Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Служба удаленного управления Windows
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Служба удаленного управления W...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Remote Services:  Служба удаленного управления Windows

ID Название
.001 Протокол удаленного рабочего стола
.002 Общие SMB-ресурсы или ресурсы администраторов Windows
.003 Распределенная COM-модель
.004 SSH
.005 VNC
.006 Служба удаленного управления Windows

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)

ID: T1021.006
Относится к технике:  T1021
Тактика(-и): Lateral Movement
Платформы: Windows
Требуемые разрешения: Administrator, User
Источники данных: Command: Command Execution, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Service: Service Metadata
Версия: 1.1
Дата создания: 11 Feb 2020
Последнее изменение: 23 Jun 2021

Примеры процедур
Название Описание
Chimera

Chimera has used WinRM for lateral movement.(Citation: NCC Group Chimera January 2021)
APT29

APT29 has used WinRM via PowerShell to execute command and payloads on remote hosts.(Citation: Symantec RAINDROP January 2021)
Cobalt Strike

Cobalt Strike can use WinRM to execute a payload on a remote host.(Citation: cobaltstrike manual)(Citation: Cobalt Strike Manual 4.3 November 2020)
UNC2452

UNC2452 has used WinRM via PowerShell to execute command and payloads on remote hosts.(Citation: Symantec RAINDROP January 2021)
Cobalt Strike

Cobalt Strike can use WinRM to execute a payload on a remote host.(Citation: cobaltstrike manual)
SILENTTRINITY

SILENTTRINITY tracks `TrustedHosts` and can move laterally to these targets via WinRM.(Citation: GitHub SILENTTRINITY Modules July 2019)
Threat Group-3390

Threat Group-3390 has used WinRM to enable remote execution.(Citation: SecureWorks BRONZE UNION June 2017)
Wizard Spider

Wizard Spider has used Window Remote Management to move laterally through a victim network.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)

Контрмеры
Контрмера Описание
Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.
Network Segmentation

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.

Обнаружение

Monitor use of WinRM within an environment by tracking service execution. If it is not normally used or is disabled, then this may be an indicator of suspicious behavior. Monitor processes created and actions taken by the WinRM process or a WinRM invoked script to correlate it with other related events.(Citation: Medium Detecting Lateral Movement) Also monitor for remote WMI connection attempts (typically over port 5985 when using HTTP and 5986 for HTTPS).

Ссылки

  1. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  2. French, D. (2018, September 30). Detecting Lateral Movement Using Sysmon and Splunk. Retrieved October 11, 2019.
  3. Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.
  4. Jacobsen, K. (2014, May 16). Lateral Movement with PowerShell[slides]. Retrieved November 12, 2014.
  5. Microsoft. (n.d.). Windows Remote Management. Retrieved November 12, 2014.
  6. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  7. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  8. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  9. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  10. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  11. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  12. National Security Agency/Central Security Service Information Assurance Directorate. (2015, August 7). Spotting the Adversary with Windows Event Log Monitoring. Retrieved September 6, 2018.
  13. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
Навигация

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.