diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 6dd8db70..d6367e6c 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -70433,32 +70433,16 @@ lateral-movement:
 elevation_required: true
 - name: Remote Code Execution with PS Credentials Using Invoke-Command
 auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
- description: |
- Execute Invoke-command on remote host.
-
- Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.
+ description: "Simulate lateral movement with PowerShell Remoting on the local
+ host. \nUpon successful execution, PowerShell will execute `whoami` using
+ `Invoke-Command`, targeting the \nlocal machine as remote target.\n"
 supported_platforms:
 - windows
- input_arguments:
- username:
- description: The username running the powershell command
- type: string
- default: "$env:USERNAME"
- remotehost:
- description: The remote hostname of the machine you are running the powershell
- command on.
- type: string
- default: "$env:COMPUTERNAME"
- password:
- description: The password to be used with the user provided in the previous
- input argument.
- type: string
- default: test12345
 executor:
 command: |-
- $SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
- $Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
- Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
+ Enable-PSRemoting -Force
+ Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock {whoami}
+ cleanup_command: Disable-PSRemoting -Force
 name: powershell
 - name: WinRM Access with Evil-WinRM
 auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
diff --git a/atomics/T1021.006/T1021.006.md b/atomics/T1021.006/T1021.006.md
index a383ba19..a998412b 100644
--- a/atomics/T1021.006/T1021.006.md
+++ b/atomics/T1021.006/T1021.006.md
@@ -46,9 +46,9 @@ Enable-PSRemoting -Force
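Review bot: The executor for this test still carries no `elevation_required: true`, although the new command opens with `Enable-PSRemoting -Force`, which reconfigures the WinRM service, its listener and the firewall rule and fails in a non-elevated session; the executor block in the hunk ends at `name: powershell` while the preceding test's context lines show the flag, so add `elevation_required: true` under `executor:` here (and in the technique's own YAML that this index is presumably generated from, which is not in the diff). The retained `name`, `Remote Code Execution with PS Credentials Using Invoke-Command`, no longer matches what the test does, since the `-Credential` argument and all three input_arguments were removed and the target is now the local host only. The `cleanup_command` `Disable-PSRemoting -Force` runs regardless of whether remoting was already enabled before the test, and per Microsoft's documentation it does not revert everything Enable-PSRemoting changed (the WinRM service, its listener and the firewall exception remain), so the description should state that the host is left with remoting configured; the T1021.006.md section in the second file inherits the same wording. The description would also read more cleanly as a block scalar, `description: |`, as the removed lines used, instead of a double-quoted scalar with embedded `\n` and a trailing space before the first `\n`.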
 ## Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command
-Execute Invoke-command on remote host.
-
-Upon successful execution, powershell will execute whoami on specified remote host using `invoke-command`.
+Simulate lateral movement with PowerShell Remoting on the local host.
+Upon successful execution, PowerShell will execute `whoami` using `Invoke-Command`, targeting the
+local machine as remote target.
 **Supported Platforms:** Windows
@@ -59,23 +59,19 @@ Upon successful execution, powershell will execute whoami on specified remote ho
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| username | The username running the powershell command | string | $env:USERNAME|
-| remotehost | The remote hostname of the machine you are running the powershell command on. | string | $env:COMPUTERNAME|
-| password | The password to be used with the user provided in the previous input argument. | string | test12345|
-
 #### Attack Commands: Run with `powershell`!
 ```powershell
-$SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
-$Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
-Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}
+Enable-PSRemoting -Force
+Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock {whoami}
 ```
+#### Cleanup Commands:
+```powershell
+Disable-PSRemoting -Force
+```