Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management Protocol, a SOAP-based protocol carried over HTTP (port 5985) and HTTPS (port 5986). WinRM gives systems a way to access and exchange information across networked infrastructure, and many infrastructure-as-code and configuration management tools leverage it to manage Windows servers.
How WinRM works
Canary's WinRM service implements a minimal subset of the WS-Management Protocol, enough for a Canary to appear as a box running WinRM. When a client, such as PowerShell, tries to connect or execute a remote script, the Canary fires off an alert.
Authentication is required before any WinRM command can run. It is during this exchange (Basic auth, NTLM or Kerberos) that the Canary gathers details about the connecting client and then gracefully denies further access.
Setting Up WinRM
Log in to your Console. Click on the Canary you want to configure. Click on Configure Canary to open its settings.
Near the bottom of the modal, you'll see the Windows Remote Management toggle and the WinRM configuration options.
By default both HTTP and HTTPS are enabled on their standard ports. Deploy these settings.
Interacting with Canary WinRM Service
The PowerShell cmdlets New-PSSession, Enter-PSSession, and Invoke-Command allow running commands on a remote host via WinRM.
PS C:\Users\Administrator> $psOptions = New-PSSessionOption -SkipCNCheck -SkipCACheck
PS C:\Users\Administrator> Enter-PSSession -URI https://10.0.1.107:5986 -Credential (Get-Credential) -Authentication Basic -SessionOption $psOptions
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Enter-PSSession : Connecting to remote server 10.0.1.107 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
+ Enter-PSSession -URI https://10.0.1.107:5986 -Credential (Get-Credent ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (https://10.0.1.107:5986/:Uri) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
Enter-PSSession tried to initiate a session using Basic auth. Our Canary played along and finally denied the connection. Checking the Console, we see the reported incident and its related information.
Basic auth sends the username and password themselves, e.g. Username: Adam and Password: PAMPASS. Depending on the auth type used, different information can be gathered: Kerberos and NTLM do not reveal the password.
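As an added illustration (not Canary's own code) of what the authentication exchange hands a listener in the Canary's position, the following Python decodes a WinRM client's Authorization header: Basic yields the username and password, an NTLM Type 3 message yields domain, user and workstation but no password, and a Kerberos/SPNEGO token yields only its type. Field offsets follow the MS-NLMP layout; the sample headers and the Type 3 builder are constructed for the example, not captured traffic.

```python
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # MS-NLMP flag: string fields are UTF-16LE

def build_ntlm_type3(domain, user, workstation):
    """Construct a minimal NTLM AUTHENTICATE (Type 3) message for testing.
    LM/NT responses and the session key are left empty; only identity fields are set."""
    payload_start, payload, fields = 64, b"", []  # 64-byte header: field descriptors + flags
    for value in (domain, user, workstation):
        data = value.encode("utf-16-le")
        fields.append(struct.pack("<HHI", len(data), len(data), payload_start + len(payload)))
        payload += data
    empty = struct.pack("<HHI", 0, 0, payload_start)
    header = b"NTLMSSP\x00" + struct.pack("<I", 3) + empty + empty + b"".join(fields) + empty
    return header + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload

def _ntlm_field(blob, offset):
    """Read an NTLM (len, maxlen, offset) field descriptor and return the referenced bytes."""
    length, _maxlen, start = struct.unpack_from("<HHI", blob, offset)
    return blob[start:start + length]

def parse_winrm_auth(authorization):
    """Classify the Authorization header of a WinRM request and extract what the client
    volunteered: Basic gives credentials, NTLM Type 3 gives identity only, Kerberos a token."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() == "basic":
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
        return {"auth_type": "Basic", "username": user, "password": password}
    if scheme.lower() in ("negotiate", "ntlm"):
        blob = base64.b64decode(token)
        if blob.startswith(b"NTLMSSP\x00"):
            msg_type = struct.unpack_from("<I", blob, 8)[0]
            result = {"auth_type": "NTLM", "message_type": msg_type}
            if msg_type == 3:  # only the AUTHENTICATE message carries identity fields
                enc = "utf-16-le" if struct.unpack_from("<I", blob, 60)[0] & NTLMSSP_NEGOTIATE_UNICODE else "ascii"
                for name, off in (("domain", 28), ("username", 36), ("workstation", 44)):
                    result[name] = _ntlm_field(blob, off).decode(enc)
            return result
        if blob[:1] == b"\x60":  # DER APPLICATION tag: SPNEGO/Kerberos token, no credentials inside
            return {"auth_type": "Kerberos"}
    return {"auth_type": scheme, "note": "unrecognised scheme or token"}

# Constructed samples (not real captures): the Basic header PowerShell would send for
# Adam/PAMPASS, an NTLM Type 3 for CORP\Adam from WS01, and a fake DER-tagged token.
SAMPLE_BASIC = "Basic " + base64.b64encode(b"Adam:PAMPASS").decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(build_ntlm_type3("CORP", "Adam", "WS01")).decode()
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(b"\x60\x06\x06\x04\x2b\x06\x01\x05").decode()
```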
WinRM sends XML payloads (it is a SOAP-based protocol); these are captured as-is and sent to the Console. The payloads vary and are deliberately not processed, as they may be malicious. Security teams may find useful information within them, and Canary exposes them to assist such teams.