This note documents detection patterns for remote command execution over WinRM (WinRM Exec) within Active Directory environments.

Direct Indicators

| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4624 | Successful logon | High | Network logon (Logon Type 3) via WinRM authentication; the Source Network Address / Workstation Name fields identify the source host. |
| Security | 4672 | Special privileges assigned | High | Administrative privileges used during the remote session; shares the Logon ID of the matching 4624. |
| Security | 4688 | Process created | Critical | Command execution spawned through the WinRM session; Creator Process Name (parent) is wsmprovhost.exe. |
| Microsoft-Windows-WinRM/Operational | 91 | WinRM session created | Critical | "Creating WSMan shell on server" with the requested ResourceUri; indicates a remote WinRM session was established on the target. |
| Sysmon | 1 | Process creation | High | powershell.exe or cmd.exe spawned via WinRM, with ParentImage ending in wsmprovhost.exe. |

Indirect Indicators

| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| PowerShell remote session | On the source host, powershell.exe running Enter-PSSession or Invoke-Command with remote session parameters (e.g. -ComputerName); on the target, wsmprovhost.exe hosting the session | High | Typical WinRM usage. |
| Network communication on 5985/5986 | HTTP (5985) / HTTPS (5986) WinRM traffic between the source and target hosts | Medium | Supports remote command execution; pairs with the 4624 source address. |
| Parent process chain | wsmprovhost.exe spawning a shell (cmd.exe, powershell.exe) or other child process | Critical | Common WinRM execution artifact and the strongest single host signal. |

Common Tools

| Tool | Usage |
|---|---|
| Evil-WinRM | Popular offensive WinRM shell. |
| PowerShell Enter-PSSession | Native interactive remote PowerShell session over WinRM. |
| PowerShell Invoke-Command | Executes commands or script blocks on remote hosts over WinRM. |
| CrackMapExec | Automates WinRM lateral movement. |

Relevant Artifacts

- Security logs (4624, 4672, 4688)
- WinRM operational logs (Microsoft-Windows-WinRM/Operational)
- Sysmon process logs (Event ID 1)
- Network logs for ports 5985 / 5986
- EDR telemetry
- PowerShell transcript logs

MITRE ATT&CK References

- T1021 Remote Services
- T1021.006 Windows Remote Management

Decision Tree

- Detect WinRM session creation (WinRM/Operational 91 on the target, paired with a 4624 Logon Type 3).
- Identify the source host (Source Network Address / Workstation Name in the 4624, or the 5985/5986 network flow).
- Inspect the authenticating account (4624 account, and whether a 4672 shows it held special privileges).
- Review the executed command (4688 / Sysmon 1 children of wsmprovhost.exe and their command lines).
- Determine lateral movement scope (how many targets the same source and account reached over WinRM).
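The decision tree above and the direct-indicator table can be walked in code: find processes whose parent is wsmprovhost.exe, enrich each with the source address and privilege level from the Security events that share its Logon ID, check for the matching WinRM/Operational 91, and finally group by source and account to see how many targets were reached. The following Python is an added example, not part of the original note; the event records are constructed samples, and the flattened field names (`host`, `logon_id`, `parent`, `cmdline`, ...) are assumptions that a real pipeline would map from its own SIEM or event-log schema.

```python
from collections import defaultdict

WSMPROVHOST = "wsmprovhost.exe"

# Constructed sample events (not real telemetry). Field names are assumptions
# for this example; map your own schema (EventData, ECS, DeviceProcessEvents)
# onto them.
EVENTS = [
    # CORP\admin1 from 10.0.0.15 opens a WinRM shell on SRV01 and runs commands
    {"host": "SRV01", "log": "WinRM/Operational", "id": 91, "user": "CORP\\admin1"},
    {"host": "SRV01", "log": "Security", "id": 4624, "user": "CORP\\admin1",
     "logon_type": 3, "src_ip": "10.0.0.15", "logon_id": "0x3e7a1"},
    {"host": "SRV01", "log": "Security", "id": 4672, "user": "CORP\\admin1",
     "logon_id": "0x3e7a1"},
    {"host": "SRV01", "log": "Security", "id": 4688, "user": "CORP\\admin1",
     "logon_id": "0x3e7a1", "parent": "C:\\Windows\\System32\\wsmprovhost.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "SRV01", "log": "Security", "id": 4688, "user": "CORP\\admin1",
     "logon_id": "0x3e7a1", "parent": "C:\\Windows\\System32\\wsmprovhost.exe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user"},
    # the same source and account then reach SRV02 (no 4672 this time)
    {"host": "SRV02", "log": "WinRM/Operational", "id": 91, "user": "CORP\\admin1"},
    {"host": "SRV02", "log": "Security", "id": 4624, "user": "CORP\\admin1",
     "logon_type": 3, "src_ip": "10.0.0.15", "logon_id": "0x41b02"},
    {"host": "SRV02", "log": "Security", "id": 4688, "user": "CORP\\admin1",
     "logon_id": "0x41b02", "parent": "C:\\Windows\\System32\\wsmprovhost.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -c hostname"},
    # benign interactive activity on SRV01: cmd.exe from explorer.exe, Logon Type 2
    {"host": "SRV01", "log": "Security", "id": 4624, "user": "CORP\\jdoe",
     "logon_type": 2, "src_ip": "-", "logon_id": "0x5c910"},
    {"host": "SRV01", "log": "Security", "id": 4688, "user": "CORP\\jdoe",
     "logon_id": "0x5c910", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
]


def winrm_shell_children(events):
    """Step 1 / step 4: process-creation events (4688 or Sysmon 1) whose parent
    is wsmprovhost.exe, i.e. commands executed inside a WinRM session."""
    return [e for e in events
            if e["id"] in (4688, 1)
            and e.get("parent", "").lower().endswith(WSMPROVHOST)]


def enrich(event, events):
    """Steps 2 and 3: attach source host and privilege level via the Logon ID
    shared by the 4624 / 4672 / 4688 events of one session, and confirm the
    target logged a WinRM/Operational 91 for the same account."""
    same_logon = [e for e in events
                  if e["host"] == event["host"]
                  and e.get("logon_id") == event.get("logon_id")]
    logon = next((e for e in same_logon
                  if e["id"] == 4624 and e.get("logon_type") == 3), None)
    session_logged = any(e["id"] == 91 and e["host"] == event["host"]
                         and e["user"] == event["user"] for e in events)
    return {
        "target": event["host"],
        "user": event["user"],
        "src_ip": logon["src_ip"] if logon else None,
        "privileged": any(e["id"] == 4672 for e in same_logon),
        "winrm_session_logged": session_logged,
        "command": event["cmdline"],
    }


def investigate(events):
    """Run the per-host part of the decision tree over a batch of events."""
    return [enrich(e, events) for e in winrm_shell_children(events)]


def lateral_scope(findings):
    """Step 5: distinct targets reached per (source IP, account) pair."""
    scope = defaultdict(set)
    for f in findings:
        scope[(f["src_ip"], f["user"])].add(f["target"])
    return {key: sorted(targets) for key, targets in scope.items()}


if __name__ == "__main__":
    results = investigate(EVENTS)
    for r in results:
        print(r)
    print(lateral_scope(results))
```

The join key is the Logon ID, which is what ties a 4688 back to the 4624 that carries the source address; event 91 carries no Logon ID, so it is matched on host and account only. The explorer.exe child with Logon Type 2 never enters the findings, which is the point of anchoring on the parent process rather than on the shell name.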

Example Detection Templates

KQL (`=~` is case-insensitive equality, so the rule matches regardless of how the path is cased):

```kql
DeviceProcessEvents
| where InitiatingProcessFileName =~ "wsmprovhost.exe"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
```

EQL:

```eql
process where event.type == "start" and parent.name == "wsmprovhost.exe"
```

Sigma:

```yaml
title: Suspicious WinRM Command Execution
# Any process whose parent is the WinRM provider host was started inside a
# remote WinRM session; tune with expected management hosts and accounts.
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\wsmprovhost.exe'
    condition: selection
level: high
```

Mitigation & Hardening

| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| WinRM restrictions | Limit remote management access, e.g. restrict the 5985/5986 listeners to designated management hosts | High | Reduces attack surface. |
| Monitoring | Alert on wsmprovhost.exe spawning shells or other child processes | High | Strong detection signal with few benign parents. |
| Credential hygiene | Limit admin credential reuse across hosts | Critical | Limits how far a compromised account can move laterally over WinRM. |