Sigma | medium | Hunting
Enable Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
Detection Query
    selection_cmdlet:
        ScriptBlockText|contains: "Enable-PSRemoting "
    condition: selection_cmdlet
Author
frack113
Created
2022-01-07
Data Sources
windows (category: ps_script)
Platforms
windows
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
Tags
attack.lateral-movement, attack.t1021.006
Raw Content
title: Enable Windows Remote Management
id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
status: test
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
    - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
author: frack113
date: 2022-01-07
tags:
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains: 'Enable-PSRemoting '
    condition: selection_cmdlet
falsepositives:
    - Legitimate script
level: medium
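To show what the rule's single `|contains` selection actually matches, here is an added Python example (not part of the Sigma project or this rule) that evaluates the detection logic over constructed script block log records. It assumes Sigma's default case-insensitive string matching and a minimal record shape with only the `ScriptBlockText` field; note that the literal ends in a space, so a bare `Enable-PSRemoting` with nothing after it does not match.

```python
from dataclasses import dataclass

# Selection taken from the rule on this page: ScriptBlockText|contains: 'Enable-PSRemoting '
# The trailing space is part of the literal and matters for matching.
PATTERN = "Enable-PSRemoting "


@dataclass
class ScriptBlockEvent:
    """Constructed stand-in for a PowerShell script block log record
    (what Script Block Logging writes; only the fields the rule needs)."""
    record_id: int
    script_block_text: str


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma |contains modifier: substring match, case-insensitive by default."""
    return needle.lower() in value.lower()


def match_rule(event: ScriptBlockEvent) -> bool:
    """condition: selection_cmdlet -> the rule fires when the one selection matches."""
    return sigma_contains(event.script_block_text, PATTERN)


def hunt(events):
    """Return the record ids of all events the rule would flag."""
    return [e.record_id for e in events if match_rule(e)]


# Constructed sample script blocks, not real telemetry.
SAMPLE_EVENTS = [
    ScriptBlockEvent(1, "Enable-PSRemoting -Force"),
    ScriptBlockEvent(2, "enable-psremoting -SkipNetworkProfileCheck"),  # case differs
    ScriptBlockEvent(3, "Get-Service WinRM | Start-Service"),           # same goal, not matched
    ScriptBlockEvent(4, "Enable-PSRemoting"),                           # no trailing space
    ScriptBlockEvent(5, "Disable-PSRemoting -Force"),
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # [1, 2]
```

Record 4 illustrates the rule's blind spot: the cmdlet run with no arguments produces a script block without the trailing space the literal requires.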