Detection of “Evil-WinRM”
What is “evil-winrm”/WinRM?
Evil-WinRM is a post-exploitation tool that provides a streamlined and efficient way to interact with Windows systems via Windows Remote Management (WinRM). It’s widely used in penetration testing and Capture the Flag (CTF) scenarios, like HackTheBox, to establish an interactive shell on a compromised system.
Windows Remote Management (WinRM) is a Windows service that enables remote management of systems. It is based on the Web Services Management (WS-Man) protocol, which allows remote interaction with a system via:
- Remote command execution
- Scripting (via PowerShell)
- Configuration management
By default:
- WinRM listens on port 5985 (HTTP) and port 5986 (HTTPS).
- It supports authentication methods such as NTLM, Kerberos, or Basic Authentication (if enabled).
Analysis
In order to make connections via WinRM possible, I opened my victim machine and typed winrm quickconfig
which will, as the command name hints, quickly configure WinRM. After it finished, I opened my Kali box and typed the following:
As we can see, we got a connection. Upon successful authentication, Evil-WinRM initiates a remote PowerShell session with the target system. The tool is quite simple in the way it works, unlike “ATExec” and “PSExec”, which also generate more visible artifacts such as services and task files.
Detection — prerequisites
In order to detect the usage of Evil-WinRM, we will leverage PowerShell Module Logging. On the victim machine, I opened the Group Policy Editor and performed the following:
- Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell.
- Select: Turn on Module Logging
- Click on “Show” next to “Module Names”, and type:
- Click OK
- Open CMD and type:
gpupdate /force
which forces the Group Policy update to apply immediately.
Now I will reconnect from Kali to my victim machine. After I do that, we can see the artifacts it generates via Event Viewer, under the path Applications and Services Logs > Microsoft > Windows > PowerShell > Operational:
It is important to note that after the connection is established, every subsequent command the attacker types will appear in place of “(get-location).path”. What we are detecting here is only the initial Evil-WinRM connection.
That’s a solid indicator. Since I am using QRadar as my lab SIEM, I can see the event in this form:
I will parse three fields of interest, upon which the detection rule will be created:
- “Command” which uses the regex Command Name = (.+?(?=\s*Command\sType))
- “Command Value” which uses the regex value="(.+?)name
- “Process Path” which uses the regex Host Application = (.+?(?=\s*Engine\sVersion))
Then, I can create the rule like this:
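As an added example (not the article's QRadar rule or any Evil-WinRM code), here is the same idea in Python: the article's “Command” and “Process Path” regexes are applied verbatim to constructed Module Logging (Event ID 4103) payloads, and a rule flags the initial “(get-location).path” lookup only when it runs inside the WinRM provider host, wsmprovhost.exe (an assumption about the Host Application value, which the article's screenshots do not spell out). The “Command Value” pattern is simplified to stop at the closing quote, since the SIEM's flattened payload layout is not reproduced here.

```python
import re

# Field extractions from the article; Command Value is simplified to stop at the
# closing quote (assumption: the SIEM's flattened layout is not reproduced here).
FIELD_PATTERNS = {
    "command": re.compile(r"Command Name = (.+?(?=\s*Command\sType))"),
    "command_value": re.compile(r'value="(.+?)"'),
    "process_path": re.compile(r"Host Application = (.+?(?=\s*Engine\sVersion))"),
}

# Constructed samples shaped like PowerShell Module Logging (Event ID 4103)
# messages; not real captures. First: the initial Evil-WinRM prompt lookup.
EVIL_WINRM_EVENT = """CommandInvocation(Get-Location): "Get-Location"
ParameterBinding(Out-Default): name="InputObject"; value="(get-location).path"
Context:
        Host Name = ServerRemoteHost
        Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding
        Engine Version = 5.1.19041.1
        Command Name = Get-Location
        Command Type = Cmdlet
"""
# Second: the same cmdlet run interactively in a local console (must not fire).
LOCAL_CONSOLE_EVENT = """CommandInvocation(Get-Location): "Get-Location"
ParameterBinding(Out-Default): name="InputObject"; value="C:\\Users\\admin"
Context:
        Host Name = ConsoleHost
        Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
        Engine Version = 5.1.19041.1
        Command Name = Get-Location
        Command Type = Cmdlet
"""

def parse_module_log_event(payload: str) -> dict:
    """Extract Command, Command Value and Process Path from one event payload."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = pattern.search(payload)
        fields[name] = match.group(1).strip() if match else None
    return fields

def is_evil_winrm_connection(fields: dict) -> bool:
    """The rule: the "(get-location).path" prompt lookup executed inside the
    WinRM provider host (wsmprovhost.exe), i.e. a remote session, not a console."""
    value = (fields.get("command_value") or "").lower()
    host = (fields.get("process_path") or "").lower()
    return value == "(get-location).path" and "wsmprovhost.exe" in host

def scan(payloads) -> list:
    # Return the parsed fields of every payload that matches the rule.
    parsed = (parse_module_log_event(p) for p in payloads)
    return [f for f in parsed if is_evil_winrm_connection(f)]
```

Every later command in the session overwrites the Command Value field, so only the first event of a session matches; a SIEM rule built on these fields should therefore be treated as a connection indicator, not a per-command trace.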
If you enjoyed the article, feel free to connect with me!
https://www.linkedin.com/in/daniel-koifman-61072218b/
https://x.com/KoifSec
https://koifsec.medium.com/