Enable Windows Remote Management

calendar Jan 27, 2023 · attack.lateral_movement attack.t1021.006  ·
Share on: linkedin copy

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Sigma rule (View on GitHub)

 1title: Enable Windows Remote Management
 2id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
 3status: test
 4description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
 7    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
 8author: frack113
 9date: 2022/01/07
10tags:
11    - attack.lateral_movement
12    - attack.t1021.006
13logsource:
14    product: windows
15    category: ps_script
16    definition: 'Requirements: Script Block Logging must be enabled'
17detection:
18    selection_cmdlet:
19        ScriptBlockText|contains: 'Enable-PSRemoting '
20    condition: selection_cmdlet
21falsepositives:
22    - Legitimate script
23level: medium

References

  • atomic-red-team/atomics/T1021.006/T1021.006.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

    Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team


    Read More

  • Enable-PSRemoting (Microsoft.PowerShell.Core) - PowerShell

    This cmdlet is only available on the Windows platform. The Enable-PSRemoting cmdlet configures the computer to receive PowerShell remote commands that are sent by using the WS-Management technology. WS-Management based PowerShell remoting is currently supported only on Windows platform. PowerShell remoting is enabled by default on Windows Server platforms. You can use Enable-PSRemoting to enable PowerShell remoting on other supported versions of Windows and to re-enable remoting if it becomes disabled. You have to run this command only one time on each computer that will receive commands. You do not have to run it on computers that only send commands. Because the configuration starts listeners to accept remote connections, it is prudent to run it only where it is needed. Enabling PowerShell remoting on client versions of Windows when the computer is on a public network is normally disallowed, but you can skip this restriction by using the SkipNetworkProfileCheck parameter. For more information, see the description of the SkipNetworkProfileCheck parameter. Multiple PowerShell installations can exist side-by-side on a single computer. Running Enable-PSRemoting will configure a remoting endpoint for the specific installation version that you are running the cmdlet in. So if you run Enable-PSRemoting while running PowerShell 6.2, a remoting endpoint will be configured that runs PowerShell 6.2. If you run Enable-PSRemoting while running PowerShell 7-preview, a remoting endpoint will be configured that runs PowerShell 7-preview. Enable-PSRemoting creates two remoting endpoint configurations as needed. If the endpoint configurations already exist, then they are simply ensured to be enabled. The created configurations are identical but have different names. One will have a simple name corresponding to the PowerShell version that hosts the session. The other configuration name contains more detailed information about the PowerShell version which hosts the session. For example, when running Enable-PSRemoting in PowerShell 6.2, you will get two configured endpoints named PowerShell.6, PowerShell.6.2.2. This allows you to create a connection to the latest PowerShell 6 host version by using the simple name PowerShell.6. Or you can connect to a specific PowerShell host version by using the longer name PowerShell.6.2.2. To use the newly enabled remoting endpoints, you must specify them by name with the ConfigurationName parameter when creating a remote connection using the Invoke-Command,New-PSSession,Enter-PSSession cmdlets. For more information, see Example 4. The Enable-PSRemoting cmdlet performs the following operations: Runs the Set-WSManQuickConfig cmdlet, which performs the following tasks: Starts the WinRM service. Sets the startup type on the WinRM service to Automatic. Creates a listener to accept requests on any IP address. Enables a firewall exception for WS-Management communications. Creates the simple and long name session endpoint configurations if needed. Enables all session configurations. Changes the security descriptor of all session configurations to allow remote access. Restarts the WinRM service to make the preceding changes effective. To run this cmdlet on the Windows platform, start PowerShell by using the Run as administrator option. This cmdlet is not available on Linux or MacOS versions of PowerShell. Caution This cmdlet does not affect remote endpoint configurations created by Windows PowerShell. It only affects endpoints created with PowerShell version 6 and greater. To enable and disable PowerShell remoting endpoints that are hosted by Windows PowerShell, run the Enable-PSRemoting cmdlet from within a Windows PowerShell session.


    Read More

Related rules

to-top