Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol (Microsoft's implementation of WS-Management) that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell, whose remoting cmdlets (Enter-PSSession, Invoke-Command) are built on top of WinRM. WinRM can be used as a method of remotely interacting with Windows Management Instrumentation. By default the service listens on TCP 5985 (HTTP) and 5986 (HTTPS).
|ID|Mitigation|Description|
|---|---|---|
|M1042|Disable or Remove Feature or Program|Disable the WinRM service. If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.|
|M1026|Privileged Account Management|If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.|
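How the two mitigations above translate into host configuration, as an added PowerShell example (it is not part of the ATT&CK page and not Microsoft guidance text). The function names, the jump-host addresses 10.0.1.10 and 10.0.1.11 and the custom firewall rule name are placeholders; everything must run in an elevated session.

```powershell
# Added example, not from the ATT&CK page. Assumed placeholders: the two jump-host
# addresses and the custom firewall rule name. Requires an elevated session.

function Disable-WinRMService {
    # M1042, hosts that do not need WinRM: remove the session configurations, the
    # listeners, the service itself and its built-in firewall exceptions.
    Disable-PSRemoting -Force
    Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue | Remove-Item -Recurse
    Stop-Service -Name WinRM -Force
    Set-Service -Name WinRM -StartupType Disabled
    Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management'
}

function Limit-WinRMAccess {
    # M1042, hosts that do need WinRM: keep the service but accept connections only
    # from named admin hosts, and only over HTTPS.
    param(
        [string[]]$AllowedRemoteAddress = @('10.0.1.10', '10.0.1.11'),  # assumed jump hosts
        [string]$RuleName = 'WinRM HTTPS from admin hosts only'          # assumed rule name
    )
    # Weak default: the built-in "Windows Remote Management (HTTP-In)" rule accepts
    # TCP 5985 from any remote address on the Domain and Private profiles.
    Disable-NetFirewallRule -DisplayGroup 'Windows Remote Management'

    # Hardened: one inbound rule, HTTPS only, scoped to the admin hosts. Idempotent on rerun.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
            -Protocol TCP -LocalPort 5986 -RemoteAddress $AllowedRemoteAddress -Profile Domain | Out-Null
    } else {
        Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $AllowedRemoteAddress -Enabled True
    }
    # Drop the plaintext HTTP listener; the HTTPS listener (which needs a server
    # certificate already bound) is the only one left.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTP' } |
        Remove-Item -Recurse
}

function Show-WinRMPermissions {
    # M1026: every session configuration carries its own ACL. Review it here, then grant a
    # dedicated WinRM admin group with Set-PSSessionConfiguration -SecurityDescriptorSddl
    # (or -ShowSecurityDescriptorUI) instead of leaving broad groups such as
    # BUILTIN\Administrators on every configuration.
    Get-PSSessionConfiguration | Select-Object Name, Permission
}

function Test-WinRMHardening {
    # Verification: service start type, remaining listeners, and the remote-address
    # scope of every enabled inbound rule that opens TCP 5985 or 5986.
    $rules = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -in @('5985', '5986') } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            }
        }
    [pscustomobject]@{
        ServiceStartType = (Get-Service -Name WinRM).StartType
        Listeners        = @(Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
                               ForEach-Object { $_.Keys -join ' ' })
        InboundRules     = @($rules)
    }
}

# Typical use on a member of a locked-down enclave:
# Limit-WinRMAccess -AllowedRemoteAddress @('10.0.1.10', '10.0.1.11'); Show-WinRMPermissions; Test-WinRMHardening
```

The check matters as much as the change: an `InboundRules` entry whose `RemoteAddress` is `Any`, or a `Transport=HTTP` listener still present, means the default exposure is back, which is exactly what a later `winrm quickconfig` or `Enable-PSRemoting` run will silently restore.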
|ID|Data Source|Data Component|Detects|
|---|---|---|---|
||Command|Command Execution|Monitor executed commands and arguments that may invoke a WinRM script, and correlate them with other related events.|
|DS0028|Logon Session|Logon Session Creation|Monitor for logon sessions created by Valid Accounts on remote systems via Windows Remote Management (WinRM), typically network logons (logon type 3) in Security event 4624; the adversary may then perform actions as the logged-on user.|
|DS0029|Network Traffic|Network Connection Creation|Monitor for newly constructed network connections using Windows Remote Management (WinRM), such as remote WMI connection attempts (typically TCP 5985 when using HTTP and 5986 for HTTPS).|
||Process|Process Creation|Monitor for newly executed processes that may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM), as well as service processes such as|
||Service|Service Metadata|Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior.|
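The detection rows above only become an alert once they are correlated on the target host. The following is an added PowerShell example, not part of the ATT&CK page: it pivots on an inbound WinRM connection, then looks in a short window on the same host for the matching network logon, the WinRM/Operational event 91 (WSMan shell created) and the creation of wsmprovhost.exe, the provider host process that the WinRM service spawns for remote sessions (a known fact not stated on this page). The event records are constructed to resemble those sources, and the admin-host and disabled-host lists are assumed site policy.

```powershell
# Added example, not from the ATT&CK page. The event records are CONSTRUCTED to resemble
# Security 4624, Sysmon 1/3 and Microsoft-Windows-WinRM/Operational 91 fields; the
# admin-host and disabled-host lists are assumed site policy.

$AllowedAdminHosts  = @('10.0.1.10', '10.0.1.11')   # assumption: the only sanctioned WinRM clients
$WinRMDisabledHosts = @('FS01')                      # assumption: WinRM is supposed to be off here

$Events = @(
    # Expected activity: jump host 10.0.1.10 opens a remoting session to SRV02.
    [pscustomobject]@{ Time = [datetime]'2024-03-01T09:00:01'; Computer = 'SRV02'; Log = 'Sysmon';   Id = 3;    SrcIp = '10.0.1.10'; DstPort = 5985 }
    [pscustomobject]@{ Time = [datetime]'2024-03-01T09:00:02'; Computer = 'SRV02'; Log = 'Security'; Id = 4624; SrcIp = '10.0.1.10'; LogonType = 3; User = 'CORP\svc-admin' }
    [pscustomobject]@{ Time = [datetime]'2024-03-01T09:00:02'; Computer = 'SRV02'; Log = 'Sysmon';   Id = 1;    Image = 'C:\Windows\System32\wsmprovhost.exe'; ParentImage = 'C:\Windows\System32\svchost.exe'; User = 'CORP\svc-admin' }
    # Suspicious: a user workstation, holding a valid account, reaches WinRM on a host where policy says it is disabled.
    [pscustomobject]@{ Time = [datetime]'2024-03-01T13:42:10'; Computer = 'FS01'; Log = 'Sysmon';   Id = 3;    SrcIp = '10.0.5.23'; DstPort = 5985 }
    [pscustomobject]@{ Time = [datetime]'2024-03-01T13:42:11'; Computer = 'FS01'; Log = 'Security'; Id = 4624; SrcIp = '10.0.5.23'; LogonType = 3; User = 'CORP\jsmith' }
    [pscustomobject]@{ Time = [datetime]'2024-03-01T13:42:11'; Computer = 'FS01'; Log = 'WinRM';    Id = 91;   User = 'CORP\jsmith' }
    [pscustomobject]@{ Time = [datetime]'2024-03-01T13:42:12'; Computer = 'FS01'; Log = 'Sysmon';   Id = 1;    Image = 'C:\Windows\System32\wsmprovhost.exe'; ParentImage = 'C:\Windows\System32\svchost.exe'; User = 'CORP\jsmith' }
)

function Find-SuspiciousWinRM {
    param(
        [object[]]$Events,
        [string[]]$AllowedSources,
        [string[]]$DisabledHosts,
        [int]$WindowSeconds = 30
    )
    $alerts = @()
    # DS0029 Network Connection Creation: every inbound connection to a WinRM port is the pivot.
    $conns = $Events | Where-Object { $_.Log -eq 'Sysmon' -and $_.Id -eq 3 -and $_.DstPort -in @(5985, 5986) }
    foreach ($c in $conns) {
        $reasons = @()
        if ($c.SrcIp -notin $AllowedSources) { $reasons += "source $($c.SrcIp) is not an approved admin host" }
        if ($c.Computer -in $DisabledHosts)  { $reasons += "WinRM is disabled by policy on $($c.Computer)" }
        if ($reasons.Count -eq 0) { continue }

        # Same host, short window after the connection.
        $window = $Events | Where-Object {
            $_.Computer -eq $c.Computer -and $_.Time -ge $c.Time -and $_.Time -le $c.Time.AddSeconds($WindowSeconds)
        }
        # DS0028 Logon Session Creation: network logon (type 3) from the same source address.
        $logon = $window | Where-Object { $_.Log -eq 'Security' -and $_.Id -eq 4624 -and $_.LogonType -eq 3 -and $_.SrcIp -eq $c.SrcIp } | Select-Object -First 1
        # Process Creation: the WinRM provider host spawned by the service.
        $shell = $window | Where-Object { $_.Log -eq 'Sysmon' -and $_.Id -eq 1 -and $_.Image -like '*\wsmprovhost.exe' } | Select-Object -First 1
        # WinRM/Operational 91: the service created a WSMan shell for the user.
        $wsman = $window | Where-Object { $_.Log -eq 'WinRM' -and $_.Id -eq 91 } | Select-Object -First 1

        $alerts += [pscustomobject]@{
            Time         = $c.Time
            Computer     = $c.Computer
            SourceIp     = $c.SrcIp
            User         = $(if ($logon) { $logon.User } else { 'unknown' })
            Reason       = ($reasons -join '; ')
            LogonSeen    = [bool]$logon
            ProviderHost = [bool]$shell
            WsmanShell   = [bool]$wsman
        }
    }
    return $alerts
}

$alerts = @(Find-SuspiciousWinRM -Events $Events -AllowedSources $AllowedAdminHosts -DisabledHosts $WinRMDisabledHosts)
$alerts | Format-Table -AutoSize
```

Against live data, replace `$Events` with output from `Get-WinEvent` (for example `-FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91 }` for the shell-creation events, plus the Security and Sysmon channels) mapped onto the same field names. Two caveats: the source-address allow list only catches lateral movement from unexpected hosts, so a compromised jump host still needs a per-account baseline (which accounts normally remote to which hosts); and on the client side the same pivot works in reverse, with powershell.exe or winrm making the outbound 5985/5986 connection from a workstation that should never administer servers.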