Windows Remote Management
| Windows Remote Management | |
|---|---|
| Tactic | Execution, Lateral Movement |
| Platform | Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 |
| System Requirements | WinRM listener turned on and configured on the remote system |
| Permissions Required | User, Administrator |
| Data Sources | File monitoring, Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring |
Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).[1] It carries WS-Management (SOAP over HTTP) on TCP 5985, or over HTTPS on TCP 5986, and on the remote system the requested work is performed by the WinRM plugin host process, wsmprovhost.exe. It may be called with the winrm command, with winrs, or by any number of programs such as PowerShell, whose remoting cmdlets (Invoke-Command, Enter-PSSession, New-PSSession) use WinRM as their transport.[2]
- Threat Group-3390 has used WinRM to enable remote execution.[3]
- Cobalt Strike can use WinRM to execute a payload on a remote host.[4]
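As an added example (not code from the ATT&CK page or from the reports it cites), the PowerShell below shows what the execution described above looks like from an operator's workstation: PowerShell remoting for one-shot and session-based commands, and winrs for the non-PowerShell path. The host name SRV01, the tool path and the Registry key are placeholders; the caller is assumed to hold an account in the target's Administrators or Remote Management Users group.

```powershell
# Added example: remote execution over WinRM (not code from the original page).
# Assumes 'SRV01' has a WinRM listener (TCP 5985 HTTP / 5986 HTTPS) and the
# caller's Kerberos identity is allowed to connect. 'tool.exe' and the
# 'HKLM:\SOFTWARE\Example' key are placeholders.
$target = 'SRV01'

# 1. Is the listener reachable? Test-WSMan returns the WSMan identity document,
#    or $null with -ErrorAction SilentlyContinue when nothing answers.
if (-not (Test-WSMan -ComputerName $target -ErrorAction SilentlyContinue)) {
    throw "No WinRM listener answered on $target"
}

# 2. One-shot execution. On the target the script block runs inside
#    wsmprovhost.exe, which is the parent process a defender will see.
Invoke-Command -ComputerName $target -ScriptBlock {
    whoami
    Get-Service -Name WinRM | Select-Object Status, StartType
}

# 3. A persistent session: copy a binary over the same transport, run it, and
#    touch the Registry, i.e. the "run an executable / modify the Registry"
#    cases the text lists.
$session = New-PSSession -ComputerName $target
Copy-Item -Path '.\tool.exe' -Destination 'C:\Windows\Temp\tool.exe' -ToSession $session   # PowerShell 5.0+
Invoke-Command -Session $session -ScriptBlock {
    Start-Process -FilePath 'C:\Windows\Temp\tool.exe' -Wait -NoNewWindow
    New-Item -Path 'HKLM:\SOFTWARE\Example' -Force | Out-Null          # placeholder key
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Example' -Name 'Installed' -Value 1
}
Remove-PSSession -Session $session

# 4. The non-PowerShell path. winrs opens a WinRM shell on the target and runs
#    the command line under cmd.exe, again as a child of wsmprovhost.exe.
winrs -r:$target hostname
```

Every one of these calls produces a network logon (type 3) on the target and a process tree rooted at wsmprovhost.exe, which is what the detection guidance below keys on.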
Disable the WinRM service. If the service is necessary, lock down critical enclaves with separate WinRM infrastructure, accounts, and permissions. Follow WinRM best practices on configuration of authentication methods and use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.[5]
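The following PowerShell is an added example (not code from the page or from Microsoft's guidance) that applies the mitigation above to one host: disable the service where it is not needed, and otherwise scope the host firewall rules, reject weak authentication methods, and restrict the default remoting endpoint to a dedicated group. The management subnet 10.0.10.0/24 and the group CORP\WinRM-Admins are assumptions.

```powershell
# Added example: hardening an existing WinRM listener (not code from the page).
# Assumed values: management subnet 10.0.10.0/24 and AD group 'CORP\WinRM-Admins'.
# Run elevated on the target; the WSMan: drive needs the WinRM service running.
$adminSubnet = '10.0.10.0/24'
$adminGroup  = 'CORP\WinRM-Admins'

# Option A: the service is not needed. Remove the remoting endpoints and stop
# and disable the service so no listener comes back on reboot.
# Disable-PSRemoting -Force
# Stop-Service -Name WinRM
# Set-Service -Name WinRM -StartupType Disabled

# Option B: it is needed, so fence it in.
# 1. Host firewall. The built-in rules sit in display group 'Windows Remote
#    Management'. Disable the Public-profile rule and scope what remains to
#    the management subnet on the Domain profile only.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Where-Object { $_.Profile -match 'Public' } |
    Disable-NetFirewallRule
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Enabled True |
    Set-NetFirewallRule -RemoteAddress $adminSubnet -Profile Domain

# 2. Authentication. No Basic, no CredSSP on the server side, no unencrypted
#    message bodies; Kerberos (the default for domain members) stays enabled.
Set-Item -Path WSMan:\localhost\Service\Auth\Basic       -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\CredSSP     -Value $false
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
# Client side (apply on the admin workstations): refuse Basic and keep
# TrustedHosts empty, so a session requires Kerberos mutual authentication
# rather than trusting whatever name answers on port 5985.
Set-Item -Path WSMan:\localhost\Client\Auth\Basic   -Value $false
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value '' -Force

# 3. Separate accounts and permissions. Restrict the default PowerShell
#    endpoint to local Administrators (BA) plus the dedicated group, dropping
#    the 'Remote Management Users' and 'Interactive' grants from the stock ACL.
$sid  = ([System.Security.Principal.NTAccount]$adminGroup).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$sddl = "O:NSG:BAD:P(A;;GA;;;BA)(A;;GA;;;$sid)S:P(AU;FA;GA;;;WD)(AU;SA;GXGW;;;WD)"
Set-PSSessionConfiguration -Name Microsoft.PowerShell -SecurityDescriptorSddl $sddl -Force

# 4. Verify.
Get-Item -Path WSMan:\localhost\Service\Auth\* | Select-Object Name, Value
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Enabled True |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Set-PSSessionConfiguration restarts the WinRM service, and a mistyped SDDL locks everyone but local Administrators out of remoting, so test step 3 on one host with console access before pushing it through Group Policy. Step 1 only covers the stock rules; a listener added on a non-default port needs its own rule scoped the same way.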
Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process (on the remote system the session runs under wsmprovhost.exe, so its child processes are the commands that arrived over WinRM) or by a WinRM-invoked script, and correlate them with other related events such as the network logon on the same host.
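As an added example of the detection logic above (not code from the page), the PowerShell below pulls the two log sources a defender has for this on the host itself: Security event 4688 for processes whose parent is wsmprovhost.exe, and the Microsoft-Windows-WinRM/Operational log, where event 91 records a WSMan shell being created on the target and event 6 records a session being opened from the source. The expected account and maintenance window used to decide what is "not normally used" are assumptions for the example.

```powershell
# Added example: hunting WinRM activity in Windows event logs (not code from the page).
# Requirements: 'Audit Process Creation' with command-line logging enabled for
# 4688; the ParentProcessName field exists on Windows 10 / Server 2016 and later.
# The allow-lists below are assumptions standing in for a site's baseline.
$ExpectedAccounts = @('CORP\svc-config')   # assumed config-management service account
$ExpectedHours    = 2..5                   # assumed nightly maintenance window, 02:00-05:59

function Get-WinRMSpawnedProcess {
    # Processes whose parent is wsmprovhost.exe were started over WinRM.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ParentProcessName'] -like '*\wsmprovhost.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process     = $data['NewProcessName']
                CommandLine = $data['CommandLine']
            }
        }
    }
}

function Get-WinRMSession {
    # 91 = WSMan shell created on this host (target side).
    # 6  = session opened from this host (source side; useful on jump hosts
    #      and on a workstation suspected of being the pivot point).
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName   = 'Microsoft-Windows-WinRM/Operational'
                                     Id        = 91, 6
                                     StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, UserId, Message
}

function Test-WinRMActivity {
    # The "is this normal here?" rule from the text: flag anything run over
    # WinRM by an unexpected account or outside the expected window. Hits are
    # worth correlating with the matching 4624 logon (type 3) and, for
    # PowerShell payloads, 4104 script-block events on the same host.
    foreach ($h in (Get-WinRMSpawnedProcess)) {
        $suspicious = ($ExpectedAccounts -notcontains $h.Account) -or
                      ($ExpectedHours    -notcontains $h.Time.Hour)
        $h | Add-Member -NotePropertyName Suspicious -NotePropertyValue $suspicious -PassThru
    }
}

Test-WinRMActivity | Where-Object Suspicious | Format-Table -AutoSize
Get-WinRMSession   | Format-Table -AutoSize
```

On a host where WinRM is supposed to be disabled, any event 91 at all is the finding; the account and time-window checks only matter where the service is in legitimate use.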
- [1] Microsoft. (n.d.). Windows Remote Management. Retrieved November 12, 2014.
- [2] Jacobsen, K. (2014, May 16). Lateral Movement with PowerShell [slides]. Retrieved November 12, 2014.
- [3] Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.