diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 644d3569..2ccd8fcd 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -545,6 +545,7 @@ execution,T1059.001,PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be
execution,T1059.001,PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
execution,T1059.001,PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
execution,T1059.001,PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
+execution,T1059.001,PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 23c01a96..f4e9afeb 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -375,6 +375,7 @@ execution,T1059.001,PowerShell,10,Powershell Invoke-DownloadCradle,cc50fa2a-a4be
execution,T1059.001,PowerShell,11,PowerShell Fileless Script Execution,fa050f5e-bc75-4230-af73-b6fd7852cd73,powershell
execution,T1059.001,PowerShell,12,PowerShell Downgrade Attack,9148e7c4-9356-420e-a416-e896e9c0f73e,powershell
execution,T1059.001,PowerShell,13,NTFS Alternate Data Stream Access,8e5c5532-1181-4c1d-bb79-b3a9f5dbd680,powershell
+execution,T1059.001,PowerShell,14,PowerShell Session Creation and Use,7c1acec2-78fa-4305-a3e0-db2a54cddecd,powershell
execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 817164bb..08f15eb3 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -987,6 +987,7 @@
- Atomic Test #11: PowerShell Fileless Script Execution [windows]
- Atomic Test #12: PowerShell Downgrade Attack [windows]
- Atomic Test #13: NTFS Alternate Data Stream Access [windows]
+ - Atomic Test #14: PowerShell Session Creation and Use [windows]
- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index e8fb21ae..911bf5be 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -757,6 +757,7 @@
- Atomic Test #11: PowerShell Fileless Script Execution [windows]
- Atomic Test #12: PowerShell Downgrade Attack [windows]
- Atomic Test #13: NTFS Alternate Data Stream Access [windows]
+ - Atomic Test #14: PowerShell Session Creation and Use [windows]
- T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
- Atomic Test #1: Scheduled Task Startup Script [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 7ab40f68..52a8f663 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -39950,6 +39950,7 @@ execution:
-contains "NTFS") {exit 0} else {exit 1}
get_prereq_command: Write-Host Prereq's for this test cannot be met automatically
executor:
+ name: powershell
command: |
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
@@ -39957,7 +39958,33 @@ execution:
cleanup_command: 'Remove-Item #{ads_file} -Force -ErrorAction Ignore
'
+ - name: PowerShell Session Creation and Use
+ auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd
+ description: |
+ Connect to a remote powershell session and interact with the host.
+ Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
+ supported_platforms:
+ - windows
+ input_arguments:
+ hostname_to_connect:
+ description: The host to connect to, by default it will connect to the local
+ machine
+ type: String
+ default: "$env:COMPUTERNAME"
+ dependencies:
+ - description: PSRemoting must be enabled
+ prereq_command: "Try {\n New-PSSession -ComputerName #{hostname_to_connect}
+ -ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}"
+ get_prereq_command: Enable-PSRemoting
+ executor:
name: powershell
+ elevation_required: true
+ command: |
+ New-PSSession -ComputerName #{hostname_to_connect}
+ Test-Connection $env:COMPUTERNAME
+ Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
+ Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
+ Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
T1059.006:
technique:
external_references:
diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md
index 6c89448b..d22e90e9 100644
--- a/atomics/T1059.001/T1059.001.md
+++ b/atomics/T1059.001/T1059.001.md
@@ -36,6 +36,8 @@ PowerShell commands/scripts can also be executed without directly invoking the <
- [Atomic Test #13 - NTFS Alternate Data Stream Access](#atomic-test-13---ntfs-alternate-data-stream-access)
+- [Atomic Test #14 - PowerShell Session Creation and Use](#atomic-test-14---powershell-session-creation-and-use)
+
@@ -457,4 +459,56 @@ Write-Host Prereq's for this test cannot be met automatically
+
+
+
+## Atomic Test #14 - PowerShell Session Creation and Use
+Connect to a remote powershell session and interact with the host.
+Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| hostname_to_connect | The host to connect to, by default it will connect to the local machine | String | $env:COMPUTERNAME|
+
+
+#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
+
+
+```powershell
+New-PSSession -ComputerName #{hostname_to_connect}
+Test-Connection $env:COMPUTERNAME
+Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
+Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
+Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
+```
+
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: PSRemoting must be enabled
+##### Check Prereq Commands:
+```powershell
+Try {
+ New-PSSession -ComputerName #{hostname_to_connect} -ErrorAction Stop | Out-Null
+ exit 0
+}
+Catch {
+ exit 1
+}
+```
+##### Get Prereq Commands:
+```powershell
+Enable-PSRemoting
+```
+
+
+
+
diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml
index 7b2269d8..2635afc7 100644
--- a/atomics/T1059.001/T1059.001.yaml
+++ b/atomics/T1059.001/T1059.001.yaml
@@ -227,6 +227,7 @@ atomic_tests:
Remove-Item #{ads_file} -Force -ErrorAction Ignore
- name: PowerShell Session Creation and Use
+ auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd
description: |
Connect to a remote powershell session and interact with the host.
Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
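Review bot: The test entry that receives this GUID never tears down the session it creates: its executor (visible in this commit's `atomics/Indexes/index.yaml` hunk) runs `New-PSSession -ComputerName #{hostname_to_connect}` with no `cleanup_command`, and the `prereq_command` opens a second session that is only piped to `Out-Null`, so each run leaves orphaned PSSessions on the target until they time out. The entry begins at the `- name:` context line above and continues past the end of this hunk, and the fix belongs in this source file rather than in the generated index and markdown files also touched by the commit. I would add `cleanup_command: 'Get-PSSession | Remove-PSSession -ErrorAction Ignore'` after the executor, matching the style of the `cleanup_command` on the preceding test, and change the prereq line to `New-PSSession -ComputerName #{hostname_to_connect} -ErrorAction Stop | Remove-PSSession`. The marker string `T1086 PowerShell Session Creation and Use` written to `$env:TEMP` also carries the technique ID T1086 inside a T1059.001 test; presumably a leftover from where the test originated, and worth aligning with the technique the file now lives under so the artifact matches the documentation.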
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 14fec552..cf561f18 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -541,3 +541,4 @@ d9841bf8-f161-4c73-81e9-fd773a5ff8c1
21748c28-2793-4284-9e07-d6d028b66702
263ae743-515f-4786-ac7d-41ef3a0d4b2b
2770dea7-c50f-457b-84c4-c40a47460d9f
+7c1acec2-78fa-4305-a3e0-db2a54cddecd