Generate docs from job=validate_atomics_generate_docs branch=master

2020-07-18 03:04:26 +00:00
parent 801ff20807
commit e80f7cfe29
8 changed files with 93 additions and 0 deletions
@@ -581,6 +581,7 @@ lateral-movement,T1021.006,Windows Remote Management,2,PowerShell Lateral Moveme
 lateral-movement,T1021.006,Windows Remote Management,3,WMIC Process Call Create,5cd59c3b-1375-4edf-9bac-5851c9915fca,command_prompt
 lateral-movement,T1021.006,Windows Remote Management,4,Psexec,9bab84a1-08fd-4245-b681-e62c78283002,command_prompt
 lateral-movement,T1021.006,Windows Remote Management,5,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
+lateral-movement,T1021.006,Windows Remote Management,6,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
 command-and-control,T1071.004,DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
 command-and-control,T1071.004,DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
 command-and-control,T1071.004,DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
@@ -447,5 +447,6 @@ lateral-movement,T1021.006,Windows Remote Management,2,PowerShell Lateral Moveme
 lateral-movement,T1021.006,Windows Remote Management,3,WMIC Process Call Create,5cd59c3b-1375-4edf-9bac-5851c9915fca,command_prompt
 lateral-movement,T1021.006,Windows Remote Management,4,Psexec,9bab84a1-08fd-4245-b681-e62c78283002,command_prompt
 lateral-movement,T1021.006,Windows Remote Management,5,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
+lateral-movement,T1021.006,Windows Remote Management,6,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
 initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
 initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
@@ -1061,6 +1061,7 @@
  - Atomic Test #3: WMIC Process Call Create [windows]
  - Atomic Test #4: Psexec [windows]
  - Atomic Test #5: Invoke-Command [windows]
+  - Atomic Test #6: WinRM Access with Evil-WinRM [windows]

 # command-and-control
 - T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -919,6 +919,7 @@
  - Atomic Test #3: WMIC Process Call Create [windows]
  - Atomic Test #4: Psexec [windows]
  - Atomic Test #5: Invoke-Command [windows]
+  - Atomic Test #6: WinRM Access with Evil-WinRM [windows]

 # initial-access
 - T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -42984,6 +42984,40 @@ lateral-movement:

 '
        name: powershell
+    - name: WinRM Access with Evil-WinRM
+      auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
+      description: An adversary may attempt to use Evil-WinRM with a valid account
+        to interact with remote systems that have WinRM enabled
+      supported_platforms:
+      - windows
+      input_arguments:
+        user_name:
+          description: Username
+          type: string
+          default: Domain\Administrator
+        destination_address:
+          description: Remote Host IP or Hostname
+          type: string
+          default: Target
+        password:
+          description: Password
+          type: string
+          default: P@ssw0rd1
+      dependency_executor_name: powershell
+      dependencies:
+      - description: Computer must have Ruby Installed
+        prereq_command: if (ruby -v) {exit 0} else {exit 1}
+        get_prereq_command: |-
+          Invoke-WebRequest  -OutFile $env:Temp\rubyinstaller-2.7.1-1-x64.exe https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe
+          $file1= $env:Temp + "\rubyinstaller-2.7.1-1-x64.exe"
+          Start-Process $file1 /S;
+      - description: Computer must have Evil-WinRM installed
+        prereq_command: if (evil-winrm -h) {exit 0} else {exit 1}
+        get_prereq_command: gem install evil-winrm
+      executor:
+        command: 'evil-winrm -i #{destination_address} -u #{user_name} -p #{password}'
+        name: powershell
+        elevation_required: true
 command-and-control:
  T1071:
    technique:
@@ -16,6 +16,8 @@ WinRM is the name of both a Windows service and a protocol that allows a user to

 - [Atomic Test #5 - Invoke-Command](#atomic-test-5---invoke-command)

+- [Atomic Test #6 - WinRM Access with Evil-WinRM](#atomic-test-6---winrm-access-with-evil-winrm)
+

 <br/>

@@ -191,4 +193,55 @@ invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}



+<br/>
+<br/>
+
+## Atomic Test #6 - WinRM Access with Evil-WinRM
+An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| user_name | Username | string | Domain&#92;Administrator|
+| destination_address | Remote Host IP or Hostname | string | Target|
+| password | Password | string | P@ssw0rd1|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+evil-winrm -i #{destination_address} -u #{user_name} -p #{password}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: 
+##### Check Prereq Commands:
+```powershell
+ 
+```
+##### Get Prereq Commands:
+```powershell
+
+```
+##### Description: 
+##### Check Prereq Commands:
+```powershell
+ 
+```
+##### Get Prereq Commands:
+```powershell
+
+```
+
+
+
+
 <br/>
@@ -121,6 +121,7 @@ atomic_tests:
      invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
    name: powershell
 - name: WinRM Access with Evil-WinRM
+  auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
  description: An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
  supported_platforms:
  - windows
@@ -551,3 +551,4 @@ a123ce6a-3916-45d6-ba9c-7d4081315c27
 a90c2f4d-6726-444e-99d2-a00cd7c20480
 43f71395-6c37-498e-ab17-897d814a0947
 d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
+efe86d95-44c4-4509-ae42-7bfd9d1f5b3d