Detections
Analytics
Remote Services: Windows Remote Management
Description
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM).The adversary may then perform actions as the logged-on user.WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).It may be called with the winrm command or by any number of programs such as PowerShell.WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | SMB | Windows Services | Plugin ID: 44401 |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | WMI | Local Users, Groups and Group membership | Plugin ID: 71246 |
| Tenable Vulnerability Management | Advanced Network Scan | Windows machines | Authenticated Scan | OS Command | Computer Connectivity | Plugin ID: 64582 |
| Tenable Identity Exposure | Active Directory | Standard AD User | LDAP | List of Domain Computers and Users | ||
| Tenable Vulnerability Management | AD Start or Identity Scan | Active Directory | Authenticated AD User | LDAP | List of Domain Users | Plugin ID: 167250 |
| Tenable Vulnerability Management | AD Start or Identity Scan | Active Directory | Authenticated AD User | LDAP | List of Domain Groups | Plugin ID: 167251 |
References
Enumerate Local Group Memberships
Microsoft Windows SMB Service Config Enumeration
Netstat Connection Information
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Lateral Movement
Technique: Remote Services
Sub-Technique: Windows Remote Management
Platform: Windows
Products Required: Tenable Vulnerability Management
Tenable Release Date: 2022 Q3