Home  >  APT29  >  Results  >  F-Secure  >  Windows Remote Management

Technique Results: Windows Remote Management (T1028) Technique Page Information

The ATT&CK technique page displays all procedures used to test the technique, and their respective detections. The Procedure column contains a description of how the technique was tested . The Step column is where the procedure occurred in the operational flow. Click the Step Number to view it in the Operational Flow panel. Detections are classified by one or more Detection Types, summarized by the Detection Notes, and may be supported by screenshots.

MITRE does not assign scores, rankings, or ratings. The evaluation results are available to the public, so other organizations may provide their own analysis and interpretation - these are not endorsed or validated by MITRE.

Vendor Configuration     All Results JSON Legend
Legend
Main Detection Categories: Detection Modifiers:

None

Telemetry

Indicator of
Compromise

General
Behavior

MSSP

General

Tactic

Specific
Behavior

Technique

Enrichment

Tainted

Alert

Correlated

Delayed

Host
Interrogation

Residual
Artifact

Configuration
Change

Innovative
Procedures Criteria Step
Detection Type Detection Notes
Established WinRM connection to remote host Scranton (10.0.1.4)
Network connection to Scranton (10.0.1.4) over port 5985
8.A.2
Technique (Alert)
A Technique alert detection (medium severity) was generated due to PowerShell using WinRM. [1] [2]
Telemetry
Telemetry showed powershell.exe executing Invoke-Command and connected to remote host Scranton (10.0.1.4) over port 5985. [1] [2]
Established a WinRM connection to the domain controller host NewYork (10.0.0.4)
Network connection to NewYork (10.0.0.4) over port 5985
16.C.1
Technique (Alert)
A Technique alert detection (informational severity) for Windows Remote Management was generated for powershell.exe making a network connection to remote host NewYork (10.0.0.4) over port 5985. [1]
Telemetry
Telemetry showed powershell.exe making a network connection to remote host NewYork (10.0.0.4) over port 5985. [1]
Established a WinRM connection to the remote host Scranton (10.0.1.4) using the Golden Ticket as credentials
Network connection to Scranton (10.0.1.4) over port 5985
20.B.2
Technique (Alert)
A Technique alert detection (informational severity) was generated for PowerShell using Windows Remote Management. [1]
Telemetry
Telemetry showed PowerShell execution of Enter-PSSession and the corresponding powershell.exe network connection to remote host Scranton (10.0.1.4) over port 5985. [1] [2]