Windows Remote Management (T1021.006)

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.(Citation: MSDN WMI)

Related Prelude attack chains
Release Date (Newest)
Search for chains, TTPs, themes, and text

Browse By:


  • All
  • Windows
  • Linux
  • Global
  • Darwin
  • Android