Lateral Movement via WinRM Quiz

1.Why is WinRM commonly available across enterprise environments without the attacker enabling anything?

• Because attackers typically enable it as their first step
• Because WinRM is enabled by default on Windows Server 2012+ and commonly pushed to workstations via Group Policy
• Because WinRM is part of the NTLM protocol
• Because it shares a port with SMB

2.Why might an attacker choose WinRM over PsExec-style execution for lateral movement?

• Because WinRM is faster than PsExec
• Because WinRM uses an existing service (no new service creation), provides an interactive PowerShell session, and creates less forensic footprint than PsExec
• Because PsExec cannot authenticate with domain credentials
• Because WinRM does not require any credentials

3.What is the difference between the Remote Management Users group and the local Administrators group for WinRM access?

• There is no difference — both provide the same access via WinRM
• Remote Management Users grants WinRM access at the user's own privilege level, while local Administrators grants full administrative control; both can authenticate via WinRM
• Remote Management Users can only use WinRM on the local machine
• Only local Administrators can use WinRM; Remote Management Users is for RDP only

4.What authentication methods work with WinRM, and why does this matter for an attacker?

• WinRM only accepts plaintext passwords
• WinRM authenticates via Kerberos or NTLM, meaning both Pass the Hash and Pass-the-Ticket work — the attacker can use whatever credential material they have
• WinRM requires certificate-based authentication only
• WinRM bypasses all authentication

5.What is the primary detection challenge with WinRM-based lateral movement?

• WinRM traffic is encrypted and cannot be inspected
• The connection uses standard Windows authentication on standard ports, making it functionally identical to legitimate remote administration — detection depends on source-destination pattern analysis and PowerShell logging
• WinRM does not generate any Windows events
• Antivirus cannot detect WinRM connections

6.How would you explain WinRM lateral movement risk to a stakeholder?

• Hackers exploit a vulnerability in WinRM to gain unauthorized access
• An attacker with stolen credentials can use the built-in remote management service to connect to computers across the network, and the connection looks identical to normal administrative activity
• WinRM should be disabled on all systems to prevent lateral movement
• WinRM is an outdated protocol that should be replaced with a more secure alternative