T1021.006

Windows Remote Management

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as Po...

Windows
22 Detections
3 Sources
5 Threat Actors

BY SOURCE

sigma: 10, splunk_escu: 9, elastic: 3

PROCEDURES (13)

Lateral (4 detections)

Auto-extracted: 4 detections for lateral

Script Block (3 detections)

Auto-extracted: 3 detections for script block

Service (2 detections)

Auto-extracted: 2 detections for service

Powershell (2 detections)

Auto-extracted: 2 detections for powershell

Child Process (2 detections)

Auto-extracted: 2 detections for child process

Script Execution Monitoring (2 detections)

Auto-extracted: 2 detections for script execution monitoring

Lateral (1 detection)

Auto-extracted: 1 detection for lateral

Privilege (1 detection)

Auto-extracted: 1 detection for privilege

Process Creation Monitoring (1 detection)

Auto-extracted: 1 detection for process creation monitoring

Service (1 detection)

Auto-extracted: 1 detection for service

Credential (1 detection)

Auto-extracted: 1 detection for credential

Credential (1 detection)

Auto-extracted: 1 detection for credential

Lateral (1 detection)

Auto-extracted: 1 detection for lateral

DETECTIONS (22)