Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the `winrm` command or by any number of programs such as PowerShell. WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.
Detection logic
Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events. Also monitor for remote WMI connection attempts (typically over port 5985 when using HTTP and 5986 for HTTPS).
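As an added illustration of the detection guidance above (example code written for this page, not part of ATT&CK or any vendor tool), the following pass runs two of the checks over constructed Sysmon-style event records: processes spawned by wsmprovhost.exe, the WinRM provider host that executes remotely invoked commands, and outbound connections to TCP 5985/5986 from hosts that are not on an assumed allow-list of management hosts. Field names follow Sysmon Event ID 1 and 3 conventions; the sample events and host names are constructed.

```python
"""Toy WinRM detection pass over constructed Sysmon-style events."""
from collections import Counter

WINRM_PORTS = {5985, 5986}          # WinRM over HTTP / HTTPS
WINRM_HOST = "wsmprovhost.exe"      # WinRM provider host for remoted commands

# Constructed sample telemetry (not real logs). EventID 1 = process create,
# EventID 3 = network connection, using Sysmon field names.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe", "User": r"CORP\jdoe"},
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "User": r"CORP\jdoe"},
    {"EventID": 3, "Computer": "WS07", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 5985, "Initiated": True},
    {"EventID": 3, "Computer": "WS07", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "93.184.216.34", "DestinationPort": 443, "Initiated": True},
    {"EventID": 3, "Computer": "ADMIN-JUMP", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.6", "DestinationPort": 5986, "Initiated": True},
]


def winrm_child_processes(events):
    """Processes whose parent is wsmprovhost.exe, i.e. commands run through WinRM."""
    return [e for e in events
            if e.get("EventID") == 1
            and e.get("ParentImage", "").lower().endswith("\\" + WINRM_HOST)]


def outbound_winrm_connections(events, allowed_sources=frozenset()):
    """Outbound connections to WinRM ports from hosts not expected to manage others."""
    return [e for e in events
            if e.get("EventID") == 3 and e.get("Initiated")
            and e.get("DestinationPort") in WINRM_PORTS
            and e.get("Computer") not in allowed_sources]


def summarize(events, allowed_sources=frozenset()):
    """Count WinRM findings per host so unusual sources stand out for triage."""
    findings = (winrm_child_processes(events)
                + outbound_winrm_connections(events, allowed_sources))
    return dict(Counter(e["Computer"] for e in findings))


if __name__ == "__main__":
    # Assumed allow-list: a jump host that legitimately uses WinRM.
    for host, count in summarize(SAMPLE_EVENTS, {"ADMIN-JUMP"}).items():
        print(f"{host}: {count} WinRM-related finding(s)")
```

In a real deployment the allow-list and the baseline of which hosts normally use WinRM come from the environment, which is what makes the "not normally used" signal in the guidance above meaningful.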