T1021.006 Windows Remote Management Mappings

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-17 Remote Access Protects T1021.006 Windows Remote Management
AC-02 Account Management Protects T1021.006 Windows Remote Management
AC-03 Access Enforcement Protects T1021.006 Windows Remote Management
AC-04 Information Flow Enforcement Protects T1021.006 Windows Remote Management
AC-05 Separation of Duties Protects T1021.006 Windows Remote Management
AC-06 Least Privilege Protects T1021.006 Windows Remote Management
CM-02 Baseline Configuration Protects T1021.006 Windows Remote Management
CM-05 Access Restrictions for Change Protects T1021.006 Windows Remote Management
CM-06 Configuration Settings Protects T1021.006 Windows Remote Management
CM-07 Least Functionality Protects T1021.006 Windows Remote Management
CM-08 System Component Inventory Protects T1021.006 Windows Remote Management
IA-02 Identification and Authentication (organizational Users) Protects T1021.006 Windows Remote Management
RA-05 Vulnerability Monitoring and Scanning Protects T1021.006 Windows Remote Management
SC-46 Cross Domain Policy Enforcement Protects T1021.006 Windows Remote Management
SC-07 Boundary Protection Protects T1021.006 Windows Remote Management
SI-04 System Monitoring Protects T1021.006 Windows Remote Management