T1021.006: T1021.006

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 11/02/2020 19:29 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1021.006
Confidence: 100/100
Revoked: No
Published: 11/02/2020 19:29
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Windows Remote Management

Platforms

windows

Description

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)

Kill chain phases

Kill chain	Phase
mitre-attack	lateral-movement

Marking (TLP)

External references

Medium Detecting Lateral Movement
Jacobsen 2014
MSDN WMI
Microsoft WinRM
mitre-attack (T1021.006)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (26)

APT37 uses InkySquidGroup123

The MITRE Corporation Confidence 100

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…

First seen 01/01/1970 · Last seen 16/11/5138 ·
The Gentlemen uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-60 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UTA0137 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
OilRig uses COBALT GYPSYIRN2

The MITRE Corporation Confidence 100

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Wizard Spider uses TEMP.MixMasterGrim Spider

The MITRE Corporation Confidence 100

[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hydra Saiga uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-0494 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GrayCharlie uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Storm-0501 uses

The MITRE Corporation Confidence 100

[Storm-0501](https://attack.mitre.org/groups/G1053) is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. [Storm-0501](https://attack.mitre.org/groups/G1053) has been active since 2021 and has previously been…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Chimera related

The MITRE Corporation Confidence 100

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Crypt Ghouls related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

13–24 of 26

QReverse uses

Family
AnyDesk uses

Family
BlackCat uses
ToneShell uses

Family
LuminousMoth uses

Family
Cactus uses

Family
Cobalt Strike Beacon uses

Family
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
svcmgmt.exe uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
POISONPLUG.SHADOW uses

Family
ShadowPad - S0596 uses

Family
BlackCat - S1068 uses

Family

← Previous

Page / 6

1–12 of 72

Potemkin Loader & RMMProject The Anatomy of a … related

AlienVault Confidence 100 19 MITREs 4 Malwares 22 IOCs 22 Observables
Ransomware Analysis: Go Binary and Fast Encryption related

AlienVault Confidence 100 1 CVE 20 MITREs 4 Malwares 3 IOCs 3 Observables 1 APT
Inside the Cross-Platform Propagation of a New Gafgyt … related

AlienVault Confidence 100 5 CVEs 20 MITREs 2 Malwares 18 IOCs 18 Observables
Threat landscape — Belgium related

Confidence 100 18 CVEs 200 MITREs 200 Malwares 20 APTs 26 Tools
The Gentlemen ransomware: Dissecting a self-propagating Go encryptor related

19 MITREs 2 Malwares 2 Observables 1 APT
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Inside Vect Ransomware-as-a-Service related

19 MITREs 2 Malwares 2 Observables 1 APT
Inside Shadow-Earth-053: A China-Aligned Cyberespionage Campaign Against Government … related

5 CVEs 19 MITREs 7 Malwares 44 Observables 1 APT
VECT: Ransomware by design, Wiper by accident related

AlienVault Confidence 100 21 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
fast16 | Mystery ShadowBrokers Reference Reveals High-Precision Software … related

AlienVault Confidence 100 20 MITREs 3 Malwares 15 IOCs 15 Observables
The Gentlemen & SystemBC: A Sneak Peek Behind … related

46 MITREs 6 Malwares 27 Observables 1 APT
Using KATA and KEDR to detect the AdaptixC2 … related

20 MITREs 8 Malwares

← Previous

Page / 3

1–12 of 33

Vulnerabilities (CVE) (25)

CVE-2025-53771 targets

6.5 Medium

Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …

Attack vector: NETWORK
Published: 21/07/2025
Modified: 21/12/2025

Received

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2024-3400 KEV targets

10.0 Critical

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges …

Attack vector: Network
Published: 12/04/2024
Modified: 21/12/2025

CVE-2025-12480 KEV targets

9.1 Critical

Triofox versions prior to 16.7.10368.56560, are vulnerable to an Improper Access Control flaw that allows access to initial setup pages even after …

Attack vector: Network
Published: 12/11/2025
Modified: 21/12/2025

Analyzed

CVE-2021-36260 KEV targets

A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation.

Published: 10/01/2022
Modified: 20/12/2025

CVE-2025-30406 KEV targets

9.0 Critical

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, which enables threat …

Attack vector: Network
Published: 08/04/2025
Modified: 21/12/2025

Received

CVE-2021-26857 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-49704 KEV targets

8.8 High

Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2025-53770 KEV targets

9.8 Critical

Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware …

Attack vector: Network
Published: 20/07/2025
Modified: 21/12/2025

Analyzed

CVE-2025-49706 KEV targets

6.5 Medium

Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2022-35914 KEV targets

9.8 Critical

Teclib GLPI contains a remote code execution vulnerability in the third-party library, htmlawed.

Attack vector: Network
Published: 07/03/2023
Modified: 04/06/2026

← Previous

Page / 3

1–12 of 25

T1021 subtechnique-of

Remote Services MITRE

Campaign (2)

SolarWinds Compromise uses
Operation MidnightEclipse uses

Course Of Action (2)

Privileged Account Management mitigates
Disable or Remove Feature or Program mitigates

Tool (2)

Brute Ratel C4 uses

The MITRE Corporation Confidence 100

[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…
SILENTTRINITY uses

The MITRE Corporation Confidence 100

[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a…

Contact About Legal notice Privacy policy Terms of use