Lateral Movement: Windows Remote Management
In order to achieve lateral movement, threat actors will use a valid account to access remote systems, such as the Windows Remote Management service. In this way, the threat actor can move around the network and search for valuable information or greater access. Learn more and get hands-on with this technique by detecting it in our virtual lab.
Already have an account? Sign In »
Module 1: APT29 Introduction
Module 2: Lateral Movement: Windows Remote Management
2.1What is the “Remote Services: Windows Remote Management” Technique?
2.2Detection, Validation, and Mitigation (Lab)
Lateral Movement is the general group of techniques used to expand access to other systems and applications within a compromised environment. This course will focus on technique Remote Services, and specifically the sub-technique Windows Remote Management. Publicly available threat intelligence suggests that APT29 has made use of this sub-technique to run commands and launch payloads laterally on other hosts in target environments.
Windows Remote Management (“WinRM”) is a service specifically designed to enable remote interaction with another Windows system in a network. It is therefore an ideal candidate for adversaries that wish to move laterally in an environment where this service is available and where the adversary possesses access to sufficiently privileged credentials.
Learn how to detect and mitigate this technique to protect your organization from this highly sophisticated type of attack.
Apply what you learn and get the hands-on skills you need in Cybrary's MITRE ATT&CK Framework courses aligned to the tactics and techniques used by the threat group APT29. Prevent adversaries from accomplishing the tactic of lateral movement.
Chris Daywalt
Security Freelancer
Matthew Mullins
Technical Manager, Red Team
Complete this entire course to earn a Lateral Movement: Windows Remote Management Certificate of Completion