Windows Remote Management

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system(e.g., run an executable, modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell.

Example

Here we have a technique that will allow us to lateral move onto a different machine using he WinRM service, this can be easily taken advantage with the use of PowerShell

We can verify if this is available on our target with the Test-WsMan Cmdlet

Usually Administrators can log in to a workstation where they have administrator privileges or sometimes we can find users that have this privileges as well.

Now will remote onto the target machine, assuming we have credentials

And Login successfully

PreviousT1021: Remote Services NextVNC

Last updated 3 years ago