From 9be96cf54f8bb78652d3cea9b18284e09fa6c536 Mon Sep 17 00:00:00 2001
From: Andras32
Date: Tue, 24 Sep 2019 09:36:03 -0500
Subject: [PATCH] T1076 rdp to domain controller (#572)
* Added MacOS and Linux isElevated check [toso: test MacOS]
* Update Invoke-AtomicTest.ps1
* Update Invoke-AtomicTest.ps1
* Update Invoke-AtomicTest.ps1
* T1076 RDP To Domain Controller
---
 atomics/T1076/T1076.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/atomics/T1076/T1076.yaml b/atomics/T1076/T1076.yaml
index 365c0a97..8754bd6a 100644
--- a/atomics/T1076/T1076.yaml
+++ b/atomics/T1076/T1076.yaml
@@ -19,3 +19,30 @@ atomic_tests:
 sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"
 net start sesshijack
 sc.exe delete sesshijack
+
+- name: RDPto-DomainController
+ description: |
+ Attempt an RDP session via "Connect-RDP" to a system. Default RDPs to (%logonserver%) as the current user
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+
+ logonserver:
+ description: ComputerName argument default %logonserver%
+ type: String
+ default: $ENV:logonserver.TrimStart("\")
+
+ username:
+ description: Username argument default %USERDOMAIN%\%username%
+ type: String
+ default: $Env:USERDOMAIN\$ENV:USERNAME
+
+ executor:
+ name: powershell
+ elevation_required: false
+ prereq_command: |
+ if((Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain) {0} else {1}
+ command: |
+ Connect-RDP -ComputerName #{logonserver} -User #{username}
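Review bot: The `command` line calls `Connect-RDP`, which is not a built-in PowerShell cmdlet, and nothing in the added test defines, imports or checks for it, so on a stock Windows host the test would likely stop at command-not-found and produce no RDP telemetry to validate detections against. The `prereq_command` only tests domain membership, and it emits `0` or `1` to the pipeline instead of setting an exit code, which the runner may not read as pass/fail (the runner's handling is not visible in this hunk). I would make both prerequisites explicit, e.g. `if ((Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain -and (Get-Command Connect-RDP -ErrorAction SilentlyContinue)) { exit 0 } else { exit 1 }`, and name where `Connect-RDP` comes from in the `description`. The test also has no cleanup step, so any session opened to the logon server is left running after the test completes.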