Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

T1021.006 - Change default target for MMC remote exec to localhost #1218

Merged
merged 2 commits into from
Sep 15, 2020
Merged

T1021.006 - Change default target for MMC remote exec to localhost #1218

merged 2 commits into from
Sep 15, 2020

Conversation

Jil
Copy link
Contributor

@Jil Jil commented Sep 10, 2020

Details:
The remote execution through MMC (which btw should probably not be in this technique, as suggested in #1042 ) has a default value of computer1 for the execution target. Defaulting to localhost so it may run without additional argument. The detection is likely based upon the process tree anyway.

Testing:
Ran locally and remotely, comparing artefacts in Sysmon and Security event logs to see what may be missed be running it locally (4624/3, that's all)

Associated Issues:

@clr2of8 clr2of8 merged commit 74ad184 into redcanaryco:master Sep 15, 2020
MDF636162 pushed a commit to MDF636162/atomic-red-team that referenced this pull request Nov 8, 2020
@Jil @dcambefort-scrt
@clr2of8 @MDF636162
Changed default computer target from computer1 to localhost in the re…
8d44165 
…mote execution through MMC (redcanaryco#1218)

Co-authored-by: Didier Cambefort <[email protected]>
Co-authored-by: Carrie Roberts <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@clr2of8 clr2of8 clr2of8 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Jil @clr2of8 @dcambefort-scrt