diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 0f140af2..e3e0891f 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -844,7 +844,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell
lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
-lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
+lateral-movement,T1021.006,Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
@@ -1253,6 +1253,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin
command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 9748317b..f024778f 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -604,7 +604,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell
lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
-lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
+lateral-movement,T1021.006,Windows Remote Management,2,Remote Code Execution with PS Credentials Using Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
@@ -909,6 +909,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin
command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 9c728cb9..e155fc0a 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1465,7 +1465,7 @@
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- - Atomic Test #2: Invoke-Command [windows]
+ - Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows]
- Atomic Test #3: WinRM Access with Evil-WinRM [windows]
- [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md)
- Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
@@ -2095,6 +2095,7 @@
- Atomic Test #23: Lolbas replace.exe use to copy file [windows]
- Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
- Atomic Test #25: certreq download [windows]
+ - Atomic Test #26: Download a file using wscript [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 79c3f983..a2bcf3fa 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -1060,7 +1060,7 @@
- T1563 Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1021.006 Windows Remote Management](../../T1021.006/T1021.006.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- - Atomic Test #2: Invoke-Command [windows]
+ - Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command [windows]
- Atomic Test #3: WinRM Access with Evil-WinRM [windows]
- [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md)
- Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
@@ -1521,6 +1521,7 @@
- Atomic Test #23: Lolbas replace.exe use to copy file [windows]
- Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
- Atomic Test #25: certreq download [windows]
+ - Atomic Test #26: Download a file using wscript [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index a944ce29..7f161f78 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -67595,27 +67595,34 @@ lateral-movement:
'
name: powershell
elevation_required: true
- - name: Invoke-Command
+ - name: Remote Code Execution with PS Credentials Using Invoke-Command
auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
description: |
Execute Invoke-command on remote host.
- Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
+ Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.
supported_platforms:
- windows
input_arguments:
- host_name:
- description: Remote Windows Host Name
- type: String
- default: localhost
- remote_command:
- description: Command to execute on remote Host
- type: String
- default: ipconfig
+ username:
+ description: The username running the powershell command
+ type: string
+ default: "$env:USERNAME"
+ remotehost:
+ description: The remote hostname of the machine you are running the powershell
+ command on.
+ type: string
+ default: "$env:COMPUTERNAME"
+ password:
+ description: The password to be used with the user provided in the previous
+ input argument.
+ type: string
+ default: test12345
executor:
- command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
-
- '
+ command: |-
+ $SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+ $Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
+ Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
name: powershell
- name: WinRM Access with Evil-WinRM
auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
@@ -91410,6 +91417,21 @@ command-and-control:
command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}'
cleanup_command: 'del #{local_path} >nul 2>&1'
name: command_prompt
+ - name: Download a file using wscript
+ auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188
+ description: Use wscript to run a local VisualBasic file to download a remote
+ file
+ supported_platforms:
+ - windows
+ input_arguments:
+ vbscript_file:
+ description: Full path to the VisualBasic downloading the file
+ type: String
+ default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs
+ executor:
+ command: 'wscript.exe #{vbscript_file}'
+ cleanup_command: del Atomic-License.txt >nul 2>&1
+ name: command_prompt
T1001.002:
technique:
x_mitre_platforms:
diff --git a/atomics/T1021.006/T1021.006.md b/atomics/T1021.006/T1021.006.md
index 5e070e13..2ec818bd 100644
--- a/atomics/T1021.006/T1021.006.md
+++ b/atomics/T1021.006/T1021.006.md
@@ -8,7 +8,7 @@ WinRM is the name of both a Windows service and a protocol that allows a user to
- [Atomic Test #1 - Enable Windows Remote Management](#atomic-test-1---enable-windows-remote-management)
-- [Atomic Test #2 - Invoke-Command](#atomic-test-2---invoke-command)
+- [Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command](#atomic-test-2---remote-code-execution-with-ps-credentials-using-invoke-command)
- [Atomic Test #3 - WinRM Access with Evil-WinRM](#atomic-test-3---winrm-access-with-evil-winrm)
@@ -45,10 +45,10 @@ Enable-PSRemoting -Force
-## Atomic Test #2 - Invoke-Command
+## Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command
Execute Invoke-command on remote host.
-Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
+Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.
**Supported Platforms:** Windows
@@ -62,15 +62,18 @@ Upon successful execution, powershell will execute ipconfig on localhost using `
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| host_name | Remote Windows Host Name | String | localhost|
-| remote_command | Command to execute on remote Host | String | ipconfig|
+| username | The username running the powershell command | string | $env:USERNAME|
+| remotehost | The remote hostname of the machine you are running the powershell command on. | string | $env:COMPUTERNAME|
+| password | The password to be used with the user provided in the previous input argument. | string | test12345|
#### Attack Commands: Run with `powershell`!
```powershell
-invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
+$SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
+Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
```
diff --git a/atomics/T1021.006/T1021.006.yaml b/atomics/T1021.006/T1021.006.yaml
index d19b621d..0a47fb86 100644
--- a/atomics/T1021.006/T1021.006.yaml
+++ b/atomics/T1021.006/T1021.006.yaml
@@ -14,27 +14,34 @@ atomic_tests:
Enable-PSRemoting -Force
name: powershell
elevation_required: true
-- name: Invoke-Command
+- name: Remote Code Execution with PS Credentials Using Invoke-Command
auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
description: |
Execute Invoke-command on remote host.
- Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
+ Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.
supported_platforms:
- windows
input_arguments:
- host_name:
- description: Remote Windows Host Name
- type: String
- default: localhost
- remote_command:
- description: Command to execute on remote Host
- type: String
- default: ipconfig
+ username:
+ description: The username running the powershell command
+ type: string
+ default: $env:USERNAME
+ remotehost:
+ description: The remote hostname of the machine you are running the powershell command on.
+ type: string
+ default: $env:COMPUTERNAME
+ password:
+ description: The password to be used with the user provided in the previous input argument.
+ type: string
+ default: test12345
executor:
- command: |
- invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
+ command: |-
+ $SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
+ $Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
+ Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
name: powershell
+
- name: WinRM Access with Evil-WinRM
auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
description: An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
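Review bot: The defaults shipped for this test cannot authenticate as written: `username` defaults to the current account while `password` defaults to the literal `test12345`, so a run with defaults fails at `Invoke-Command` unless that happens to be the current user's password (the generated index.yaml hunk carries the same defaults). The `description` block should say so, e.g. `Requires a valid credential pair for #{remotehost}; the default password is a placeholder and must be overridden.` A second point: `#{password}` is substituted into a double-quoted PowerShell string, so a password containing `$` or `"` is interpolated or breaks the command; since the password default does not rely on interpolation, `$SecPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force` is the safer form, whereas the `username` and `remotehost` defaults depend on `$env:` expansion and must keep their double quotes. The blank line added after `name: powershell` is stray whitespace.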
diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md
index ffac8680..74f3f203 100644
--- a/atomics/T1105/T1105.md
+++ b/atomics/T1105/T1105.md
@@ -58,6 +58,8 @@ On Windows, adversaries may use various utilities to download tools, such as `co
- [Atomic Test #25 - certreq download](#atomic-test-25---certreq-download)
+- [Atomic Test #26 - Download a file using wscript](#atomic-test-26---download-a-file-using-wscript)
+
@@ -1132,4 +1134,41 @@ del #{local_path} >nul 2>&1
+
+
+
+## Atomic Test #26 - Download a file using wscript
+Use wscript to run a local VisualBasic file to download a remote file
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 97116a3f-efac-4b26-8336-b9cb18c45188
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vbscript_file | Full path to the VisualBasic downloading the file | String | PathToAtomicsFolder\T1105\src\T1105-download-file.vbs|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+wscript.exe #{vbscript_file}
+```
+
+#### Cleanup Commands:
+```cmd
+del Atomic-License.txt >nul 2>&1
+```
+
+
+
+
+
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index b49dd3c9..09356531 100644
--- a/atomics/T1105/T1105.yaml
+++ b/atomics/T1105/T1105.yaml
@@ -700,4 +700,18 @@ atomic_tests:
command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}'
cleanup_command: 'del #{local_path} >nul 2>&1'
name: command_prompt
-
+
+- name: Download a file using wscript
+ auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188
+ description: Use wscript to run a local VisualBasic file to download a remote file
+ supported_platforms:
+ - windows
+ input_arguments:
+ vbscript_file:
+ description: Full path to the VisualBasic downloading the file
+ type: String
+ default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs
+ executor:
+ command: 'wscript.exe #{vbscript_file}'
+ cleanup_command: del Atomic-License.txt >nul 2>&1
+ name: command_prompt
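Review bot: `command: 'wscript.exe #{vbscript_file}'` passes the script path unquoted, so a `PathToAtomicsFolder` containing a space splits into two arguments and the test fails before the script runs; `command: 'wscript.exe "#{vbscript_file}"'` keeps the argument intact. The cleanup deletes `Atomic-License.txt` relative to the current directory, which only matches where the script writes if both commands run from the same working directory, and neither the description nor the inputs mention that output file; the description could read `Use wscript to run a local VisualBasic file that downloads the Atomic Red Team LICENSE.txt to Atomic-License.txt in the current working directory.` A `dependencies` entry with a `prereq_command` that checks `#{vbscript_file}` exists would give a clearer failure than wscript's own error when the atomics folder path is wrong.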
diff --git a/atomics/T1105/src/T1105-download-file.vbs b/atomics/T1105/src/T1105-download-file.vbs
new file mode 100644
index 00000000..2720a6e9
--- /dev/null
+++ b/atomics/T1105/src/T1105-download-file.vbs
@@ -0,0 +1,10 @@
+Set objWinHttp = CreateObject("WinHttp.WinHttpRequest.5.1")
+URL = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt"
+objWinHttp.open "GET", URL, False
+objWinHttp.send ""
+Dim BinaryStream
+Set BinaryStream = CreateObject("ADODB.Stream")
+BinaryStream.Type = 1
+BinaryStream.Open
+BinaryStream.Write objWinHttp.responseBody
+BinaryStream.SaveToFile "Atomic-License.txt", 2
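Review bot: The script writes `objWinHttp.responseBody` to disk without checking the response status, so a 4xx/5xx or a blocked download still produces an `Atomic-License.txt` containing the error page or an empty file, and the cleanup then removes the only evidence that the download did not work as intended; check `objWinHttp.Status` after `send` and exit non-zero on anything other than 200 so the executor reports the failure. `BinaryStream` is also never closed after `SaveToFile`, which is harmless for a short-lived wscript process but worth a `BinaryStream.Close` for tidiness. A one-line header comment would help readers arriving from the yaml, e.g. `' T1105 Atomic Test #26 helper: downloads the Atomic Red Team LICENSE.txt to Atomic-License.txt in the current working directory.`

```vbscript
objWinHttp.send ""
If objWinHttp.Status <> 200 Then
    WScript.Echo "Download failed: HTTP " & objWinHttp.Status
    WScript.Quit 1
End If
' … unchanged: ADODB.Stream setup and Write …
BinaryStream.SaveToFile "Atomic-License.txt", 2
BinaryStream.Close
```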
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 1235e5f5..03b61cda 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -1100,3 +1100,4 @@ a27418de-bdce-4ebd-b655-38f11142bf0c
33eacead-f117-4863-8eb0-5c6304fbfaa9
3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
57ba4ce9-ee7a-4f27-9928-3c70c489b59d
+97116a3f-efac-4b26-8336-b9cb18c45188