T1021.006 Windows Remote Management
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).1 It may be called with the
winrm command or by any number of programs such as PowerShell.2 WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.3
|T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006, T1021.007
|11 February 2020
|23 June 2021
|Brute Ratel C4
|Brute Ratel C4 can use WinRM for pivoting.7
|Chimera has used WinRM for lateral movement.12
|Cobalt Strike can use
WinRM to execute a payload on a remote host.89
TrustedHosts and can move laterally to these targets via WinRM.6
|During the SolarWinds Compromise, APT29 used WinRM via PowerShell to execute commands and payloads on remote hosts.13
|Threat Group-3390 has used WinRM to enable remote execution.11
|Wizard Spider has used Window Remote Management to move laterally through a victim network.10
|Disable or Remove Feature or Program
|Disable the WinRM service.
|If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.5
|Privileged Account Management
|If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.
|Logon Session Creation
|Network Connection Creation