Infection Monkey: Exploiting WinRM With PowerShell Remoting

What did the Monkey say when it saw Windows Remote Management (WinRM) enabled?

Exploit with PowerShell remoting! 🐒🐒🐒

To propagate successfully, ransomware and other threats need an entry point and a way to move from one machine to the next. PowerShell remoting over WinRM is a common and often fruitful tactic for attackers who want to turn a single foothold into many.

The latest version of Infection Monkey shows you just how well you’d fare if an attacker used that tactic on your network today. 

Will current security measures hold? 

How fast can your teams and tools respond?

The Infection Monkey will help you find the answers. As a bonus, if the Monkey succeeds, you'll also see how far it can propagate from the first victim using any other tactics you have enabled. Armed with the simulation's findings, you and your team can validate or adjust your security strategy based on real-world data rather than textbook hypotheticals.

Just Who Is This Cheeky Yet Clever Primate?

If you haven't met the Infection Monkey yet, allow us to introduce you! The Infection Monkey, powered by Guardicore, is a breach and attack simulation platform that lets you prove, continuously, that your security posture is effective and that your team can respond to an incident promptly and effectively.

The Monkey is safe for production use, and it also isn’t choosy. On-premises, containers, public and private clouds are all supported.

How to Go Bananas With the Newest Exploit

1. Configuring the Attack

Navigate to the Configuration page. The PowerShell remoting exploiter is turned on by default (as is every other exploiter that is safe to run in production). If you want to focus on this tactic specifically, you can disable all the other exploiters. Still, we recommend leaving them on so you can see how many machines the Monkey (and, in turn, an attacker) can infect with other tactics.

[Screenshot: Infection Monkey configuration]

You can also click on the Network tab to tweak the scope of the simulated attack, including:

  • How far the Monkey should spread from the initial machine
  • Whether the Monkey should attempt to attack any machine in its own subnet
  • Which subnets the Monkey should scan and target (and which it should avoid)

[Screenshot: Infection Monkey network configuration]

2. Credentials Breakdown

If you have a specific list of credentials you’d like to test, you can also feed them to the Infection Monkey in the configuration settings. This is especially useful for simulating attacks that use stolen usernames and passwords. 

[Screenshot: Infection Monkey credentials configuration]

Don’t worry; the Infection Monkey never distributes this data outside your network and uses it during the simulation only. You can easily eliminate it by resetting the configuration of your Monkey Island.

If you don’t want to get that fancy the first time you run the Monkey, don’t worry, the Monkey has plenty of default tricks up its sleeves (well, it would if it wore a shirt). 

The PowerShell remoting exploiter runs from both Linux and Windows Monkey agents (the "attacker" side of the simulation). On a Windows attacker, the exploiter can use the cached username and password of the user the agent is running as. On both Linux and Windows attackers, the exploiter tries every combination of the user-configured usernames and passwords (see usage/configuration/basic-credentials in the Infection Monkey documentation), as well as any LM or NT hashes the Monkey collected from machines it has already compromised.

Different combinations of credentials are attempted in the following order:

  1. Cached username and password (Windows attacker only): the exploiter uses the stored credentials of the current user to attempt to log into the victim machine.

  2. Brute force usernames with blank passwords: Windows allows a user to be configured with a blank/empty password. The exploiter attempts to log into the victim machine with each username set in the configuration and a blank password.
    For this to succeed, the victim must have Basic authentication enabled and accept unencrypted traffic over HTTP. Note that Windows also blocks network logons with a blank password by default (the "Accounts: Limit local account use of blank passwords to console logon only" policy), so this step normally only succeeds on hosts that have been deliberately weakened.

  3. Brute force usernames with cached password (Windows attacker only): the exploiter attempts to log into the victim machine with each username set in the configuration and the current user's cached password.

  4. Brute force usernames and passwords: the exploiter tries every combination of the usernames and passwords set in the configuration.

  5. Brute force usernames and LM hashes: the exploiter tries every combination of the usernames set in the configuration and the LM hashes collected from other victims.

  6. Brute force usernames and NT hashes: the exploiter tries every combination of the usernames set in the configuration and the NT hashes collected from other victims.

LM and NT hashes can also be set in the configuration by the user (see screenshot), so the Monkey uses both the configured hashes and the ones collected from other victims.

[Screenshot: Infection Monkey hash configuration]
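The following is an added example, not Infection Monkey code, that reproduces the credential order described above (steps 1 to 4) with the built-in PowerShell remoting cmdlets, so you can see against a lab host of your own which combination gets through. Steps 5 and 6 have no equivalent here: New-PSSession cannot authenticate with an LM or NT hash, so the Monkey's hash attempts are omitted. The target name, usernames and passwords are constructed sample inputs, and $CachedPassword is an assumption: the tester supplies the current user's password instead of the agent reading it from the session.

```powershell
# Added example, not Infection Monkey code. Builds the candidate list in the
# exploiter's order (steps 1-4) and tries each against a WinRM target.

function Get-CandidateCredentials {
    param(
        [string[]]$Usernames,
        [string[]]$Passwords,
        [string]$CachedPassword     # assumption: supplied by the tester
    )
    $candidates = New-Object System.Collections.Generic.List[object]

    # Step 1: the current user's cached credentials. $null makes New-PSSession
    # authenticate with the caller's own logon token.
    $candidates.Add([pscustomobject]@{ Step = 1; Label = 'cached user'; Credential = $null })

    # Step 2: every configured username with a blank password.
    foreach ($u in $Usernames) {
        $candidates.Add([pscustomobject]@{
            Step = 2; Label = "$u / <blank>"
            Credential = [pscredential]::new($u, (New-Object System.Security.SecureString))
        })
    }

    # Step 3: every configured username with the current user's cached password.
    if ($CachedPassword) {
        foreach ($u in $Usernames) {
            $candidates.Add([pscustomobject]@{
                Step = 3; Label = "$u / <cached password>"
                Credential = [pscredential]::new($u, (ConvertTo-SecureString $CachedPassword -AsPlainText -Force))
            })
        }
    }

    # Step 4: every username x password combination from the configuration.
    foreach ($u in $Usernames) {
        foreach ($p in $Passwords) {
            $candidates.Add([pscustomobject]@{
                Step = 4; Label = "$u / $p"
                Credential = [pscredential]::new($u, (ConvertTo-SecureString $p -AsPlainText -Force))
            })
        }
    }
    return $candidates
}

function Test-RemotingCredentials {
    param(
        [Parameter(Mandatory)][string]$Target,
        [object[]]$Candidates,
        [string]$Authentication = 'Default'  # 'Basic' reproduces the blank-password condition
    )
    foreach ($c in $Candidates) {
        $params = @{ ComputerName = $Target; Authentication = $Authentication; ErrorAction = 'Stop' }
        if ($c.Credential) { $params.Credential = $c.Credential }
        try {
            $session = New-PSSession @params
            Remove-PSSession $session
            Write-Host "[+] step $($c.Step): $($c.Label) succeeded"
            return $c            # stop at the first credential that works
        } catch {
            Write-Host "[-] step $($c.Step): $($c.Label) failed ($($_.Exception.Message))"
        }
    }
    return $null
}

# Constructed sample inputs; replace them with the credentials you want to test.
$candidates = Get-CandidateCredentials -Usernames @('Administrator', 'backup') `
                                       -Passwords @('Password1', 'Winter2021!')
Test-RemotingCredentials -Target 'winrm-lab-01' -Candidates $candidates
```

Run it from a machine that is allowed to reach the target's WinRM port (5985 for HTTP, 5986 for HTTPS). Every failed attempt shows up as a failed logon on the target, which is exactly the signal your detection tooling should be raising while the Monkey runs.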

3. Run the Monkey!

Now it’s time to release the Infection Monkey against your network. Click Run Monkey and select where you’d like the Monkey to start its attack.

[Screenshot: Infection Monkey run dialog]

While the Monkey agents get down to business, you can monitor their progress in the Infection Map view.

4. Review the Data

Once the simulation is complete, you can navigate to the Reports section to see more detailed information on the Monkey’s activities in your network. The results will also include actionable recommendations for improving your security posture.

[Screenshot: Infection Monkey reports]

In the Security Report, you’ll be able to see the specifics of how an attack involving PowerShell remoting would unfold today in your network. 

Found an issue? Microsoft provides documentation covering the security considerations of PowerShell remoting, including the authentication and encryption settings the exploiter relies on.
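As an added example (not from Infection Monkey or Microsoft's documentation), the script below checks, on a host the Monkey reached, the WinRM settings that make the blank-password and Basic-authentication attempts described earlier possible, and offers a function that sets them back to safe values. It assumes it is run in an elevated PowerShell session on the victim with the WinRM service running, since the WSMan: drive is not available otherwise.

```powershell
# Added example, not Infection Monkey code. Run elevated on the host under test.

function Get-WinRMExposure {
    # WSMan provider paths paired with the value that is safe. Basic auth and
    # unencrypted transport are what a blank-password logon over HTTP needs.
    $checks = @(
        @{ Path = 'WSMan:\localhost\Service\Auth\Basic';       Safe = 'false' }
        @{ Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Safe = 'false' }
        @{ Path = 'WSMan:\localhost\Client\Auth\Basic';        Safe = 'false' }
        @{ Path = 'WSMan:\localhost\Client\AllowUnencrypted';  Safe = 'false' }
    )
    foreach ($c in $checks) {
        $value = (Get-Item $c.Path).Value
        [pscustomobject]@{
            Setting = $c.Path
            Current = $value
            Weak    = ($value -ne $c.Safe)
        }
    }

    # "Accounts: Limit local account use of blank passwords to console logon only".
    # The default value 1 blocks network logons (including WinRM) with a blank password.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LimitBlankPasswordUse
    [pscustomobject]@{
        Setting = 'HKLM\...\Lsa\LimitBlankPasswordUse'
        Current = $lsa.LimitBlankPasswordUse
        Weak    = ($lsa.LimitBlankPasswordUse -ne 1)
    }
}

function Set-WinRMHardened {
    # Applies the safe values from Get-WinRMExposure. Requires elevation.
    Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $false
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item WSMan:\localhost\Client\Auth\Basic        -Value $false
    Set-Item WSMan:\localhost\Client\AllowUnencrypted  -Value $false
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LimitBlankPasswordUse -Value 1
}

Get-WinRMExposure | Format-Table -AutoSize
# Review the table, then run Set-WinRMHardened and re-run the Monkey.
```

Any row marked Weak is a setting the simulation was able to lean on. Fixing it and re-running the Monkey (step 5 below) is the fastest way to confirm that the blank-password and Basic-auth paths are now closed.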

5. Rinse and Repeat

Think you’ve resolved all security issues? 

Great—now go tell the Monkey to get back to work! Running the Infection Monkey after any changes helps ensure your organization is prepared for today’s evolving threats.

With ransomware on the rise, organizations of any size should take a moment to check whether they are vulnerable to this PowerShell remoting tactic. By regularly simulating the behavior of real-world malware and attackers, you can have confidence in your security posture's effectiveness when a real threat shows up at your door.
