T1021.006 Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).1 It may be called with the winrm command or by any number of programs such as PowerShell.2 WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.3
| Item | Value |
|---|---|
| ID | T1021.006 |
| Sub-techniques | T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006 |
| Tactics | TA0008 |
| Platforms | Windows |
| Permissions required | Administrator, User |
| Version | 1.1 |
| Created | 11 February 2020 |
| Last Modified | 23 June 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0016 | APT29 | APT29 has used WinRM via PowerShell to execute command and payloads on remote hosts.9 |
| G0114 | Chimera | Chimera has used WinRM for lateral movement.12 |
| S0154 | Cobalt Strike | Cobalt Strike can use WinRM to execute a payload on a remote host.78 |
| S0692 | SILENTTRINITY | SILENTTRINITY tracks TrustedHosts and can move laterally to these targets via WinRM.6 |
| G0027 | Threat Group-3390 | Threat Group-3390 has used WinRM to enable remote execution.11 |
| G0102 | Wizard Spider | Wizard Spider has used Window Remote Management to move laterally through a victim network.10 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1042 | Disable or Remove Feature or Program | Disable the WinRM service. |
| M1030 | Network Segmentation | If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.5 |
| M1026 | Privileged Account Management | If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0028 | Logon Session | Logon Session Creation |
| DS0029 | Network Traffic | Network Connection Creation |
| DS0009 | Process | Process Creation |
| DS0019 | Service | Service Metadata |
References
-
Microsoft. (n.d.). Windows Remote Management. Retrieved November 12, 2014. ↩
-
Jacobsen, K. (2014, May 16). Lateral Movement with PowerShell[slides]. Retrieved November 12, 2014. ↩
-
Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016. ↩
-
French, D. (2018, September 30). Detecting Lateral Movement Using Sysmon and Splunk. Retrieved October 11, 2019. ↩
-
National Security Agency/Central Security Service Information Assurance Directorate. (2015, August 7). Spotting the Adversary with Windows Event Log Monitoring. Retrieved September 6, 2018. ↩
-
Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. ↩
-
Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. ↩
-
Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. ↩
-
Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. ↩
-
DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. ↩
-
Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. ↩
-
Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. ↩