Remote Services: Windows Remote Management

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).[1] It may be called with the winrm command or by any number of programs such as PowerShell.[2]

ID: T1021.006
Sub-technique of:  T1021
Tactic: Lateral Movement
Platforms: Windows
Permissions Required: Administrator, User
Data Sources: Authentication logs, File monitoring, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Version: 1.0
Created: 11 February 2020
Last Modified: 25 March 2020

Procedure Examples

Name Description
Cobalt Strike

Cobalt Strike can use WinRM to execute a payload on a remote host.[4]

Threat Group-3390

Threat Group-3390 has used WinRM to enable remote execution.[5]

Mitigations

Mitigation Description
Disable or Remove Feature or Program

Disable the WinRM service.

Network Segmentation

If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.[3]

Privileged Account Management

If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.

Detection

Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.[6]

References