Remote Services: Windows Remote Management

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).[1] It may be called with the winrm command or by any number of programs such as PowerShell.[2] WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.[3]

ID: T1021.006
Sub-technique of:  T1021
Platforms: Windows
Permissions Required: Administrator, User
Version: 1.1
Created: 11 February 2020
Last Modified: 23 June 2021

Procedure Examples

ID Name Description
G0016 APT29

APT29 has used WinRM via PowerShell to execute command and payloads on remote hosts.[4]

G0114 Chimera

Chimera has used WinRM for lateral movement.[5]

S0154 Cobalt Strike

Cobalt Strike can use WinRM to execute a payload on a remote host.[6][7]

S0692 SILENTTRINITY

SILENTTRINITY tracks TrustedHosts and can move laterally to these targets via WinRM.[8]

G0027 Threat Group-3390

Threat Group-3390 has used WinRM to enable remote execution.[9]

G0102 Wizard Spider

Wizard Spider has used Window Remote Management to move laterally through a victim network.[10]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable the WinRM service.

M1030 Network Segmentation

If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.[11]

M1026 Privileged Account Management

If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0028 Logon Session Logon Session Creation
DS0029 Network Traffic Network Connection Creation
DS0009 Process Process Creation
DS0019 Service Service Metadata

Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.[12] Also monitor for remote WMI connection attempts (typically over port 5985 when using HTTP and 5986 for HTTPS).

References