1. Home
  2. ATT&CK Techniques
  3. T1021.006 Windows Remote Management

T1021.006 Windows Remote Management Mappings

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CM-06 Configuration Settings mitigates T1021.006 Windows Remote Management
CM-05 Access Restrictions for Change mitigates T1021.006 Windows Remote Management
AC-17 Remote Access mitigates T1021.006 Windows Remote Management
RA-05 Vulnerability Monitoring and Scanning mitigates T1021.006 Windows Remote Management
CM-08 System Component Inventory mitigates T1021.006 Windows Remote Management
SC-46 Cross Domain Policy Enforcement mitigates T1021.006 Windows Remote Management
CM-02 Baseline Configuration mitigates T1021.006 Windows Remote Management
IA-02 Identification and Authentication (Organizational Users) mitigates T1021.006 Windows Remote Management
CM-07 Least Functionality mitigates T1021.006 Windows Remote Management
SI-04 System Monitoring mitigates T1021.006 Windows Remote Management
AC-02 Account Management mitigates T1021.006 Windows Remote Management
AC-03 Access Enforcement mitigates T1021.006 Windows Remote Management
AC-04 Information Flow Enforcement mitigates T1021.006 Windows Remote Management
AC-05 Separation of Duties mitigates T1021.006 Windows Remote Management
AC-06 Least Privilege mitigates T1021.006 Windows Remote Management
SC-07 Boundary Protection mitigates T1021.006 Windows Remote Management

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.malware.variety.Export data Export data to another site or system related-to T1021.006 Windows Remote Management

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1021.006 Windows Remote Management
Comments
VPC security groups and network access control lists (NACLs) can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
    aws_network_firewall AWS Network Firewall technique_scores T1021.006 Windows Remote Management
    Comments
    AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to only allow remote services from trusted hosts (i.e., only allow remote access traffic from certain hosts). This mapping is given a score of Partial because even though it can restrict remote services traffic from untrusted hosts, it cannot protect against an adversary using a trusted host that is permitted to use remote services as part of an attack.
    References