Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote system. WinRM sessions can be established using WinRM/WinRS commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.
Attacker's Goals
Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote endpoint. WinRM sessions can be established using winrm/winrs commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.
Investigative actions
Investigate the endpoints participating in the session.
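To support that investigation, the following added example (not part of the detector or the vendor's code) extracts the source and remote endpoint of each WinRM session from process command lines that use winrs or PowerShell remoting. The event records, host names and the `winrm_sessions` and `normalize` helpers are constructed for illustration, and applying the 1-day deduplication period per source/target pair is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation records (host, timestamp, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-014", "2024-05-02T09:15:00", r"winrs.exe -r:SRV-DB01 cmd /c whoami"),
    ("WS-014", "2024-05-02T13:40:00", r"winrs -r:https://srv-db01:5986 ipconfig"),
    ("WS-022", "2024-05-02T10:05:00",
     r"powershell.exe -c Invoke-Command -ComputerName SRV-FS02 -ScriptBlock {hostname}"),
    ("WS-022", "2024-05-02T10:06:00", r"powershell.exe Get-ChildItem C:\Temp"),
    ("WS-014", "2024-05-03T09:30:00", r"powershell Enter-PSSession -ComputerName srv-db01"),
]

# winrs names its target with -r:/-remote:; PowerShell remoting cmdlets use -ComputerName.
# Simplification: parameter aliases and multi-host lists are not parsed.
WINRS = re.compile(r"\bwinrs(?:\.exe)?\b.*?[-/]r(?:emote)?:(\S+)", re.I)
PSREMOTE = re.compile(
    r"\b(?:Invoke-Command|Enter-PSSession|New-PSSession)\b.*?-ComputerName\s+([^\s,;]+)", re.I)

def normalize(target):
    """Reduce a host name or WinRM URL (http://host:5985/...) to an upper-case host name."""
    host = re.sub(r"^[a-z]+://", "", target.strip("'\""), flags=re.I)
    return host.split("/")[0].split(":")[0].upper()

def winrm_sessions(events, dedup=timedelta(days=1)):
    """Return (source, target, timestamp) per WinRM session, one per pair per dedup window."""
    last_seen, sessions = {}, []
    for host, ts, cmdline in sorted(events, key=lambda e: e[1]):
        match = WINRS.search(cmdline) or PSREMOTE.search(cmdline)
        if not match:
            continue  # not a WinRM client invocation
        when = datetime.fromisoformat(ts)
        pair = (host.upper(), normalize(match.group(1)))
        if pair in last_seen and when - last_seen[pair] < dedup:
            continue  # same endpoints already reported inside the window
        last_seen[pair] = when
        sessions.append((pair[0], pair[1], ts))
    return sessions

if __name__ == "__main__":
    for source, target, ts in winrm_sessions(SAMPLE_EVENTS):
        print(f"{ts}  {source} -> {target}")
```

Each reported pair names the two endpoints to review: the source for who launched the session and why, and the target for what ran there.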