Remote Services: Windows Remote Management (T1021.006)
Tactic: Lateral Movement · Platforms: Windows
The interactive view maps 1 detection strategy, 3 mitigations, 5 threat groups, 3 software entries, 2 campaigns to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Remote Services (T1021).
Overview
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). It may be called with the `winrm` command or by any number of programs such as PowerShell. WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.