Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

Windows Remote Management

Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). [1] It may be called with the winrm command or by any number of programs such as PowerShell. [2]

ID: T1028

Tactic: Execution, Lateral Movement

Platform:  Windows

Permissions Required:  User, Administrator

Data Sources:  File monitoring, Authentication logs, Netflow/Enclave netflow, Process monitoring, Process command-line parameters

Supports Remote:  Yes

Version: 1.0

Examples

NameDescription
Cobalt Strike

Cobalt Strike can use WinRM to execute a payload on a remote host.[3]

Threat Group-3390

Threat Group-3390 has used WinRM to enable remote execution.[4]

Mitigation

Disable the WinRM service. If the service is necessary, lock down critical enclaves with separate WinRM infrastructure, accounts, and permissions. Follow WinRM best practices on configuration of authentication methods and use of host firewalls to restrict WinRM access to allow communication only to/from specific devices. [5]

Detection

Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.

References