Skip to content

Propagation via Powershell Remoting (WinRM) #1246

Description

@mssalvatore

Description

As a red team member, I want a ransomware simulation that propagates via Powershell Remoting (WinRM), so that I can evaluate my segmentation policies against propagation techniques that are commonly used by ransomware.

Acceptance Criteria

  • Infection Monkey is able to propagate itself via Powershell.
  • A new blackbox test is added to verify the Powershell exploiter.
  • Unit tests are written and provide comprehensive coverage.
  • Documentation is written that describes how the new exploiter behaves.

Tasks

  • Create a blackbox test that tests the existing exploiter on the powershell_exploiter branch. (0d) @ilija-lazoroski
    • Add and configure 3 machines to allow powershell remoting (one with no creds, one with username only, one with username + password).
    • Add a config template and blackbox test.
      See this and this for information about powershell remoting configuration.
  • Get the powershell exploiter prototype ready for production.
    • Refactor exploiter prototype. (0d) - @shreyamalviya
      • Read the code and understand how the exploiter works.
      • Identify opportunities to make parts of the exploiter unit-testable.
      • Refactor exploiter prototype to improve quality and robustness.
    • Write unit tests if possible. (0d) - @shreyamalviya
    • Build the binaries and make sure the exploiter works when packaged in a binary (linux and windows). (0d)
  • Add documentation for the new powershell exploiter. (0d) @ilija-lazoroski
  • Manual testing and bug fixing. (0d)
    • Test reporting
    • Test propagation
    • Test error handling
  • Writing UT's for powershell exploiter (0d)
  • Configure the BB to test different powershell options (HTTP/HTTPS/Cached/no password)
    • Remove HTTP from 45 and 46 and re-create the images (0)
    • 47 needs to be added to BB (terraform and image) (0d)
  • Ensure Mitre "Pass the hash" technique is properly reported in reports. (0.5d)
    • Modify exploiter to use NTLM hashes.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions