Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) By default the service listens on TCP 5985 (HTTP) and 5986 (HTTPS).
Powershell Enable WinRM

Upon successful execution, PowerShell runs `Enable-PSRemoting`, which starts the WinRM service, creates an HTTP listener and adds the matching firewall exception, allowing remote PowerShell access to this host. The command must be run from an elevated PowerShell; `-Force` suppresses the confirmation prompts.

Supported Platforms: Windows

```powershell
Enable-PSRemoting -Force
```
Execute Invoke-command on remote host.

Upon successful execution, PowerShell executes `ipconfig` on localhost using `Invoke-Command`. Even with the default `localhost` target, `-ComputerName` routes the call through WinRM, so the test fails unless remoting is already enabled on the host.

Supported Platforms: Windows

Name | Description | Type | Default Value |
---|---|---|---|
host_name | Remote Windows Host Name | String | localhost |
remote_command | Command to execute on remote Host | String | ipconfig |

```powershell
invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
```
An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled.

Supported Platforms: Windows

Name | Description | Type | Default Value |
---|---|---|---|
user_name | Username | string | Domain\Administrator |
destination_address | Remote Host IP or Hostname | string | Target |
password | Password | string | P@ssw0rd1 |

```powershell
evil-winrm -i #{destination_address} -u #{user_name} -p #{password}
```

Note that the password is passed on the command line, so it is recorded in process creation events on the attacking host when command-line auditing is enabled.

Dependency: Ruby must be installed. Check with:

```powershell
if (ruby -v) {exit 0} else {exit 1}
```

Get prerequisite:

```powershell
# Download the RubyInstaller release to %TEMP% and run it silently (/S).
Invoke-WebRequest -OutFile $env:Temp\rubyinstaller-2.7.1-1-x64.exe https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe
$file1= $env:Temp + "\rubyinstaller-2.7.1-1-x64.exe"
Start-Process $file1 /S;
```

Dependency: Evil-WinRM must be installed. Check with:

```powershell
if (evil-winrm -h) {exit 0} else {exit 1}
```

Get prerequisite:

```powershell
gem install evil-winrm
```
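Both the Invoke-Command test and the Evil-WinRM test execute their commands inside a remote PowerShell session, which on the target is hosted by wsmprovhost.exe. A defender can therefore look for Security 4688 process-creation events whose parent is wsmprovhost.exe and correlate them with Microsoft-Windows-WinRM/Operational event 91 (a WSMan shell created on the server). The following PowerShell is an added detection example, not part of the atomic tests: it runs over a few constructed sample event records (the field names follow the 4688 and WinRM/Operational event data, the records themselves are made up for this example, and the 60-second correlation window is an assumption) and returns the executions that arrived through WinRM.

```powershell
# Added detection example (not part of the atomic tests). The sample records below
# are constructed; on a live host they would be extracted from Get-WinEvent output.
function Find-WinRmExecution {
    param([Parameter(Mandatory)][object[]]$Events)

    # Microsoft-Windows-WinRM/Operational event 91: a WSMan shell was created on this server.
    $shells = @($Events | Where-Object {
        $_.Log -eq 'Microsoft-Windows-WinRM/Operational' -and $_.Id -eq 91
    })

    foreach ($e in $Events) {
        # Security 4688 (process creation): wsmprovhost.exe hosts remote PowerShell
        # sessions, so any child of it was launched on behalf of a WinRM client.
        if ($e.Log -ne 'Security' -or $e.Id -ne 4688) { continue }
        if ($e.ParentProcessName -notmatch '\\wsmprovhost\.exe$') { continue }

        # Correlate with a shell-creation event within 60 seconds (assumed window).
        $nearby = @($shells | Where-Object {
            [math]::Abs(($e.Time - $_.Time).TotalSeconds) -le 60
        })

        [pscustomobject]@{
            Time         = $e.Time
            User         = $e.SubjectUserName
            Process      = $e.NewProcessName
            CommandLine  = $e.CommandLine
            ShellCreated = $nearby.Count -gt 0
        }
    }
}

# Constructed sample: one ipconfig run through a WinRM session, one run from the desktop.
$sample = @(
    [pscustomobject]@{
        Log = 'Microsoft-Windows-WinRM/Operational'; Id = 91
        Time = [datetime]'2024-01-01T10:00:00'
    }
    [pscustomobject]@{
        Log = 'Security'; Id = 4688; Time = [datetime]'2024-01-01T10:00:02'
        SubjectUserName   = 'CORP\alice'
        NewProcessName    = 'C:\Windows\System32\ipconfig.exe'
        CommandLine       = '"C:\Windows\system32\ipconfig.exe"'
        ParentProcessName = 'C:\Windows\System32\wsmprovhost.exe'
    }
    [pscustomobject]@{
        Log = 'Security'; Id = 4688; Time = [datetime]'2024-01-01T10:05:00'
        SubjectUserName   = 'CORP\bob'
        NewProcessName    = 'C:\Windows\System32\ipconfig.exe'
        CommandLine       = '"C:\Windows\system32\ipconfig.exe"'
        ParentProcessName = 'C:\Windows\explorer.exe'
    }
)

Find-WinRmExecution -Events $sample | Format-Table -AutoSize
```

On the constructed sample only alice's `ipconfig.exe` is returned, with `ShellCreated` true because event 91 was logged two seconds earlier; bob's run under explorer.exe is ignored. On a real host the flat fields used here have to be pulled out of the event XML (for example from `Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4688]]"`), and 4688 only carries `CommandLine` when command-line auditing is enabled.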