Greg Carson gregkcarson
gregkcarson
/ HowToDetectTechniqueX_Demos.ps1
Created
April 11, 2021 00:24
— forked from mattifestation/HowToDetectTechniqueX_Demos.ps1
Demo code from my DerbyCon talk: "How do I detect technique X in Windows?" Applied Methodology to Definitively Answer this Question
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #region Attack validations | |
| wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe | |
| Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe | |
| $CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator | |
| Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' } | |
| $CimSession | Remove-CimSession | |
| winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword |