title: Windows Remote Management (T1021.006)
id: df00tech-t1021-006
status: experimental
description: "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). WinRM is a Windows service and protocol that allows remote execution of commands, registry modification, and service management. It can be invoked via the winrm command, PowerShell's Invoke-Command/Enter-PSSession, or tools such as Evil-WinRM (used by Storm-0501). Other users of the technique include Cobalt Strike (WinRM for Beacon delivery), Brute Ratel C4, Chimera, and FIN13. WinRM operates over HTTP (port 5985) and HTTPS (port 5986) and requires valid credentials plus network access to the target. Because WinRM is disabled by default on client systems, adversaries may first enable it via registry modification or Group Policy."
references:
  - https://attack.mitre.org/techniques/T1021/006/
  - https://df00tech.com/detections/T1021.006
author: df00tech
date: 2026/04/13
tags:
  - attack.t1021.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: as written, this selection matches every process_creation event.
  # The detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT administrators using PowerShell remoting (Enter-PSSession, Invoke-Command) for legitimate remote system management"
  - "SCCM/Intune and other configuration management platforms that use WinRM for remote script execution"
  - "Monitoring agents (SCOM, Datadog, SolarWinds) that collect data via WinRM"
  - "Ansible on Windows using WinRM as its transport layer for configuration management playbooks"
  - "Automated patch management and software deployment processes that leverage PowerShell remoting"
level: high
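The rule above ships with a placeholder selection, so the following is an added example (not df00tech's rule or its KQL/SPL query) of what concrete process_creation logic for the indicators named in the description looks like. It applies three observations to constructed Sysmon Event ID 1 style records: a command run through an inbound WinRM session shows up on the target as a child of wsmprovhost.exe (the WinRM provider host, which is also how an Evil-WinRM session appears), the winrm command-line tool is a batch wrapper that runs winrm.vbs through cscript.exe, and client-side PowerShell remoting is a remoting cmdlet paired with a remote target parameter. The account allowlist (svc_ansible, svc_sccm) and the sample events are constructed for the example.

```python
"""Added example: WinRM (T1021.006) indicators over constructed process_creation events.

Not the page's rule and not its KQL/SPL translation. Field names mimic Sysmon
Event ID 1; all events, hosts, users and the allowlist below are constructed.
"""
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (Sysmon EID 1 shape).
SAMPLE_EVENTS = [
    # 1: command executed through an inbound WinRM session on the target; the parent
    #    is the WinRM provider host. This is how Invoke-Command or Evil-WinRM activity
    #    appears on the remote machine.
    {"id": 1, "Computer": "FS01", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
    # 2: interactive PowerShell remoting launched from an admin workstation (client side).
    {"id": 2, "Computer": "WS-ADMIN7", "User": "CORP\\jdoe", "Image": PS,
     "CommandLine": 'powershell.exe -nop -c "Enter-PSSession -ComputerName FS01"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 3: the winrm tool is winrm.cmd, which runs winrm.vbs via cscript.exe.
    {"id": 3, "Computer": "WS-ADMIN7", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript //nologo "C:\Windows\System32\winrm.vbs" get winrm/config -r:FS01',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # 4: Invoke-Command without a remote target runs locally and must not alert.
    {"id": 4, "Computer": "WS-ADMIN7", "User": "CORP\\jdoe", "Image": PS,
     "CommandLine": 'powershell.exe -c "Invoke-Command -ScriptBlock { Get-Date }"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 5: Ansible playbook task arriving over its WinRM transport under a service account.
    {"id": 5, "Computer": "FS01", "User": "CORP\\svc_ansible", "Image": PS,
     "CommandLine": r"powershell.exe -NoProfile -NonInteractive -File C:\ansible\tmp\task.ps1",
     "ParentImage": r"C:\Windows\System32\wsmprovhost.exe"},
]

WINRM_PROVIDER_HOST = "wsmprovhost.exe"
# Remoting cmdlet followed by a parameter that names a remote target or session.
REMOTING_CMDLET = re.compile(
    r"\b(Enter-PSSession|Invoke-Command|New-PSSession)\b.*?-(ComputerName|Cn|ConnectionUri|Session)\b",
    re.IGNORECASE,
)
# Constructed allowlist: service accounts owned by known WinRM automation (see the
# rule's falsepositives). Pair these with the expected source host in production.
AUTOMATION_ACCOUNTS = frozenset({"CORP\\svc_ansible", "CORP\\svc_sccm"})


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a reason string if the event indicates WinRM use, otherwise None."""
    cmd = event.get("CommandLine", "")
    if image_name(event.get("ParentImage", "")) == WINRM_PROVIDER_HOST:
        return "process spawned under wsmprovhost.exe (inbound WinRM session)"
    if "winrm.vbs" in cmd.lower():
        return "winrm command-line tool invoked (cscript winrm.vbs)"
    if image_name(event.get("Image", "")) == "winrs.exe":
        return "winrs.exe remote shell"
    if REMOTING_CMDLET.search(cmd):
        return "PowerShell remoting cmdlet with a remote target"
    return None


def detect(events, allowlist=AUTOMATION_ACCOUNTS):
    """Return (id, host, user, reason) tuples for events that match and are not allowlisted."""
    alerts = []
    for ev in events:
        reason = classify(ev)
        if reason is None or ev.get("User") in allowlist:
            continue
        alerts.append((ev["id"], ev["Computer"], ev["User"], reason))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT", *alert)
```

Suppressing by account name alone is deliberately coarse: the technique is defined by the use of valid accounts, so a stolen service account would be silenced too. In practice tie the allowlist to the expected source host, which process_creation on the target does not carry; the WinRM operational log records the inbound session, so correlate there before lowering the level.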
