T1047 - Wmic process create tests (#679)

* T1047 - Wmic process create tests * Generate docs from job=validate_atomics_generate_docs branch=t1047-wmic-process
2019-11-20 16:36:42 -06:00
parent 4c3e2c3d83
commit 8eb281faa6
5 changed files with 126 additions and 0 deletions
@@ -14,6 +14,10 @@ An adversary can use WMI to interact with local and remote systems and use it as

 - [Atomic Test #4 - WMI Reconnaissance List Remote Services](#atomic-test-4---wmi-reconnaissance-list-remote-services)

+- [Atomic Test #5 - WMI Execute Local Process](#atomic-test-5---wmi-execute-local-process)
+
+- [Atomic Test #6 - WMI Execute Remote Process](#atomic-test-6---wmi-execute-remote-process)
+

 <br/>

@@ -84,4 +88,47 @@ wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%")



+<br/>
+<br/>
+
+## Atomic Test #5 - WMI Execute Local Process
+This test uses wmic.exe to execute a process on the local host.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| process_to_execute | Name or path of process to execute. | String | calc.exe|
+
+#### Run it with `command_prompt`! 
+```
+wmic process call create #{process_to_execute}
+```
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - WMI Execute Remote Process
+This test uses wmic.exe to execute a process on a remote host.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| node | Ip Address | String | 192.168.0.1|
+| process_to_execute | Name or path of process to execute. | String | calc.exe|
+
+#### Run it with `command_prompt`! 
+```
+wmic /node:"#{node}" process call create #{process_to_execute}
+```
+
+
+
 <br/>
@@ -54,3 +54,40 @@ atomic_tests:
    command: |
      wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%")
  
+- name: WMI Execute Local Process
+  description: |
+    This test uses wmic.exe to execute a process on the local host.
+
+  supported_platforms:
+    - windows
+  input_arguments:
+    process_to_execute:
+      description: Name or path of process to execute.
+      type: String
+      default: calc.exe
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      wmic process call create #{process_to_execute}
+
+- name: WMI Execute Remote Process
+  description: |
+    This test uses wmic.exe to execute a process on a remote host.
+
+  supported_platforms:
+    - windows
+  input_arguments:
+    node:
+      description: Ip Address
+      type: String
+      default: 192.168.0.1
+    process_to_execute:
+      description: Name or path of process to execute.
+      type: String
+      default: calc.exe
+  executor:
+    name: command_prompt
+    elevation_required: false
+    command: |
+      wmic /node:"#{node}" process call create #{process_to_execute}
@@ -781,6 +781,8 @@
  - Atomic Test #2: WMI Reconnaissance Processes [windows]
  - Atomic Test #3: WMI Reconnaissance Software [windows]
  - Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
+  - Atomic Test #5: WMI Execute Local Process [windows]
+  - Atomic Test #6: WMI Execute Remote Process [windows]
 - [T1028 Windows Remote Management](./T1028/T1028.md)
  - Atomic Test #1: Enable Windows Remote Management [windows]
  - Atomic Test #2: PowerShell Lateral Movement [windows]
@@ -22558,6 +22558,44 @@ execution:
        command: 'wmic /node:"#{node}" service where (caption like "%#{service_search_string}
          (%")

+'
+    - name: WMI Execute Local Process
+      description: 'This test uses wmic.exe to execute a process on the local host.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        process_to_execute:
+          description: Name or path of process to execute.
+          type: String
+          default: calc.exe
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: 'wmic process call create #{process_to_execute}
+
+'
+    - name: WMI Execute Remote Process
+      description: 'This test uses wmic.exe to execute a process on a remote host.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        node:
+          description: Ip Address
+          type: String
+          default: 192.168.0.1
+        process_to_execute:
+          description: Name or path of process to execute.
+          type: String
+          default: calc.exe
+      executor:
+        name: command_prompt
+        elevation_required: false
+        command: 'wmic /node:"#{node}" process call create #{process_to_execute}
+
 '
  T1028:
    technique:
@@ -648,6 +648,8 @@
  - Atomic Test #2: WMI Reconnaissance Processes [windows]
  - Atomic Test #3: WMI Reconnaissance Software [windows]
  - Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
+  - Atomic Test #5: WMI Execute Local Process [windows]
+  - Atomic Test #6: WMI Execute Remote Process [windows]
 - [T1028 Windows Remote Management](./T1028/T1028.md)
  - Atomic Test #1: Enable Windows Remote Management [windows]
  - Atomic Test #2: PowerShell Lateral Movement [windows]