Propagation via Powershell Remoting (WinRM)

[mssalvatore]

Description

As a red team member, I want a ransomware simulation that propagates via Powershell Remoting (WinRM), so that I can evaluate my segmentation policies against propagation techniques that are commonly used by ransomware.

Acceptance Criteria

• Infection Monkey is able to propagate itself via Powershell.
• A new blackbox test is added to verify the Powershell exploiter.
• Unit tests are written and provide comprehensive coverage.
• Documentation is written that describes how the new exploiter behaves.

Tasks

• [x] Create a blackbox test that tests the existing exploiter on the powershell_exploiter branch. (0d) @ilija-lazoroski
  • [x] Add and configure 3 machines to allow powershell remoting (one with no creds, one with username only, one with username + password).
  • [x] Add a config template and blackbox test. See this and this for information about powershell remoting configuration.
• [x] Get the powershell exploiter prototype ready for production.
  • [x] Refactor exploiter prototype. (0d) - @shreyamalviya
  • [x] Read the code and understand how the exploiter works.
  • [x] Identify opportunities to make parts of the exploiter unit-testable.
  • [x] Refactor exploiter prototype to improve quality and robustness.
  • [x] Write unit tests if possible. (0d) - @shreyamalviya
  • [x] Build the binaries and make sure the exploiter works when packaged in a binary (linux and windows). (0d)
• [x] Add documentation for the new powershell exploiter. (0d) @ilija-lazoroski
• [x] Manual testing and bug fixing. (0d)
  • [x] Test reporting
  • [x] Test propagation
  • [x] Test error handling
• [x] Writing UT's for powershell exploiter (0d)
• [x] Configure the BB to test different powershell options (HTTP/HTTPS/Cached/no password)
  • [x] Remove HTTP from 45 and 46 and re-create the images (0)
  • [x] 47 needs to be added to BB (terraform and image) (0d)
• [x] Ensure Mitre "Pass the hash" technique is properly reported in reports. (0.5d)
  • [x] Modify exploiter to use NTLM hashes.

[ilija-lazoroski]

Something that helped with troubleshooting