Keypoints
- Attackers use valid accounts to access remote hosts via WinRM; check for unusual account usage and privilege changes.
- WinRM can run executables and scripts remotely; monitor Process Creation and command arguments for suspicious commands.
- WinRM often uses ports 5985 (HTTP) and 5986 (HTTPS); inspect Network Connection Creation and flow for unexpected remote connections.
- Correlate Service Metadata and Service execution logs; unexpected WinRM service starts or enabling are high-priority alerts.
- Combine Logon Session Creation, command execution, and process ancestry to reduce false positives and confirm lateral movement.
Description:
- Think of WinRM as a remote control for Windows machines: if an attacker gets hold of the remote, they can operate many devices silently from elsewhere.
- WinRM is a Windows service and protocol that lets authenticated users run commands, modify the Registry, and manage services on remote systems. Adversaries use valid credentials to move laterally and execute actions as the logged-on user, which blends in with legitimate administration, makes detection harder, and can support privilege escalation and persistence.
Detection:
- Enable and collect Windows Event Logs for WinRM service start/stop and track Service Metadata changes; alert on unexpected service enablement. Action: forward Microsoft-Windows-WinRM/Operational and System service events to SIEM.
- Log and inspect Process Creation events for winrm, winrs, and PowerShell instances spawned with remote execution flags; alert on atypical parent-child relationships. Action: capture process command-line and parent PID in EDR.
- Monitor Logon Session Creation for remote logons associated with accounts used via WinRM; flag simultaneous or geographically disparate sessions. Action: correlate logon events with network source IPs in authentication logs.
- Inspect network connections on ports 5985 and 5986 and TLS-wrapped traffic to identify unexpected WinRM endpoints; use network sensors or NDR to detect anomalies. Action: create allowlists for known WinRM hosts and alert on deviations.
- Track Network Traffic Flow to identify east-west traffic patterns consistent with lateral movement; prioritize flows originating from hosts that do not normally perform management tasks. Action: use flow data to identify new remote management connections.
- Use EDR to monitor scripts and commands executed via WinRM, and apply detections for common attacker tooling and encoded payloads. Action: quarantine or isolate hosts exhibiting suspicious remote command execution.
- Expect false positives from legitimate automation (patching, configuration management); reduce noise by baselining normal WinRM usage and requiring multi-signal correlation before high-severity alerts. Action: maintain an inventory of management tools and scheduled tasks and exclude validated automation workflows.
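One way to implement the multi-signal correlation described in the Detection bullets, as an added example that is not part of the original page: it runs over constructed sample telemetry (network connection, logon session, and process creation records), ignores WinRM-port connections from allowlisted management hosts, and only escalates a target host when several independent WinRM signals coincide. The host names, allowlist, and event field layout are assumptions; that wsmprovhost.exe hosts remote PowerShell sessions and appears as the parent of remotely executed processes is standard Windows behaviour.

```python
"""Multi-signal WinRM lateral-movement triage over constructed sample events."""
from collections import defaultdict

WINRM_PORTS = {5985, 5986}  # HTTP and HTTPS listeners named in the text
MGMT_ALLOWLIST = {"patch-srv01"}  # hypothetical hosts that legitimately manage others
# Images that indicate WinRM-driven execution on the target host
WINRM_IMAGES = {"wsmprovhost.exe", "winrs.exe"}
# Command-line fragments that indicate remote execution from the source host
REMOTE_FLAGS = ("invoke-command", "enter-pssession", "-computername", "winrs -r:")

# Constructed sample telemetry (not real logs): one event per dict.
SAMPLE_EVENTS = [
    {"type": "network", "src": "patch-srv01", "dst": "fs01", "port": 5985, "user": "svc_patch"},
    {"type": "network", "src": "wks-042", "dst": "fs01", "port": 5986, "user": "jdoe"},
    {"type": "logon", "host": "fs01", "user": "jdoe", "logon_type": 3, "src": "wks-042"},
    {"type": "process", "host": "fs01", "user": "jdoe", "image": "cmd.exe",
     "parent": "wsmprovhost.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "host": "wks-042", "user": "jdoe", "image": "powershell.exe",
     "parent": "explorer.exe",
     "cmdline": "powershell.exe Invoke-Command -ComputerName fs01 -ScriptBlock {whoami}"},
]


def winrm_signals(events, allowlist=MGMT_ALLOWLIST):
    """Group WinRM-related signals per host; returns {host: set of signal names}."""
    signals = defaultdict(set)
    for ev in events:
        if ev["type"] == "network" and ev["port"] in WINRM_PORTS:
            if ev["src"] not in allowlist:  # baseline: known management hosts are excluded
                signals[ev["dst"]].add("winrm_conn_from_unlisted_host")
        elif ev["type"] == "logon" and ev["logon_type"] == 3:
            # Network logon on its own is routine; it only matters alongside other signals
            signals[ev["host"]].add("network_logon")
        elif ev["type"] == "process":
            if ev["parent"].lower() in WINRM_IMAGES:
                signals[ev["host"]].add("child_of_winrm_host_process")
            if any(flag in ev["cmdline"].lower() for flag in REMOTE_FLAGS):
                signals[ev["host"]].add("remote_exec_cmdline")  # source side of the move
    return dict(signals)


def severity(sigs):
    """Escalate only on correlation: a lone network logon never reaches 'high'."""
    strong = sigs - {"network_logon"}
    if len(strong) >= 2 or (strong and "network_logon" in sigs):
        return "high"
    return "low" if strong else "none"


def triage(events, allowlist=MGMT_ALLOWLIST):
    """Return {host: severity} for every host with at least one WinRM-related signal."""
    return {host: severity(sigs) for host, sigs in winrm_signals(events, allowlist).items()}
```

Running `triage(SAMPLE_EVENTS)` marks fs01 "high" (unlisted-source WinRM connection, network logon, and a wsmprovhost.exe child all coincide) while the allowlisted patch server contributes nothing.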
Tactics:
Lateral Movement
Platforms:
Windows
Data Sources:
- Command: Command Execution
- Logon Session: Logon Session Creation
- Network Traffic: Network Connection Creation
- Network Traffic: Network Traffic Flow
- Process: Process Creation
- Service: Service Metadata