T1021.006 Windows Remote Management Mappings

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-17 Remote Access Protects T1021.006 Windows Remote Management
AC-2 Account Management Protects T1021.006 Windows Remote Management
AC-3 Access Enforcement Protects T1021.006 Windows Remote Management
AC-4 Information Flow Enforcement Protects T1021.006 Windows Remote Management
AC-5 Separation of Duties Protects T1021.006 Windows Remote Management
AC-6 Least Privilege Protects T1021.006 Windows Remote Management
CM-2 Baseline Configuration Protects T1021.006 Windows Remote Management
CM-5 Access Restrictions for Change Protects T1021.006 Windows Remote Management
CM-6 Configuration Settings Protects T1021.006 Windows Remote Management
CM-7 Least Functionality Protects T1021.006 Windows Remote Management
CM-8 System Component Inventory Protects T1021.006 Windows Remote Management
IA-2 Identification and Authentication (organizational Users) Protects T1021.006 Windows Remote Management
RA-5 Vulnerability Monitoring and Scanning Protects T1021.006 Windows Remote Management
SC-46 Cross Domain Policy Enforcement Protects T1021.006 Windows Remote Management
SC-7 Boundary Protection Protects T1021.006 Windows Remote Management
SI-4 System Monitoring Protects T1021.006 Windows Remote Management
network_security_groups Network Security Groups technique_scores T1021.006 Windows Remote Management
Comments
This control can be used to restrict direct access to remote services to trusted networks. This mitigates even an adversary with a valid account from accessing resources. This can be circumvented though if an adversary is able to compromise a trusted host and move laterally to a protected network. This results in an overall partial (coverage) score.
References
    azure_network_traffic_analytics Azure Network Traffic Analytics technique_scores T1021.006 Windows Remote Management
    Comments
    This control can detect anomalous traffic with respect to remote access protocols and groups.
    References