Remote Services: Windows Remote Management

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).[1] It may be called with the winrm command or by any number of programs such as PowerShell.[2] WinRM can be used as a method of remotely interacting with Windows Management Instrumentation.[3]
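The following PowerShell is an added example, not code from the ATT&CK page or from any of the tools it lists. It shows the WinRM primitives the technique relies on (remote execution, file staging, registry and service changes, and WMI over WinRM) as issued from a host that already holds valid credentials. The host name, account, paths, registry key and service name are hypothetical placeholders.

```powershell
# Added example (not from the ATT&CK page): the WinRM primitives this technique
# relies on, run from a host that already holds valid credentials.
# Assumptions: target 'FILESRV01' and account 'CORP\svc-backup' are hypothetical.
$Target = 'FILESRV01'
$Cred   = Get-Credential -UserName 'CORP\svc-backup' -Message 'Credential for WinRM'

# 1. One-shot remote execution. WinRM (TCP 5985 by default, 5986 for HTTPS)
#    carries the request; on the target the WinRM service starts
#    wsmprovhost.exe as the supplied user, and that process hosts the script
#    block. Anything it launches has wsmprovhost.exe as its parent, which is
#    the main detection hook for this technique.
Invoke-Command -ComputerName $Target -Credential $Cred -ScriptBlock { whoami; hostname }

# 2. A persistent session: stage a payload, run it, tear the session down.
#    Copy-Item -ToSession moves the file over the same WinRM channel, so no
#    SMB share is needed.
$s = New-PSSession -ComputerName $Target -Credential $Cred
Copy-Item -Path .\tool.exe -Destination 'C:\Windows\Temp\tool.exe' -ToSession $s
Invoke-Command -Session $s -ScriptBlock { & 'C:\Windows\Temp\tool.exe' }

# 3. Registry and service changes are ordinary cmdlets executed inside the
#    session. Key path and service name are placeholders.
Invoke-Command -Session $s -ScriptBlock {
    New-Item -Path 'HKLM:\SOFTWARE\ExampleVendor' -Force | Out-Null
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\ExampleVendor' -Name 'Setting' -Value 1
    Set-Service -Name 'ExampleSvc' -StartupType Disabled
}
Remove-PSSession $s

# 4. WMI over WinRM: a CIM session on the WS-Man transport (not DCOM), then
#    Win32_Process.Create. Same TCP 5985 traffic, but the child process is
#    started by the WMI provider host (WmiPrvSE.exe) rather than by
#    wsmprovhost.exe, so a detection keyed only on the wsmprovhost parent
#    misses this path.
$opt = New-CimSessionOption -Protocol Wsman
$cim = New-CimSession -ComputerName $Target -Credential $Cred -SessionOption $opt
Invoke-CimMethod -CimSession $cim -ClassName Win32_Process -MethodName Create `
                 -Arguments @{ CommandLine = 'cmd.exe /c whoami > C:\Windows\Temp\who.txt' }
Remove-CimSession $cim

# 5. The same WMI call issued through the winrm.cmd client, for comparison:
#    winrm invoke Create wmicimv2/Win32_Process @{CommandLine="cmd.exe /c whoami"} -r:FILESRV01
```

Step 4 is the reason the technique text mentions WMI: the network signature is identical to step 1, but the host-side parent process differs, so detection content should cover both parents.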

ID: T1021.006
Sub-technique of:  T1021
Platforms: Windows
Version: 1.2
Created: 11 February 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S1063 Brute Ratel C4

Brute Ratel C4 can use WinRM for pivoting.[4]

G0114 Chimera

Chimera has used WinRM for lateral movement.[5]

S0154 Cobalt Strike

Cobalt Strike can use WinRM to execute a payload on a remote host.[6][7]

G1016 FIN13

FIN13 has leveraged WMI to move laterally within a compromised network via application servers and SQL servers.[8]

C0048 Operation MidnightEclipse

During Operation MidnightEclipse, threat actors used WinRM to move laterally in targeted networks.[9]

S0692 SILENTTRINITY

SILENTTRINITY tracks TrustedHosts and can move laterally to these targets via WinRM.[10]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 used WinRM via PowerShell to execute commands and payloads on remote hosts.[11]

G1053 Storm-0501

Storm-0501 has used Evil-WinRM, a post-exploitation tool that drives PowerShell over Windows Remote Management (WinRM), for remote code execution.[12]

G0027 Threat Group-3390

Threat Group-3390 has used WinRM to enable remote execution.[13]

G0102 Wizard Spider

Wizard Spider has used Windows Remote Management to move laterally through a victim network.[14]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

Disable the WinRM service.

M1030 Network Segmentation

If the service is necessary, lock down critical enclaves with separate WinRM infrastructure and follow WinRM best practices on use of host firewalls to restrict WinRM access to allow communication only to/from specific devices.[15]

M1026 Privileged Account Management

If the service is necessary, lock down critical enclaves with separate WinRM accounts and permissions.
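The script below is an added example, not from the ATT&CK page, that applies the three mitigations above to a single Windows host and then reports the host's remaining WinRM exposure. It must run in an elevated session. The jump-host addresses, the AD group name, and the assumption that the host uses the default HTTP listener (Address=*) are all hypothetical.

```powershell
# Added example (not from the ATT&CK page): apply M1042 / M1030 / M1026 on a
# host and verify the result. Run elevated. Jump-host IPs and the group name
# are hypothetical placeholders.

function Disable-WinRMOnHost {
    # M1042: the host does not need WinRM. The winrm client and the WSMan:
    # drive require the service to be running, so remove the listener first,
    # then stop and disable the service and the matching firewall rules.
    # Assumes the default listener (Address=*, Transport=HTTP).
    Disable-PSRemoting -Force
    & winrm.cmd delete 'winrm/config/Listener?Address=*+Transport=HTTP'
    Stop-Service -Name WinRM
    Set-Service -Name WinRM -StartupType Disabled
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | Disable-NetFirewallRule
}

function Limit-WinRMAccess {
    param(
        [string[]]$AllowedSources,                 # management jump hosts, e.g. '10.0.10.5','10.0.10.6'
        [string]$AdminGroup = 'CORP\WinRM-Admins'  # hypothetical dedicated admin group
    )
    # M1030: replace the built-in "any remote address" allow rules with one
    # scoped to the jump hosts; everything else falls to the default inbound block.
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'WinRM (HTTP/HTTPS) from management hosts only' `
        -Direction Inbound -Protocol TCP -LocalPort 5985,5986 `
        -RemoteAddress $AllowedSources -Action Allow -Profile Domain | Out-Null
    # M1026: grant the endpoint to a dedicated, separately managed group instead
    # of relying on local Administrators. Members of 'Remote Management Users'
    # can connect over WinRM without being local admins.
    Add-LocalGroupMember -Group 'Remote Management Users' -Member $AdminGroup -ErrorAction SilentlyContinue
}

function Get-WinRMExposure {
    # What an adversary holding valid accounts would find on this host.
    $svc = Get-Service -Name WinRM
    $listeners = if ($svc.Status -eq 'Running') { @(Get-ChildItem -Path WSMan:\localhost\Listener) } else { @() }
    # Inbound allow rules for the WinRM ports that are open to any remote address.
    $openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Where-Object {
        $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
        $addrs = @(($_ | Get-NetFirewallAddressFilter).RemoteAddress)
        (@($ports -match '^(5985|5986)$').Count -gt 0) -and ($addrs -contains 'Any')
    }
    [pscustomobject]@{
        ServiceStatus   = $svc.Status
        ServiceStartup  = $svc.StartType
        ListenerCount   = $listeners.Count
        RulesOpenToAny  = @($openRules | ForEach-Object DisplayName)
        RemoteMgmtUsers = @(Get-LocalGroupMember -Group 'Remote Management Users' | ForEach-Object Name)
    }
}

# Usage: pick one posture for the host, then verify.
# Disable-WinRMOnHost
# Limit-WinRMAccess -AllowedSources '10.0.10.5','10.0.10.6' -AdminGroup 'CORP\WinRM-Admins'
Get-WinRMExposure
```

Get-WinRMExposure is the check worth keeping in a compliance baseline: a running service with a listener and an allow rule whose remote address is Any means every holder of valid credentials on the network can reach the host over WinRM, which is the precondition this technique needs.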

Detection Strategy

ID Name Analytic ID Analytic Description
DET0477 Behavioral Detection of WinRM-Based Remote Access, analytic AN1313

Detects adversaries using WinRM to remotely execute commands, launch child processes, or access WMI. The detection chain correlates WinRM service use, network activity on the WinRM ports (TCP 5985 for HTTP, 5986 for HTTPS by default), a remote (network) session logon, and process creation on the target host within a short temporal window.
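The following PowerShell is an added example, not the DET0477 analytic itself and not from the ATT&CK page. It correlates the signals the analytic names (inbound WinRM network activity, a network logon, and a process created under the WinRM provider host) over a constructed set of events so that it runs offline. In production the records would come from Get-WinEvent: Security 4624 (LogonType 3, TargetLogonId), Security 4688 or Sysmon event 1 (parent wsmprovhost.exe, SubjectLogonId or LogonId), and Sysmon event 3 or Security 5156 (inbound TCP 5985/5986). The host, user, addresses and the 60-second window are assumptions.

```powershell
# Added example (not the DET0477 analytic, not from the ATT&CK page): correlate
# network activity, network logon and process creation into one WinRM chain.
# All telemetry below is constructed; field names mirror the Windows events
# named in the lead-in but the records are made up.

$Window = [TimeSpan]::FromSeconds(60)   # assumption: the chain must complete within 60 s

# Constructed telemetry for host SRV01. LogonId is the thread that ties the
# network logon to the process started by the WinRM provider host, the same
# role SubjectLogonId plays in a real 4688.
$Events = @(
    [pscustomobject]@{ Time=[datetime]'2025-10-24T10:00:01Z'; Host='SRV01'; Kind='Network'; SrcIp='10.0.5.23'; DstPort=5985 }
    [pscustomobject]@{ Time=[datetime]'2025-10-24T10:00:02Z'; Host='SRV01'; Kind='Logon';   LogonType=3; User='CORP\svc-backup'; SrcIp='10.0.5.23'; LogonId='0x3E7A1' }
    [pscustomobject]@{ Time=[datetime]'2025-10-24T10:00:04Z'; Host='SRV01'; Kind='Process'; ParentImage='C:\Windows\System32\wsmprovhost.exe'; Image='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe /c whoami'; LogonId='0x3E7A1' }
    # Noise 1: a file-share logon (also type 3) that never spawns anything under wsmprovhost.exe
    [pscustomobject]@{ Time=[datetime]'2025-10-24T10:00:05Z'; Host='SRV01'; Kind='Logon';   LogonType=3; User='CORP\alice'; SrcIp='10.0.7.4'; LogonId='0x3F000' }
    # Noise 2: an interactive cmd.exe started under explorer.exe
    [pscustomobject]@{ Time=[datetime]'2025-10-24T10:00:06Z'; Host='SRV01'; Kind='Process'; ParentImage='C:\Windows\explorer.exe'; Image='C:\Windows\System32\cmd.exe'; CommandLine='cmd.exe'; LogonId='0x3F000' }
)

function Find-WinRMExecutionChain {
    param([object[]]$Events, [TimeSpan]$Window)

    # Anchor on process creation: a child of the WinRM provider host is code
    # that arrived over WinRM.
    $procs = $Events | Where-Object { $_.Kind -eq 'Process' -and $_.ParentImage -like '*\wsmprovhost.exe' }

    foreach ($p in $procs) {
        # Remote session logon: a type-3 logon on the same host and logon
        # session, at or before the process, inside the window.
        $logon = $Events | Where-Object {
            $_.Kind -eq 'Logon' -and $_.LogonType -eq 3 -and $_.LogonId -eq $p.LogonId -and
            $_.Host -eq $p.Host -and $_.Time -le $p.Time -and ($p.Time - $_.Time) -le $Window
        } | Select-Object -First 1
        if (-not $logon) { continue }

        # Network activity: an inbound connection to a WinRM port from the
        # logon's source address inside the window. Absence is reported rather
        # than fatal, because not every sensor captures network events.
        $net = $Events | Where-Object {
            $_.Kind -eq 'Network' -and (@(5985, 5986) -contains $_.DstPort) -and $_.SrcIp -eq $logon.SrcIp -and
            $_.Host -eq $p.Host -and $_.Time -le $p.Time -and ($p.Time - $_.Time) -le $Window
        } | Select-Object -First 1

        [pscustomobject]@{
            Host        = $p.Host
            SourceIp    = $logon.SrcIp
            User        = $logon.User
            LogonId     = $p.LogonId
            NetworkSeen = [bool]$net
            ChildImage  = $p.Image
            CommandLine = $p.CommandLine
            ElapsedSec  = [int]($p.Time - $logon.Time).TotalSeconds
        }
    }
}

Find-WinRMExecutionChain -Events $Events -Window $Window | Format-Table -AutoSize
```

Keying the chain on the logon session id rather than on user name is what drops the two noise records: a type-3 logon by itself is ordinary file-share traffic, and cmd.exe by itself is ordinary, but a process whose parent is wsmprovhost.exe and whose logon session was opened over the network moments earlier is the WinRM pattern. WMI-over-WinRM calls (Win32_Process.Create) produce a child of WmiPrvSE.exe instead, so a complete ruleset needs a second branch on that parent.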

References