Remote Services: Windows Remote Management

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).[1] It may be called with the winrm command or by any number of programs such as PowerShell.[2] WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.[3]

ID: T1021.006
Sub-technique of:  T1021
Platforms: Windows
Version: 1.2
Created: 11 February 2020
Last Modified: 11 August 2023

Procedure Examples

ID Name Description
S1063 Brute Ratel C4

Brute Ratel C4 can use WinRM for pivoting.[4]

G0114 Chimera

Chimera has used WinRM for lateral movement.[5]

S0154 Cobalt Strike

Cobalt Strike can use WinRM to execute a payload on a remote host.[6][7]

G1016 FIN13

FIN13 has leveraged WMI to move laterally within a compromised network via application servers and SQL servers.[8]

S0692 SILENTTRINITY

SILENTTRINITY tracks TrustedHosts and can move laterally to these targets via WinRM.[9]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used WinRM via PowerShell to execute commands and payloads on remote hosts.[10]

G0027 Threat Group-3390

Threat Group-3390 has used WinRM to enable remote execution.[11]

G0102 Wizard Spider

Wizard Spider has used Windows Remote Management to move laterally through a victim network.[12]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable the WinRM service.

M1030 Network Segmentation

If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.[13]

M1026 Privileged Account Management

If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may invoke a WinRM script to correlate it with other related events.[14]

DS0028 Logon Session Logon Session Creation

Monitor for logon sessions created on remote hosts by accounts using Valid Accounts over Windows Remote Management (WinRM). On the destination host, a WinRM logon appears as Security event 4624 with Logon Type 3 (network logon), and the WinRM service records the remote shell request in the Microsoft-Windows-WinRM/Operational log (event 91); on the client, the same log records the session being created (event 6). Correlate the account and source address with the WinRM events to find accounts or client hosts that do not normally use WinRM, since the adversary may then perform actions as the logged-on user.

DS0029 Network Traffic Network Connection Creation

Monitor for newly constructed network connections to the WinRM listener on a destination host (TCP port 5985 for HTTP and 5986 for HTTPS), including remote WMI requests that are carried over WinRM rather than over DCOM.

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on RPC network flows.

When a Windows Remote Management connection is opened, the client sends HTTP requests to port 5985 (HTTP) or 5986 (HTTPS) on the target host. Each request is a WS-Management SOAP message sent to the URI "/wsman", normally with the HTTP POST method, and further information such as the authentication scheme is carried in the headers. This analytic detects remote PowerShell as well as any other communication that relies on WinRM. It also outputs the executable on the client host, the connection information, and the hostname of the target host. Look for network connections to ports 5985 and 5986; to see what was actually requested, feed the captured traffic into a tool that can do packet analysis, bearing in mind that over HTTPS, or when WinRM message-level encryption is in use, only the connection metadata and HTTP framing are visible.

Note: The RPC analytic below covers DCOM-based remote WMI and other RPC traffic, not WinRM itself, which runs over HTTP(S). Traffic to the RPC Endpoint Mapper will always have the destination port of 135. Assuming success, RPC traffic will continue to the endpoint. The endpoint and the client both bind to dynamically assigned ports (on Windows, this is typically greater than 49152). The traffic between the client and endpoint can be detected by looking at traffic to 135 followed by traffic where the source and destination ports are at least 49152.

Analytic 1 - RPC Activity

rpc_mapper = filter flows where (dest_port == 135)
rpc_endpoint = filter flows where (dest_port >= 49152 and src_port >= 49152)
rpc = join rpc_mapper, rpc_endpoint where (
    (rpc_mapper.time < rpc_endpoint.time < rpc_mapper.time + 2 seconds) AND
    (rpc_mapper.src_ip == rpc_endpoint.src_ip AND rpc_mapper.dest_ip == rpc_endpoint.dest_ip))

Analytic 2 - WinRM

winrm = filter flow where (dest_port == 5985)
winrm_s = filter flow where (dest_port == 5986)
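The two analytics above, implemented as an added example that is not part of the ATT&CK page, run over a constructed Zeek-style conn.log excerpt. The field order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto) is a subset of conn.log columns chosen for the example; the sample flows, the 2-second join window and the 49152 dynamic-port floor are taken from the text. Analytic 1 (RPC) and Analytic 2 (WinRM) are kept as separate functions because they match different transports: WinRM is HTTP(S) on 5985/5986, whereas the mapper-then-dynamic-port pattern belongs to DCOM/RPC.

```python
# Added example: flow analytics for WinRM (5985/5986) and RPC (135 + dynamic ports).
# The conn.log excerpt below is constructed for this example, not captured traffic.
from dataclasses import dataclass

WINRM_HTTP_PORT = 5985
WINRM_HTTPS_PORT = 5986
RPC_MAPPER_PORT = 135
DYNAMIC_PORT_MIN = 49152   # start of the Windows dynamic port range
RPC_JOIN_WINDOW_S = 2.0    # Analytic 1 joins mapper and endpoint flows within 2 seconds


@dataclass(frozen=True)
class Flow:
    ts: float
    uid: str
    src_ip: str
    src_port: int
    dest_ip: str
    dest_port: int


def parse_conn_log(text):
    """Parse whitespace-separated flow records (assumed field order in the lead-in);
    blank lines and '#' comment lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, uid, src_ip, src_port, dest_ip, dest_port, _proto = line.split()[:7]
        flows.append(Flow(float(ts), uid, src_ip, int(src_port), dest_ip, int(dest_port)))
    return flows


def winrm_flows(flows):
    """Analytic 2: connections to the WinRM HTTP (5985) or HTTPS (5986) listener."""
    return [f for f in flows if f.dest_port in (WINRM_HTTP_PORT, WINRM_HTTPS_PORT)]


def rpc_sessions(flows):
    """Analytic 1: an endpoint-mapper lookup (dest port 135) followed, within the join
    window, by a flow between the same client and server where both ports are dynamic."""
    mapper = [f for f in flows if f.dest_port == RPC_MAPPER_PORT]
    endpoint = [f for f in flows
                if f.src_port >= DYNAMIC_PORT_MIN and f.dest_port >= DYNAMIC_PORT_MIN]
    return [(m, e) for m in mapper for e in endpoint
            if m.src_ip == e.src_ip and m.dest_ip == e.dest_ip
            and m.ts < e.ts < m.ts + RPC_JOIN_WINDOW_S]


# Constructed sample: C1/C2 are WinRM, C3/C4 are a mapper lookup followed 0.8 s later by
# the RPC endpoint flow, C5/C6 are the same pattern but 5 s apart (outside the window),
# and C7 is unrelated HTTPS traffic.
SAMPLE_CONN_LOG = """\
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto
1700000000.000000 C1 10.0.0.5 51000 10.0.0.20 5985 tcp
1700000000.500000 C2 10.0.0.5 51001 10.0.0.20 5986 tcp
1700000001.000000 C3 10.0.0.5 51002 10.0.0.21 135 tcp
1700000001.800000 C4 10.0.0.5 51003 10.0.0.21 49670 tcp
1700000010.000000 C5 10.0.0.5 51004 10.0.0.21 135 tcp
1700000015.000000 C6 10.0.0.5 51005 10.0.0.21 49671 tcp
1700000020.000000 C7 10.0.0.7 51006 10.0.0.22 443 tcp
"""


def run_analytics(text=SAMPLE_CONN_LOG):
    """Return the flow uids matched by each analytic."""
    flows = parse_conn_log(text)
    return {
        "winrm": [f.uid for f in winrm_flows(flows)],
        "rpc": [(m.uid, e.uid) for m, e in rpc_sessions(flows)],
    }


if __name__ == "__main__":
    for name, hits in run_analytics().items():
        print(name, hits)
```

Note that Analytic 1 is noisy on any Windows network, since many legitimate RPC clients follow the same pattern; in practice it is scoped to hosts or subnets that should not be making RPC calls into a critical enclave, which is also where the WinRM port match is most useful.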

DS0009 Process Process Creation

Monitor for newly executed processes that may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). On the destination host, commands delivered over WinRM run as children of the WinRM host processes: wsmprovhost.exe for remote PowerShell sessions and winrshost.exe for commands sent with winrs, both started by the WinRM service (svchost.exe). When WMI is driven over WinRM, the WMI provider host wmiprvse.exe is also active. Unusual children of these processes (cmd.exe, powershell.exe, rundll32.exe) on hosts where WinRM is not normally used are a strong signal.
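The process-creation and logon-session checks above, combined in an added example that is not part of the ATT&CK page: flag processes whose parent is a WinRM host process on the destination host, then enrich each hit with the network logon (Security 4624, Logon Type 3) that preceded it for the same account, which supplies the client address the process-creation event lacks. The event records are constructed for the example (field names, the 60-second look-back window and the host names are assumptions, not a real log schema).

```python
# Added example: correlate WinRM-spawned processes with the preceding network logon.
# Event records below are constructed for the example.
import ntpath
from dataclasses import dataclass

# Destination-host processes that WinRM uses to run what a remote client asked for.
WINRM_HOST_PROCESSES = {
    "wsmprovhost.exe",  # hosts remote PowerShell sessions
    "winrshost.exe",    # hosts commands sent with winrs
}
NETWORK_LOGON = 3        # 4624 LogonType 3
LOGON_WINDOW_S = 60.0    # assumed look-back for the logon that preceded the process


@dataclass(frozen=True)
class LogonEvent:        # Security 4624
    ts: float
    host: str
    user: str
    logon_type: int
    source_ip: str


@dataclass(frozen=True)
class ProcessEvent:      # Security 4688 or Sysmon event 1
    ts: float
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def is_winrm_child(proc):
    """True when the parent is one of the WinRM host processes (Windows paths, so ntpath)."""
    return ntpath.basename(proc.parent_image).lower() in WINRM_HOST_PROCESSES


def preceding_network_logon(proc, logons):
    """Most recent 4624 LogonType 3 for the same user on the same host within the window."""
    candidates = [l for l in logons
                  if l.host == proc.host and l.user.lower() == proc.user.lower()
                  and l.logon_type == NETWORK_LOGON
                  and proc.ts - LOGON_WINDOW_S <= l.ts <= proc.ts]
    return max(candidates, key=lambda l: l.ts, default=None)


def winrm_alerts(process_events, logon_events):
    """One alert per WinRM-spawned process; source_ip is None when no logon correlates."""
    alerts = []
    for p in process_events:
        if not is_winrm_child(p):
            continue
        logon = preceding_network_logon(p, logon_events)
        alerts.append({
            "host": p.host,
            "user": p.user,
            "parent": ntpath.basename(p.parent_image).lower(),
            "command_line": p.command_line,
            "source_ip": logon.source_ip if logon else None,
        })
    return alerts


# Constructed sample events: two WinRM sessions from 10.0.0.5, one interactive logon that
# must not match, and a WinRM-spawned process with no correlating logon in the window.
SAMPLE_LOGON_EVENTS = [
    LogonEvent(100.0, "SRV01", "CORP\\alice", 3, "10.0.0.5"),
    LogonEvent(105.0, "SRV01", "CORP\\bob", 2, "-"),
    LogonEvent(200.0, "SRV02", "CORP\\alice", 3, "10.0.0.5"),
]
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(101.5, "SRV01", "CORP\\alice", r"C:\Windows\System32\wsmprovhost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command whoami"),
    ProcessEvent(106.0, "SRV01", "CORP\\bob", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(203.0, "SRV02", "CORP\\alice", r"C:\Windows\System32\winrshost.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c net user"),
    ProcessEvent(500.0, "SRV02", "CORP\\svc_backup", r"C:\Windows\System32\wsmprovhost.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File backup.ps1"),
]


if __name__ == "__main__":
    for alert in winrm_alerts(SAMPLE_PROCESS_EVENTS, SAMPLE_LOGON_EVENTS):
        print(alert)
```

The alert with no correlated logon is still emitted: a missing 4624 within the window usually means the session was established earlier (WinRM sessions are long-lived) or that logon auditing is incomplete, and either is worth a look rather than a reason to drop the hit.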

DS0019 Service Service Metadata

Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior.

References