Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
intel-tdt | Intel Threat Detection Technology | CrowdStrike AMS | T1021.006 | Windows Remote Management |
Comments
Intel Threat Detection Technology (TDT), combined with CrowdStrike Falcon Accelerated Memory Scanning (CAMS), enhances cybersecurity defenses by enabling faster, real-time detection of Windows Remote Management (T1028) attacks. This integrated solution strengthens CrowdStrike Falcon, improving its ability to detect and mitigate cyber threats earlier in the kill chain while minimizing system performance impact.
Windows Remote Management (T1028) allows administrators to remotely manage Windows systems, but it is also frequently targeted by adversaries to gain remote access to a network. Attackers often exploit Windows Management Instrumentation (WMI) or PowerShell remoting to issue commands, execute code, or move laterally across a network using this tool. Intel TDT plays a crucial role by providing real-time telemetry on program execution, memory access, and control flow, enabling detection of unusual or unauthorized use of remote management tools, such as unexpected remote sessions or malicious commands being issued to target systems.
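The telemetry signals named above (unexpected remote sessions, commands issued to target systems) can be illustrated with a small host-log detector. The following is an added example and is not code from Intel, CrowdStrike, or MITRE; it assumes Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records in JSON, uses the fact that commands received over WinRM/PowerShell remoting run as children of `wsmprovhost.exe` and that WinRM listens on TCP 5985/5986, and treats the allow-list of administrative source hosts as a site-specific assumption. The sample events are constructed.

```python
import json

WINRM_PORTS = {5985, 5986}              # WinRM HTTP and HTTPS listener ports
WINRM_HOST_PROCESS = "wsmprovhost.exe"  # hosts commands received over WinRM

# Constructed Sysmon-style records (not real logs): one process spawned by the
# WinRM host process, one benign process, and three outbound connections.
SAMPLE_EVENTS = [
    json.dumps(e) for e in (
        {"EventID": 1, "Computer": "srv01", "User": "CORP\\jdoe",
         "Image": "C:\\Windows\\System32\\cmd.exe",
         "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe",
         "CommandLine": "cmd.exe /c whoami"},
        {"EventID": 1, "Computer": "srv01", "User": "CORP\\jdoe",
         "Image": "C:\\Windows\\explorer.exe",
         "ParentImage": "C:\\Windows\\System32\\userinit.exe",
         "CommandLine": "explorer.exe"},
        {"EventID": 3, "Computer": "ws07", "User": "CORP\\jdoe",
         "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "DestinationIp": "10.0.0.5", "DestinationPort": 5985},
        {"EventID": 3, "Computer": "adminjump", "User": "CORP\\ops-admin",
         "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "DestinationIp": "10.0.0.5", "DestinationPort": 5986},
        {"EventID": 3, "Computer": "ws07", "User": "CORP\\jdoe",
         "Image": "C:\\Program Files\\Browser\\browser.exe",
         "DestinationIp": "93.184.216.34", "DestinationPort": 443},
    )
]


def basename(path):
    """Last path component, tolerant of Windows separators on any OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(lines):
    """Decode one JSON record per line."""
    return [json.loads(line) for line in lines]


def is_winrm_child(ev):
    """Process created by the WinRM provider host: a command run via WinRM."""
    return ev.get("EventID") == 1 and basename(ev.get("ParentImage", "")) == WINRM_HOST_PROCESS


def is_winrm_client_connection(ev):
    """Outbound connection to a WinRM listener port."""
    return ev.get("EventID") == 3 and int(ev.get("DestinationPort", 0)) in WINRM_PORTS


def detect(lines, allowed_sources=frozenset()):
    """Return findings for WinRM-hosted processes and for WinRM client
    connections from hosts outside the (assumed) administrative allow-list."""
    findings = []
    for ev in parse_events(lines):
        if is_winrm_child(ev):
            findings.append({"rule": "winrm_child_process",
                             "computer": ev.get("Computer"),
                             "user": ev.get("User"),
                             "detail": ev.get("CommandLine")})
        elif is_winrm_client_connection(ev) and ev.get("Computer") not in allowed_sources:
            findings.append({"rule": "winrm_client_connection",
                             "computer": ev.get("Computer"),
                             "user": ev.get("User"),
                             "detail": f"{basename(ev.get('Image', ''))} -> "
                                       f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, allowed_sources={"adminjump"}):
        print(finding)
```

The child-process rule is the server-side view (what ran on the target), the connection rule is the client-side view (who reached for a WinRM listener); correlating the two across hosts and excluding known jump hosts is what keeps the remote-session signal from being drowned out by legitimate administration.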