick Bareiss <pbareib@splunk.com>
2020-07-20 18:15:18 +02:00
parent 3d13b787ae
commit 55133f23ee
1 changed files with 52 additions and 6 deletions
@@ -28,7 +28,7 @@ atomic_tests:
 - name: RDPto-DomainController
  auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e
  description: |
-    Attempt an RDP session via "Connect-RDP" to a system. Default RDPs to (%logonserver%) as the current user
+    Attempt an RDP session via Remote Desktop Application to a DomainController.
  supported_platforms:
  - windows
  input_arguments:
@@ -36,10 +36,18 @@ atomic_tests:
      description: ComputerName argument default %logonserver%
      type: String
      default: $ENV:logonserver.TrimStart("\")
-    username:
-      description: Username argument default %USERDOMAIN%\%username%
+    domain:
+      description: domain argument default %USERDOMAIN%
      type: String
-      default: $Env:USERDOMAIN\$ENV:USERNAME
+      default: $Env:USERDOMAIN
+    username:
+      description: Username argument default %username%
+      type: String
+      default: $ENV:USERNAME
+    password:
+      description: Password
+      type: String
+      default: 1password2!
  dependencies:
  - description: |
      Computer must be domain joined
@@ -49,6 +57,44 @@ atomic_tests:
      Write-Host Joining this computer to a domain must be done manually
  executor:
    command: |
-      Connect-RDP -ComputerName #{logonserver} -User #{username}
+      $Server=#{logonserver}
+      $User = Join-Path #{domain} #{username}
+      $Password="#{password}"
+      cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
+      mstsc /v:$Server
+      echo "RDP connection established"
+    cleanup_command: |
+      $p=Tasklist /svc /fi "IMAGENAME eq mstsc.exe" /fo csv | convertfrom-csv
+      if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }
+    name: powershell
+- name: RDP to Server
+  auto_generated_guid: 7382a43e-f19c-46be-8f09-5c63af7d3e2b
+  description: |
+    Attempt an RDP session via Remote Desktop Application over Powershell
+  supported_platforms:
+  - windows
+  input_arguments:
+    logonserver:
+      description: ComputerName
+      type: String
+      default: WIN-DC
+    username:
+      description: Username
+      type: String
+      default: Administrator
+    password:
+      description: Password
+      type: String
+      default: 1password2!
+  executor:
+    command: |
+      $Server="#{logonserver}"
+      $User="#{username}"
+      $Password="#{password}"
+      cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
+      mstsc /v:$Server
+      echo "RDP connection established"
+    cleanup_command: |
+      $p=Tasklist /svc /fi "IMAGENAME eq mstsc.exe" /fo csv | convertfrom-csv
+      if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }
    name: powershell
-