
Remote Services: Windows Remote Management

Description from ATT&CK

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)

Atomic Tests

Atomic Test #1 - Enable Windows Remote Management

Powershell Enable WinRM

Upon successful execution, PowerShell runs Enable-PSRemoting, which starts the WinRM service, creates an HTTP listener on TCP 5985, enables the WinRM firewall exception and enables the PowerShell session configurations, allowing remote PowerShell access to this host.

Supported Platforms: windows

auto_generated_guid: 9059e8de-3d7d-4954-a322-46161880b9cf

Inputs:

None

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Enable-PSRemoting -Force
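The test above changes several settings at once; the following added example (not part of the Atomic Red Team test) audits what Enable-PSRemoting left behind on the host, so you can confirm the test fired and see exactly what an adversary gained. Run it in an elevated PowerShell on the host that ran Test #1; the Get-NetFirewallRule and Get-LocalGroupMember calls assume Windows 8/Server 2012 or later and are skipped quietly where absent.

```powershell
# Added example, not Atomic Red Team code: audit the WinRM footprint left by Enable-PSRemoting.
# Run elevated on the host that executed Test #1.
$report = [ordered]@{}

# 1. Service state. Enable-PSRemoting starts WinRM and sets it to Automatic.
$svc = Get-Service -Name WinRM
$report.Service = "$($svc.Status) (StartType=$($svc.StartType))"

# 2. Listeners. Enable-PSRemoting creates an HTTP listener on TCP 5985 bound to all addresses (*).
#    Each listener is a container in the WSMan: drive whose child items hold its properties.
$report.Listeners = Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
    $props = Get-ChildItem -Path $_.PSPath
    [pscustomobject]@{
        Transport = ($props | Where-Object Name -eq 'Transport').Value
        Port      = ($props | Where-Object Name -eq 'Port').Value
        Address   = ($props | Where-Object Name -eq 'Address').Value
        Enabled   = ($props | Where-Object Name -eq 'Enabled').Value
    }
}

# 3. Service-side authentication settings worth flagging: unencrypted traffic and Basic auth
#    should both be 'false'; Enable-PSRemoting does not turn them on, but a prior operator might have.
$report.AllowUnencrypted = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
$report.BasicAuth        = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value

# 4. Firewall rules in the 'Windows Remote Management' group that Enable-PSRemoting enabled.
$report.Firewall = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Where-Object Enabled -eq 'True' |
    Select-Object DisplayName, Profile, Direction

# 5. Who can connect: local Administrators plus members of 'Remote Management Users'.
$report.RemoteManagementUsers = (Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue).Name

# 6. Loopback check that the listener actually answers WS-Management requests.
try {
    $report.WsManReachable = (Test-WSMan -ErrorAction Stop).ProductVersion
} catch {
    $report.WsManReachable = "unreachable: $($_.Exception.Message)"
}

$report
```

Note that Disable-PSRemoting only disables the session configurations; the WinRM service, the HTTP listener and the firewall rules stay in place and must be removed separately if you want the host back to its pre-test state.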

Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command

Execute Invoke-Command on a remote host.

Upon successful execution, PowerShell will execute whoami on the specified remote host using Invoke-Command.

Supported Platforms: windows

auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6

Inputs:

Name | Description | Type | Default Value
---- | ----------- | ---- | -------------
username | The username running the powershell command | string | $env:USERNAME
remotehost | The hostname of the remote machine on which the command will be executed | string | $env:COMPUTERNAME
password | The password to be used with the user provided in the previous input argument | string | test12345

Attack Commands: Run with powershell!

$SecPassword = ConvertTo-SecureString "#{password}" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential("#{username}", $SecPassword)
Invoke-Command -ComputerName "#{remotehost}" -Credential $Cred -ScriptBlock {whoami}

Atomic Test #3 - WinRM Access with Evil-WinRM

An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled

Supported Platforms: windows

auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d

Inputs:

Name | Description | Type | Default Value
---- | ----------- | ---- | -------------
user_name | Username | String | Domain\Administrator
destination_address | Remote Host IP or Hostname | String | Target
password | Password | String | P@ssw0rd1

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

evil-winrm -i #{destination_address} -u #{user_name} -p #{password}

Dependencies: Run with powershell!

Description: Computer must have Ruby installed

Check Prereq Commands:

try {if (ruby -v) {exit 0} else {exit 1}} catch {exit 1}

Get Prereq Commands:

Invoke-WebRequest -OutFile $env:Temp\rubyinstaller-2.7.1-1-x64.exe https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe
$file1= $env:Temp + "\rubyinstaller-2.7.1-1-x64.exe"
Start-Process $file1 /S;

Description: Computer must have Evil-WinRM installed

Check Prereq Commands:

try {if (evil-winrm -h) {exit 0} else {exit 1}} catch {exit 1}

Get Prereq Commands:

gem install evil-winrm
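Tests #2 and #3 both authenticate with a valid account and open a WS-Management shell on the target, whether the client is Invoke-Command or Evil-WinRM. The following added example (not part of the Atomic Red Team tests) is the hunt a defender would run on the target host afterwards: it pulls the inbound shell-creation events from the WinRM operational log, pairs each with the network logon that preceded it, and lists anything still running under wsmprovhost.exe, the process that hosts remotely executed commands. It assumes an elevated prompt (needed to read the Security log), that success auditing for logon events is enabled, and a lookback window of 30 minutes.

```powershell
# Added example, not Atomic Red Team code: hunt for WinRM-delivered commands on the TARGET host.
# Run elevated on the machine named by #{remotehost} / #{destination_address}.
param([int]$LookbackMinutes = 30)   # assumed window; widen for a longer engagement
$since = (Get-Date).AddMinutes(-$LookbackMinutes)

# 1. Inbound shell creation: Microsoft-Windows-WinRM/Operational Event ID 91 is written on the server
#    side when a client creates a WSMan shell. For PowerShell clients the message carries the
#    ResourceUri http://schemas.microsoft.com/powershell/Microsoft.PowerShell.
$shells = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WinRM/Operational'
    Id        = 91
    StartTime = $since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, UserId, Message

# 2. Network logons: WinRM authenticates as a LogonType 3 (network) logon, so the nearest
#    preceding 4624 gives the source address, account and authentication package (Kerberos/NTLM).
$logons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data.LogonType -eq '3') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Source  = $data.IpAddress
            AuthPkg = $data.AuthenticationPackageName
        }
    }
}

# 3. Correlate: for each shell, take the most recent network logon within the 10 s before it.
$sessions = foreach ($s in $shells) {
    $match = $logons |
        Where-Object { $_.Time -le $s.TimeCreated -and $_.Time -gt $s.TimeCreated.AddSeconds(-10) } |
        Sort-Object Time -Descending | Select-Object -First 1
    [pscustomobject]@{
        ShellCreated = $s.TimeCreated
        RemoteUser   = $match.User
        SourceIP     = $match.Source
        AuthPackage  = $match.AuthPkg
    }
}
"WinRM shells created since $since:"
$sessions | Format-Table -AutoSize

# 4. Live view: commands run through WinRM execute as children of wsmprovhost.exe. A short command
#    such as whoami is gone by now, but an interactive Evil-WinRM session leaves a host process
#    alive, and any long-running child is a remote command in progress.
"Processes currently running under wsmprovhost.exe:"
Get-CimInstance Win32_Process -Filter "Name = 'wsmprovhost.exe'" | ForEach-Object {
    Get-CimInstance Win32_Process -Filter "ParentProcessId = $($_.ProcessId)" |
        Select-Object ProcessId, Name, CommandLine
} | Format-Table -AutoSize
```

Seeing NTLM rather than Kerberos in the AuthPackage column, or a source address that is not a management host, is the usual tell that the session came from a non-domain-joined attacker box such as the one Evil-WinRM is typically run from.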
