Evil-Winrm Detection

cY83rR0H1t
Feb 27, 2024

Objectives:
Gain a basic understanding of the initial steps involved in investigating a system using the Windows Remote Management (WinRM) protocol.

Steps:
1. Port Identification: Evil-WinRM connects to the WinRM service port, commonly 5985 for HTTP or 5986 for HTTPS.

2. Authentication: After identifying the port, Evil-WinRM authenticates to the target Windows system with the supplied credentials; the tool takes the target IP, username and password as options.

3. Session Establishment: Upon successful authentication, Evil-WinRM opens a remote PowerShell session on the target system. This established connection allows further interaction and post-exploitation activity.

Using NMAP to identify the open port.

An exposed port 5985 presents an elevated risk that attackers leverage the Windows Remote Management (WinRM) service for remote code execution (RCE).

Using Evil-winrm in Linux.

Triggered Event ID 4103 and 800.

Event ID 4103
Event ID 800

Testing which Event IDs are generated when an incorrect command is entered.

QRadar detection rule:

QRadar Rule

Generated an alert on the QRadar console.

Rule Triggered

Sigma Rule:

title: Hacktool Evil-Winrm Tool
id: b1d34cd1-5c5d-481d-821d-4e17d8b73fa1
status: experimental
description: Suspicious usage of Evil-Winrm detection using PowerShell event.
author: Rohit Jain
date: 2024/02/25
tags:
    - attack.initial_access
logsource:
    product: windows
    category: ps_module
detection:
    selection:
        EventID: 4103
        Payload|contains|all:
            - Invoke-Expression
            - (get-location).path
            - CommandInvocation(Out-String)
            - ParameterBinding(Out-Default)
            - value=(\"C:\\Users\\(.{1,})\\Documents\")
            - C:\Windows\system32\wsmprovhost.exe
    condition: selection
falsepositives:
    - N/A
level: medium
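To show what the rule above actually does against log data, here is an added example that is not part of the original post: a small Python matcher that applies the same "contains all" logic to constructed Event ID 4103 payloads. The sample records are constructed to mirror the layout of a PowerShell module-logging event (CommandInvocation / ParameterBinding lines followed by a Context block); they are not real captures. The rule lists the Documents-path term in regex-like form, so this example treats that one term as a regular expression, which is an assumption about the author's intent.

```python
import re
from dataclasses import dataclass

# Literal substrings required by the Sigma rule's contains|all list.
REQUIRED_SUBSTRINGS = [
    "Invoke-Expression",
    "(get-location).path",
    "CommandInvocation(Out-String)",
    "ParameterBinding(Out-Default)",
    r"C:\Windows\system32\wsmprovhost.exe",
]

# The rule's value=("C:\Users\(.{1,})\Documents") term, interpreted as a regex
# (assumption: the author meant "any user's Documents folder").
DOCUMENTS_PATH_RE = re.compile(r'value="C:\\Users\\.{1,}\\Documents"', re.IGNORECASE)


@dataclass
class PsEvent:
    """Minimal view of a PowerShell module-logging record."""
    event_id: int
    payload: str


def matches_evil_winrm_rule(event: PsEvent) -> bool:
    """Return True when the event satisfies every condition of the Sigma rule."""
    if event.event_id != 4103:
        return False
    haystack = event.payload.lower()  # Sigma string matching is case-insensitive
    if not all(term.lower() in haystack for term in REQUIRED_SUBSTRINGS):
        return False
    return DOCUMENTS_PATH_RE.search(event.payload) is not None


def find_hits(events):
    """Return the indices of events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_evil_winrm_rule(ev)]


# Constructed sample records (not real captures).
EVIL_WINRM_PROMPT_PAYLOAD = (
    'CommandInvocation(Out-String): "Out-String"\r\n'
    'ParameterBinding(Out-String): name="InputObject"; value="C:\\Users\\alice\\Documents"\r\n'
    'CommandInvocation(Out-Default): "Out-Default"\r\n'
    'ParameterBinding(Out-Default): name="InputObject"; value="C:\\Users\\alice\\Documents"\r\n'
    '\r\n\r\nContext:\r\n'
    '        Severity = Informational\r\n'
    '        Host Name = ServerRemoteHost\r\n'
    '        Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\r\n'
    '        Command Name = Invoke-Expression\r\n'
    '        Command Line = (get-location).path\r\n'
)

LOCAL_ADMIN_PAYLOAD = (
    'CommandInvocation(Out-String): "Out-String"\r\n'
    'CommandInvocation(Out-Default): "Out-Default"\r\n'
    'ParameterBinding(Out-Default): name="InputObject"; value="System.Diagnostics.Process"\r\n'
    '\r\n\r\nContext:\r\n'
    '        Severity = Informational\r\n'
    '        Host Name = ConsoleHost\r\n'
    '        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\n'
    '        Command Name = Invoke-Expression\r\n'
    '        Command Line = Get-Process\r\n'
)

SAMPLE_EVENTS = [
    PsEvent(4103, EVIL_WINRM_PROMPT_PAYLOAD),  # remote session prompt: should hit
    PsEvent(4103, LOCAL_ADMIN_PAYLOAD),        # local Invoke-Expression use: should not
    PsEvent(800, EVIL_WINRM_PROMPT_PAYLOAD),   # same text on Event 800: rule is scoped to 4103
]

if __name__ == "__main__":
    for idx in find_hits(SAMPLE_EVENTS):
        print(f"event {idx}: Evil-WinRM rule matched (Event ID {SAMPLE_EVENTS[idx].event_id})")
```

The third sample shows a scoping choice worth making explicit: the post observed both Event ID 4103 and 800 firing, but the rule keys only on 4103, so an equivalent check over 800 would have to be written as a separate selection if both sources are to alert.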
