Windows Remote Shell (WinRS) is a command-line tool that relies on Windows Remote Management (WinRM) to execute commands on remote machines. An attacker can use it to propagate from an infected host to other machines in the victim's network. Use of this remote-execution tool can be observed by configuring Windows audit logging and Sysmon logging.
- A remote attacker infects an internal host in a victim’s network via an unspecified vulnerability.
- From the infected host, the attacker attempts to propagate using a built-in Windows tool (WinRS) that executes commands on remote machines. Execution of the tool creates Windows event log entries for process creation and termination.
- The remote machine responds with the results of the command.
- The remote attacker must already have access to the internal host.
- Valid credentials may be needed to execute commands on the remote server.
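The process-creation events mentioned above are what a defender would actually query. As an added example (not Alert Logic's detection logic and not a WinRS component), the Python below runs two checks over a handful of constructed log records rendered in a simplified key=value form that stands in for Sysmon Event ID 1 and Security Event ID 4688: on the source host it flags any `winrs.exe` process and extracts the remote endpoint from its `-r:`/`-remote:` switch, and on the destination host it flags processes whose parent is `wsmprovhost.exe`, the WinRM host process that WinRS-launched commands run under (general Windows behaviour, not something the advisory states). The sample records, hostnames and account name are all constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records, not real telemetry: a simplified key=value rendering
# of Sysmon Event ID 1 (Image/ParentImage) and Security 4688
# (NewProcessName/CreatorProcessName). Hostnames and the account are made up.
SAMPLE_EVENTS = [
    'EventID=1 Host=WS01 Image=C:\\Windows\\System32\\winrs.exe '
    'CommandLine="winrs -r:FS02 -u:CORP\\svc_backup whoami" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe',
    'EventID=4688 Host=WS01 NewProcessName=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe report.txt" CreatorProcessName=C:\\Windows\\explorer.exe',
    # What the destination host records: the command runs under the WinRM host process.
    'EventID=1 Host=FS02 Image=C:\\Windows\\System32\\whoami.exe '
    'CommandLine="whoami" ParentImage=C:\\Windows\\System32\\wsmprovhost.exe',
    'EventID=4688 Host=WS01 NewProcessName=C:\\Windows\\System32\\winrs.exe '
    'CommandLine="winrs.exe -r:http://DC01:5985 ipconfig /all" '
    'CreatorProcessName=C:\\Windows\\System32\\cmd.exe',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    host: str                      # host that emitted the event
    kind: str                      # "winrs_client" or "winrm_hosted_process"
    image: str                     # process that was created
    target: Optional[str] = None   # remote endpoint named with -r:, client side only
    user: Optional[str] = None     # account passed with -u:, if any
    parent: Optional[str] = None   # parent / creator process


def parse_event(line: str) -> dict:
    """Parse one key=value record into a dict; quoted values have quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (case-insensitive comparisons)."""
    return path.rsplit('\\', 1)[-1].lower()


def winrs_target(cmdline: str) -> Optional[str]:
    """Extract the remote host from a winrs -r:/-remote: (or /r:) switch.
    The switch accepts HOST, HOST:PORT and http(s)://HOST:PORT; only the
    host part is returned. Returns None when no remote switch is present."""
    m = re.search(r'[-/](?:r|remote):(\S+)', cmdline, re.IGNORECASE)
    if not m:
        return None
    endpoint = re.sub(r'^https?://', '', m.group(1), flags=re.IGNORECASE)
    return endpoint.split(':', 1)[0]


def winrs_user(cmdline: str) -> Optional[str]:
    """Extract the account given with -u:/-username:, if any."""
    m = re.search(r'[-/](?:u|username):(\S+)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def detect(lines: List[str]) -> List[Finding]:
    """Apply both checks to a sequence of records and return the findings."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get('Image') or ev.get('NewProcessName', '')
        parent = ev.get('ParentImage') or ev.get('CreatorProcessName', '')
        cmd = ev.get('CommandLine', '')
        host = ev.get('Host', 'unknown')
        if basename(image) == 'winrs.exe':
            # Source-side indicator: the WinRS client itself was launched.
            findings.append(Finding(host, 'winrs_client', image,
                                    winrs_target(cmd), winrs_user(cmd), parent))
        elif basename(parent) == 'wsmprovhost.exe':
            # Destination-side indicator: a process spawned by the WinRM host.
            findings.append(Finding(host, 'winrm_hosted_process', image,
                                    None, None, parent))
    return findings


if __name__ == '__main__':
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host}: {f.kind} image={basename(f.image)} "
              f"target={f.target} user={f.user} parent={basename(f.parent or '')}")
```

The two checks are complementary: the client-side rule names the host the operator is reaching for, so the source and destination findings can be joined on that hostname, while the parent-process rule still fires on the destination when the source host sends no logs at all. A real deployment would read the XML event fields rather than this constructed key=value form, but the matching logic is the same.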
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
Recommendations for Mitigation
The attacker must have exploited some other entry vector to gain access to the local victim host. Ensure that all software on internet-facing hosts is up-to-date.