* OCD :) * Generate docs from job=validate_atomics_generate_docs branch=atomic_friday Co-authored-by: CircleCI Atomic Red Team doc generator <email>
Getting Lateral
Using DetectionLab, we will enable PSRemoting on our remote host WEF and execute our Atomic Test on it.
Setup
On WEF
Enable-PSRemoting
On Win10
Same terminal we used earlier:
$sess = New-PSSession -ComputerName wef -Credential windomain.local\administrator
This prompts for credentials.
Let's get Remote (execution)
Wiki - https://github.com/redcanaryco/invoke-atomicredteam/wiki/Execute-Atomic-Tests-(Remote)
After you have established the PS session ($sess), you can proceed with test execution as follows. First review what each test will do; -ShowDetails only displays the test and does not run it:
Invoke-AtomicTest T1117 -TestNumbers 2 -ShowDetails
Invoke-AtomicTest T1003 -TestNumbers 4 -ShowDetails
Install any required prerequisites on the remote machine before test execution
Invoke-AtomicTest T1117 -Session $sess -GetPrereqs
Execute the atomic tests for techniques T1117 and T1003 on the remote machine
Invoke-AtomicTest T1117 -Session $sess -TestNumbers 2
Invoke-AtomicTest T1003 -TestNumbers 4 -Session $sess
Validate execution
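One way to carry out this validation step, as an added example that is not part of the original workshop material: it records a start time, runs the remote test, then pulls Sysmon process-creation events (Event ID 1) from WEF over the same session. It assumes Sysmon is installed on WEF and logs to its standard channel; the helper name Confirm-AtomicExecution and the regsvr32 pattern used for T1117 are choices made for this example.

```powershell
# Added example: run an atomic test remotely, then confirm it left telemetry.
# Assumption: Sysmon is installed on the remote host and logs to
# 'Microsoft-Windows-Sysmon/Operational'. Confirm-AtomicExecution is a
# hypothetical helper name, not part of Invoke-AtomicRedTeam.
function Confirm-AtomicExecution {
    param(
        [Parameter(Mandatory)] [System.Management.Automation.Runspaces.PSSession] $Session,
        [Parameter(Mandatory)] [string] $Technique,
        [Parameter(Mandatory)] [string[]] $TestNumbers,
        [Parameter(Mandatory)] [string] $ProcessPattern,   # regex matched against the event message
        [int] $SettleSeconds = 5                           # time for events to be written
    )

    # Take the start time from the remote clock so the filter is not skewed.
    $start = Invoke-Command -Session $Session -ScriptBlock { Get-Date }

    Invoke-AtomicTest $Technique -Session $Session -TestNumbers $TestNumbers
    Start-Sleep -Seconds $SettleSeconds

    # Query only process-creation events written since the test started.
    $events = Invoke-Command -Session $Session -ArgumentList $start, $ProcessPattern -ScriptBlock {
        param($since, $pattern)
        $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match $pattern } |
            Select-Object TimeCreated, Id, @{ n = 'Summary'; e = {
                ($_.Message -split "`r?`n" |
                    Select-String -Pattern '^(Image|CommandLine|ParentImage|User):') -join '; ' } }
    }

    if (-not $events) {
        # No match means the test did not run or the telemetry is missing.
        Write-Warning "No matching Sysmon events on $($Session.ComputerName) since $start."
    }
    $events
}

# T1117 is the Regsvr32 technique, so look for regsvr32.exe process creation.
Confirm-AtomicExecution -Session $sess -Technique T1117 -TestNumbers 2 -ProcessPattern 'regsvr32\.exe'
```

An empty result is as useful as a populated one: it points to either a failed test run or a gap in logging on the remote host.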
Random Tips
- Add the user to the "Remote Management Users" group.
- Enabling PowerShell remoting on client versions of Windows when the computer is on a public network is normally disallowed, but you can skip this restriction by using the SkipNetworkProfileCheck parameter. For more information, see the description of the SkipNetworkProfileCheck parameter.
- PSRemoting to a Windows Server requires an Administrator account (I used Administrator above, as shown in the example).