From a089e2f7ec710e4714f4819fa3a3b74efdefb291 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Wed, 20 Apr 2022 02:40:38 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 atomics/Indexes/Indexes-CSV/index.csv | 1 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 1 +
 atomics/Indexes/Indexes-Markdown/index.md | 1 +
 .../Indexes/Indexes-Markdown/windows-index.md | 1 +
 atomics/Indexes/index.yaml | 41 +++++++++++++
 atomics/T1219/T1219.md | 61 +++++++++++++++++++
 6 files changed, 106 insertions(+)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 46bd1245..f31c8557 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -1131,6 +1131,7 @@ command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test o
 command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
 command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
 command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
+command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
 command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
 command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 068b74d5..4161ea34 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -710,6 +710,7 @@ command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test o
 command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell
 command-and-control,T1219,Remote Access Software,5,ScreenConnect Application Download and Install on Windows,4a18cc4e-416f-4966-9a9d-75731c4684c0,powershell
 command-and-control,T1219,Remote Access Software,6,Ammyy Admin Software Execution,0ae9e327-3251-465a-a53b-485d4e3f58fa,powershell
+command-and-control,T1219,Remote Access Software,7,RemotePC Software Execution,fbff3f1f-b0bf-448e-840f-7e1687affdce,powershell
 command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
 command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell
 command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index e62d5397..3d2b65a9 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1861,6 +1861,7 @@
 - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
 - Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
 - Atomic Test #6: Ammyy Admin Software Execution [windows]
+ - Atomic Test #7: RemotePC Software Execution [windows]
 - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
 - Atomic Test #1: Base64 Encoded data. [macos, linux]
 - Atomic Test #2: XOR Encoded data. [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index ca47ded2..f0f4f52f 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1169,6 +1169,7 @@
 - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows]
 - Atomic Test #5: ScreenConnect Application Download and Install on Windows [windows]
 - Atomic Test #6: Ammyy Admin Software Execution [windows]
+ - Atomic Test #7: RemotePC Software Execution [windows]
 - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md)
 - Atomic Test #2: XOR Encoded data. [windows]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 99866aa6..588ce907 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -76398,6 +76398,47 @@ command-and-control:
 '
 name: powershell
 elevation_required: true
+ - name: RemotePC Software Execution
+ auto_generated_guid: fbff3f1f-b0bf-448e-840f-7e1687affdce
+ description: "An adversary may attempt to trick the user into downloading RemotePC
+ Software for use as a C2 channel. \nUpon successful execution, RemotePC will
+ be executed. \n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ RemotePC_Path:
+ description: Path of RemotePC executable
+ type: Path
+ default: "$env:temp\\RemotePC.exe"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'RemotePC must exist on disk at the specified location (#{RemotePC_Path})
+
+'
+ prereq_command: 'if (Test-Path #{RemotePC_Path}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Start-BitsTransfer -Source "https://static.remotepc.com/downloads/rpc/140422/RemotePC.exe"
+ -Destination "#{RemotePC_Path}" -dynamic
+
+'
+ executor:
+ command: 'Start-Process #{RemotePC_Path}
+
+'
+ cleanup_command: "Unregister-ScheduledTask -TaskName \"RemotePC\" -Confirm:$False
+ -ErrorAction SilentlyContinue\nUnregister-ScheduledTask -TaskName \"RPCServiceHealthCheck\"
+ -Confirm:$False -ErrorAction SilentlyContinue\nUnregister-ScheduledTask
+ -TaskName \"ServiceMonitor\" -Confirm:$False -ErrorAction SilentlyContinue\nUnregister-ScheduledTask
+ -TaskName \"StartRPCService\" -Confirm:$False -ErrorAction SilentlyContinue
+ \ \nStop-Process -Name \"RemotePCPerformance\" -force -erroraction silentlycontinue\nStop-Process
+ -Name \"RPCPerformanceService\" -force -erroraction silentlycontinue\nStop-Process
+ -Name \"RemotePCUIU\" -force -erroraction silentlycontinue\nStop-Process
+ -Name \"RPCDownloader\" -force -erroraction silentlycontinue\nStop-Process
+ -Name \"RemotePCService\" -force -erroraction silentlycontinue\nStop-Process
+ -Name \"RPCService\" -force -erroraction silentlycontinue\n"
+ name: powershell
+ elevation_required: true
 T1132.001:
 technique:
 object_marking_refs:
diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md
index 2ee675a3..f7e9abcb 100644
--- a/atomics/T1219/T1219.md
+++ b/atomics/T1219/T1219.md
@@ -20,6 +20,8 @@ Admin tools such as TeamViewer have been used by several groups targeting instit
 - [Atomic Test #6 - Ammyy Admin Software Execution](#atomic-test-6---ammyy-admin-software-execution)
+- [Atomic Test #7 - RemotePC Software Execution](#atomic-test-7---remotepc-software-execution)
+
@@ -250,4 +252,63 @@ Start-BitsTransfer -Source "https://web.archive.org/web/20140625232737/http://ww
+
+
+
+## Atomic Test #7 - RemotePC Software Execution
+An adversary may attempt to trick the user into downloading RemotePC Software for use as a C2 channel.
+Upon successful execution, RemotePC will be executed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fbff3f1f-b0bf-448e-840f-7e1687affdce
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| RemotePC_Path | Path of RemotePC executable | Path | $env:temp\RemotePC.exe|
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+Start-Process #{RemotePC_Path}
+```
+
+#### Cleanup Commands:
+```powershell
+Unregister-ScheduledTask -TaskName "RemotePC" -Confirm:$False -ErrorAction SilentlyContinue
+Unregister-ScheduledTask -TaskName "RPCServiceHealthCheck" -Confirm:$False -ErrorAction SilentlyContinue
+Unregister-ScheduledTask -TaskName "ServiceMonitor" -Confirm:$False -ErrorAction SilentlyContinue
+Unregister-ScheduledTask -TaskName "StartRPCService" -Confirm:$False -ErrorAction SilentlyContinue
+Stop-Process -Name "RemotePCPerformance" -force -erroraction silentlycontinue
+Stop-Process -Name "RPCPerformanceService" -force -erroraction silentlycontinue
+Stop-Process -Name "RemotePCUIU" -force -erroraction silentlycontinue
+Stop-Process -Name "RPCDownloader" -force -erroraction silentlycontinue
+Stop-Process -Name "RemotePCService" -force -erroraction silentlycontinue
+Stop-Process -Name "RPCService" -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: RemotePC must exist on disk at the specified location (#{RemotePC_Path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{RemotePC_Path}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Start-BitsTransfer -Source "https://static.remotepc.com/downloads/rpc/140422/RemotePC.exe" -Destination "#{RemotePC_Path}" -dynamic
+```
+
+
+
+