Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol. This is a SOAP based protocol over http(s) on port(s) 5985, 5986. WinRM is used as a way for systems to access and exchange information across networked infrastructure. Many infrastructure as code and configuration management tools leverage WinRM to manage Windows servers.
Canary's WinRM service implements a minimal set of the WS-Management Protocol. This allows a Canary to appear as a box running WinRM. When a client such as Powershell tries to connect or execute a remote script, Canary fires off an alert. Authentication is required prior to running any WinRM commands. It is during this exchange (Basic auth, NTLM, Kerberos) that the Canary gathers details about the connecting client and gracefully denies further access.
Setting Up WinRM
Near the bottom of the Configure Canary modal you'll see the enable Windows Remote Management toggle and the WinRM configuration options. Defaults are both http and https running on the typical ports. Deploy these settings.
Interacting with Canary WinRM Service
Powershell commands New-PSSession, Enter-PSSession, Invoke-Command allow running commands on a remote host via WinRM.
PS C:\Users\Administrator> $psOptions = New-PSSessionOption -SkipCNCheck -SkipCACheck
PS C:\Users\Administrator> Enter-PSSession -URI https://10.0.1.107:5986 -Credential (Get-Credential) -Authentication Basic -SessionOption $psOptions
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Enter-PSSession : Connecting to remote server 10.0.1.107 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help
topic.
At line:1 char:1
+ Enter-PSSession -URI https://10.0.1.107:5986 -Credential (Get-Credent ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (https://10.0.1.107:5986/:Uri) [Enter-PSSession], PSRemotingTransportException
+ FullyQualifiedErrorId : CreateRemoteRunspaceFailed
Enter-PSSession tried to initiate a session using Basic auth. Our Canary played along and finally denied the connection. Checking the Console we see the reported incident and related information.
Basic auth sends over username and password eg: Username: Adam and Password: PAMPASS. Depending on the Auth Type used we can gather different info. Auth type Kerberos or NTLM don't reveal a password. WinRM sends over xml payloads (SOAP based protocol) and these are captured as is and sent to the Console. These payloads will vary and are not processed as they may be malicious. Security teams may find useful info within and Canary exposes this for assisting such teams.