Windows Remote Management (T1028)

Technique & Subtechniques

  • Windows Remote Management

Associated Tactics

  • Execution
  • Lateral Movement

Execution (TA0002)

The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Procedure Examples

Description Source(s)
capec
Microsoft. (n.d.). Windows Remote Management. Retrieved November 12, 2014. Microsoft WinRM
Jacobsen, K. (2014, May 16). Lateral Movement with PowerShell [slides]. Retrieved November 12, 2014. Jacobsen 2014
French, D. (2018, September 30). Detecting Lateral Movement Using Sysmon and Splunk. Retrieved October 11, 2019. Medium Detecting Lateral Movement