Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)
Powershell Enable WinRM

Upon successful execution, PowerShell will run `Enable-PSRemoting`, allowing for remote PS access.

Supported Platforms: Windows

auto_generated_guid: 9059e8de-3d7d-4954-a322-46161880b9cf

Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
Enable-PSRemoting -Force
```
Simulate lateral movement with PowerShell Remoting on the local host.

Upon successful execution, PowerShell will execute `whoami` using `Invoke-Command`, targeting the local machine as remote target.

Supported Platforms: Windows

auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6

Attack Commands: Run with `powershell`!

```powershell
Enable-PSRemoting -Force
Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock {whoami}
```

Cleanup Commands:

```powershell
Disable-PSRemoting -Force
```
An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled.

Supported Platforms: Windows

auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d

Inputs:

| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | string | Domain\Administrator |
| destination_address | Remote Host IP or Hostname | string | Target |
| password | Password | string | P@ssw0rd1 |

Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)

```powershell
evil-winrm -i #{destination_address} -u #{user_name} -p #{password}
```

Dependencies: Run with `powershell`!

Check that Ruby is available (exit code 0 means the prerequisite is met):

```powershell
try {if (ruby -v) {exit 0} else {exit 1}} catch {exit 1}
```

Get the prerequisite (downloads and silently installs Ruby):

```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\rubyinstaller-2.7.1-1-x64.exe" https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe
$file1 = "PathToAtomicsFolder\..\ExternalPayloads\rubyinstaller-2.7.1-1-x64.exe"
Start-Process $file1 /S
```

Check that Evil-WinRM is available:

```powershell
try {if (evil-winrm -h) {exit 0} else {exit 1}} catch {exit 1}
```

Get the prerequisite (installs the Evil-WinRM gem):

```powershell
gem install evil-winrm
```
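The three tests above leave a consistent footprint on the target and the source host: on the target, commands run via PS Remoting or Evil-WinRM are spawned by `wsmprovhost.exe`; on the source, `Enable-PSRemoting` and `Invoke-Command -ComputerName` appear in PowerShell script block logs (event 4104), and the client opens a TCP connection to the WinRM ports 5985/5986. The detector below is an added example for defenders, not part of Atomic Red Team; it runs those three checks over constructed sample events in a simplified Sysmon/PowerShell-log shape (Sysmon ID 1 = process creation, ID 3 = network connection).

```python
import re

# Constructed sample events (not real telemetry), simplified Sysmon / PowerShell-log shape.
SAMPLE_EVENTS = [
    {"id": 1, "host": "srv01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\whoami.exe",
     "parent": r"C:\Windows\System32\wsmprovhost.exe"},          # target side of Invoke-Command
    {"id": 1, "host": "srv01", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},                      # benign, interactive
    {"id": 4104, "host": "ws02", "user": "CORP\\jdoe",
     "script": "Enable-PSRemoting -Force"},                      # test #1 / #2 on the source
    {"id": 4104, "host": "ws02", "user": "CORP\\jdoe",
     "script": "Invoke-Command -ComputerName srv01 -ScriptBlock {whoami}"},
    {"id": 3, "host": "ws02", "image": r"C:\Ruby27-x64\bin\ruby.exe",
     "dst_ip": "10.0.0.5", "dst_port": 5985},                    # evil-winrm client (Ruby)
    {"id": 3, "host": "ws02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dst_ip": "10.0.0.5", "dst_port": 443},                     # not WinRM, ignored
]

WINRM_PORTS = {5985, 5986}  # WinRM HTTP / HTTPS listeners
REMOTING_CMDLETS = re.compile(
    r"\b(Enable-PSRemoting|Invoke-Command\s+-ComputerName|Enter-PSSession|New-PSSession)\b",
    re.IGNORECASE,
)

def detect_winrm_activity(events):
    """Return (host, rule, detail) tuples for events matching the WinRM rules above."""
    findings = []
    for e in events:
        if e["id"] == 1 and e.get("parent", "").lower().endswith("wsmprovhost.exe"):
            # Child of the WinRM host process: a command executed over PS Remoting / Evil-WinRM.
            findings.append((e["host"], "process spawned by WinRM host", e["image"]))
        elif e["id"] == 4104 and REMOTING_CMDLETS.search(e.get("script", "")):
            # Script block logging caught a remoting cmdlet on the source host.
            findings.append((e["host"], "PS Remoting cmdlet in script block", e["script"]))
        elif e["id"] == 3 and e.get("dst_port") in WINRM_PORTS:
            # Outbound WinRM connection; note which client binary made it.
            findings.append((e["host"], "outbound WinRM connection",
                             f'{e["image"]} -> {e["dst_ip"]}:{e["dst_port"]}'))
    return findings

if __name__ == "__main__":
    for host, rule, detail in detect_winrm_activity(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

In production the rules map onto Sysmon ParentImage, PowerShell 4104 ScriptBlockText and Sysmon DestinationPort fields; the wsmprovhost.exe parent rule is the one that fires on the target regardless of which client (PowerShell or Evil-WinRM) was used.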