Adversaries use WinRM to remotely execute commands, launch child processes, or access WMI. The detection chain correlates WinRM service use, inbound network activity, a remote session logon, and process creation that all occur within a short time window.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Service Metadata (DC0041) | WinEventLog:WinRM | EventCode=6 |
| Network Traffic Flow (DC0078) | NSM:Connections | Inbound on ports 5985/5986 |

| Field | Description |
|---|---|
| TimeWindow | Defines max time between remote shell creation and child process execution (e.g., 60 seconds) |
| UserContext | Scope to unexpected remote user logons (non-admins, service accounts) |
| CommandLineAnomalyScore | Score for suspicious command usage via WinRM (e.g., encoded PowerShell) |
| KnownAdminHosts | List of trusted systems allowed to use WinRM legitimately |
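The correlation the two tables describe, as an added example that is not part of the original page: it assumes wsmprovhost.exe as the process that hosts WinRM sessions on the target, logon type 3 for the 4624 event, and constructed event records whose field names are assumptions, not a real SIEM schema. The `TimeWindow`, `CommandLineAnomalyScore` and `KnownAdminHosts` tunables map to the function parameters.

```python
from datetime import datetime, timedelta
# Constructed sample telemetry (not real logs): two WinRM sessions on SRV1, one
# from an untrusted workstation spawning encoded PowerShell, one from a trusted
# admin host. Field names are assumptions modelled on Sysmon/Security/NSM data.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "channel": "NSM:Connections", "host": "SRV1", "src": "10.0.0.77", "dst_port": 5985},
    {"ts": "2024-05-01T10:00:01", "channel": "WinEventLog:WinRM", "EventCode": 6, "host": "SRV1"},
    {"ts": "2024-05-01T10:00:02", "channel": "WinEventLog:Security", "EventCode": 4624, "LogonType": 3, "host": "SRV1", "src": "10.0.0.77", "user": "svc_backup"},
    {"ts": "2024-05-01T10:00:20", "channel": "WinEventLog:Sysmon", "EventCode": 1, "host": "SRV1", "ParentImage": r"C:\Windows\System32\wsmprovhost.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "user": "svc_backup"},
    {"ts": "2024-05-01T11:00:00", "channel": "NSM:Connections", "host": "SRV1", "src": "10.0.0.5", "dst_port": 5986},
    {"ts": "2024-05-01T11:00:01", "channel": "WinEventLog:WinRM", "EventCode": 6, "host": "SRV1"},
    {"ts": "2024-05-01T11:00:02", "channel": "WinEventLog:Security", "EventCode": 4624, "LogonType": 3, "host": "SRV1", "src": "10.0.0.5", "user": "admin"},
    {"ts": "2024-05-01T11:00:05", "channel": "WinEventLog:Sysmon", "EventCode": 1, "host": "SRV1", "ParentImage": r"C:\Windows\System32\wsmprovhost.exe", "CommandLine": "ipconfig /all", "user": "admin"},
]

def cmdline_anomaly_score(cmd):
    """Toy CommandLineAnomalyScore: weight common PowerShell evasion switches."""
    c = cmd.lower()
    return (3 * ("-enc" in c or "-encodedcommand" in c)
            + 1 * ("-w hidden" in c or "-windowstyle hidden" in c)
            + 1 * ("-nop" in c or "-noprofile" in c))

def correlate(events, time_window=60, known_admin_hosts=frozenset()):
    """Alert on a child of wsmprovhost.exe (assumed WinRM host process) preceded on the
    same host, within time_window seconds, by WinRM event 6, a 4624 type-3 logon and, if seen, an inbound 5985/5986 flow."""
    evs = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for proc in evs:
        if proc["channel"] != "WinEventLog:Sysmon" or proc["EventCode"] != 1 or not proc["ParentImage"].lower().endswith("wsmprovhost.exe"):
            continue  # only process creations under the WinRM host process
        t_end = datetime.fromisoformat(proc["ts"])
        t_start = t_end - timedelta(seconds=time_window)
        winrm = logon = flow = None
        for e in evs:
            if e["host"] != proc["host"] or not (t_start <= datetime.fromisoformat(e["ts"]) <= t_end):
                continue
            if e["channel"] == "WinEventLog:WinRM" and e.get("EventCode") == 6:
                winrm = e
            elif e["channel"] == "WinEventLog:Security" and e.get("EventCode") == 4624 and e.get("LogonType") == 3:
                logon = e
            elif e["channel"] == "NSM:Connections" and e.get("dst_port") in (5985, 5986):
                flow = e
        if not (winrm and logon):
            continue  # chain incomplete: service event and remote logon are both required
        src = (flow or logon)["src"]
        if src in known_admin_hosts:
            continue  # KnownAdminHosts suppression; UserContext can be applied the same way
        alerts.append({"host": proc["host"], "user": logon["user"], "src": src,
                       "cmd": proc["CommandLine"], "score": cmdline_anomaly_score(proc["CommandLine"])})
    return alerts
```

Running `correlate(EVENTS, known_admin_hosts={"10.0.0.5"})` suppresses the trusted admin session and returns only the encoded PowerShell chain from 10.0.0.77; shrinking `time_window` below the gap between logon and child process drops that alert, which is the tuning trade-off the `TimeWindow` field describes.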