Description
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)
Mitigations (3)
Disable or Remove Feature or Program (M1042)
Disable the WinRM service.
Privileged Account Management (M1026)
If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.
Network Segmentation (M1030)
If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.(Citation: NSA Spotting)
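As an added example (not part of the ATT&CK entry or any project's code), the following PowerShell applies the two mitigation branches above on a Windows host: remove WinRM where it is not needed (M1042), or, where it is, limit inbound WinRM to a management enclave and drop the plaintext listener (M1030). The `$WinRmNeeded` switch and the `$ManagementHosts` addresses are placeholders; run it elevated.

```powershell
# Added example: harden WinRM per M1042 / M1030. Values below are placeholders.
$ManagementHosts = @('10.0.10.5', '10.0.10.6')   # placeholder: jump hosts allowed to use WinRM
$WinRmNeeded     = $true                         # placeholder: set $false where WinRM is not required

if (-not $WinRmNeeded) {
    # M1042: remove the feature. Disable-PSRemoting alone leaves the service running,
    # so stop and disable it and turn off the built-in inbound firewall rules as well.
    Disable-PSRemoting -Force
    Stop-Service -Name WinRM
    Set-Service  -Name WinRM -StartupType Disabled
    Set-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Enabled False
}
else {
    # M1030: keep WinRM reachable only from the management enclave on domain/private profiles.
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $ManagementHosts -Profile Domain, Private

    # Remove the HTTP (5985) listener so only an HTTPS (5986) listener remains;
    # an HTTPS listener with a valid certificate must already be configured.
    Get-ChildItem WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTP' } |
        Remove-Item -Recurse

    # Refuse unencrypted traffic and Basic authentication on the service side.
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $false
}

# Show the resulting listener and firewall state for review.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object DisplayName, Enabled, Profile
```

After the change, confirm from a host outside `$ManagementHosts` that `Test-WSMan` against the target fails, and from an allowed host that it succeeds over HTTPS only.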
Threat Groups (5)
| ID | Group | Context |
|---|---|---|
| G1016 | FIN13 | [FIN13](https://attack.mitre.org/groups/G1016) has leveraged `WMI` to move laterally within a compromised network via application servers and SQL serv... |
| G0114 | Chimera | [Chimera](https://attack.mitre.org/groups/G0114) has used WinRM for lateral movement.(Citation: NCC Group Chimera January 2021) |
| G1053 | Storm-0501 | [Storm-0501](https://attack.mitre.org/groups/G1053) has utilized the post-exploitation tool known as Evil-WinRM that uses PowerShell over Windows Remo... |
| G0027 | Threat Group-3390 | [Threat Group-3390](https://attack.mitre.org/groups/G0027) has used WinRM to enable remote execution.(Citation: SecureWorks BRONZE UNION June 2017) |
| G0102 | Wizard Spider | [Wizard Spider](https://attack.mitre.org/groups/G0102) has used Windows Remote Management to move laterally through a victim network.(Citation: DHS/CIS... |
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S1063 | Brute Ratel C4 | Tool | [Brute Ratel C4](https://attack.mitre.org/software/S1063) can use WinRM for pivoting.(Citation: Palo Alto Brute Ratel July 2022) |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can use <code>WinRM</code> to execute a payload on a remote host.(Citation: cobaltstrike manu... |
| S0692 | SILENTTRINITY | Tool | [SILENTTRINITY](https://attack.mitre.org/software/S0692) tracks `TrustedHosts` and can move laterally to these targets via WinRM.(Citation: GitHub SIL... |
References
- French, D. (2018, September 30). Detecting Lateral Movement Using Sysmon and Splunk. Retrieved October 11, 2019.
- Jacobsen, K. (2014, May 16). Lateral Movement with PowerShell [slides]. Retrieved November 12, 2014.
- Microsoft. (n.d.). Windows Management Instrumentation. Retrieved April 27, 2016.
- Microsoft. (n.d.). Windows Remote Management. Retrieved September 12, 2024.
Frequently Asked Questions
What is T1021.006 (Windows Remote Management)?
T1021.006 is a MITRE ATT&CK technique named 'Windows Remote Management'. It belongs to the Lateral Movement tactic(s). Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the l...
How can T1021.006 be detected?
Detection of T1021.006 (Windows Remote Management) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1021.006?
There are 3 documented mitigations for T1021.006. Key mitigations include: Disable or Remove Feature or Program, Privileged Account Management, Network Segmentation.
Which threat groups use T1021.006?
Known threat groups using T1021.006 include: FIN13, Chimera, Storm-0501, Threat Group-3390, Wizard Spider.