Remote Services: Служба удаленного управления Windows
Other sub-techniques of Remote Services (6)
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)
Примеры процедур |
|
Название | Описание |
---|---|
Chimera |
Chimera has used WinRM for lateral movement.(Citation: NCC Group Chimera January 2021) |
APT29 |
APT29 has used WinRM via PowerShell to execute command and payloads on remote hosts.(Citation: Symantec RAINDROP January 2021) |
Cobalt Strike |
Cobalt Strike can use |
UNC2452 |
UNC2452 has used WinRM via PowerShell to execute command and payloads on remote hosts.(Citation: Symantec RAINDROP January 2021) |
Cobalt Strike |
Cobalt Strike can use |
SILENTTRINITY |
SILENTTRINITY tracks `TrustedHosts` and can move laterally to these targets via WinRM.(Citation: GitHub SILENTTRINITY Modules July 2019) |
Threat Group-3390 |
Threat Group-3390 has used WinRM to enable remote execution.(Citation: SecureWorks BRONZE UNION June 2017) |
Wizard Spider |
Wizard Spider has used Window Remote Management to move laterally through a victim network.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Disable or Remove Feature or Program |
Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries. |
Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
Network Segmentation |
Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. |
Обнаружение
Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.(Citation: Medium Detecting Lateral Movement) Also monitor for remote WMI connection attempts (typically over port 5985 when using HTTP and 5986 for HTTPS).
Ссылки
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- French, D. (2018, September 30). Detecting Lateral Movement Using Sysmon and Splunk. Retrieved October 11, 2019.
- Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.
- Jacobsen, K. (2014, May 16). Lateral Movement with PowerShell[slides]. Retrieved November 12, 2014.
- Microsoft. (n.d.). Windows Remote Management. Retrieved November 12, 2014.
- Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
- Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
- Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- National Security Agency/Central Security Service Information Assurance Directorate. (2015, August 7). Spotting the Adversary with Windows Event Log Monitoring. Retrieved September 6, 2018.
- DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
Связанные риски
Риск | Связи | |
---|---|---|
Боковое перемещение злоумышленника по локальной сети из-за
возможности удаленного управления Windows с помощью службы WinRM в ОС Windows
Конфиденциальность
Целостность
|
2
|
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.