T1021.006 Windows Remote Management Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detect WinRM lateral movement — remote command execution and suspicious WinRM usage
DeviceProcessEvents
| where Timestamp > ago(24h)
// Pattern 1: wsmprovhost.exe spawning suspicious children on destination (remote execution)
| where InitiatingProcessFileName =~ "wsmprovhost.exe"
| where FileName !in~ ("conhost.exe", "WerFault.exe")  // Exclude normal WinRM child processes
| extend Pattern = "WinRM_RemoteExec"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, Pattern
| union (
    // Pattern 2: PowerShell WinRM usage (Invoke-Command, Enter-PSSession, New-PSSession)
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has_any (
        "Invoke-Command", "Enter-PSSession", "New-PSSession",
        "winrm", "PSSession", "-ComputerName", "WSMan"
      )
    | where ProcessCommandLine has_any ("-ComputerName", "-Session", "wsman://")
    | extend Pattern = "WinRM_PSRemoting"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, Pattern
)
| union (
    // Pattern 3: winrm.cmd or winrs.exe execution
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("winrs.exe", "winrm.cmd")
    | extend Pattern = "WinRM_DirectTool"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
             InitiatingProcessFileName, Pattern
)
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Network Traffic: Network Connection Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

IT administrators using PowerShell remoting (Enter-PSSession, Invoke-Command) for legitimate remote system management
SCCM/Intune and other configuration management platforms that use WinRM for remote script execution
Monitoring agents (SCOM, Datadog, SolarWinds) that collect data via WinRM
Ansible on Windows using WinRM as its transport layer for configuration management playbooks
Automated patch management and software deployment processes that leverage PowerShell remoting

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Microsoft-Windows-WinRM/Operational")
(
  (EventCode=1
   ParentImage="*\\wsmprovhost.exe"
   NOT Image IN ("*\\conhost.exe", "*\\WerFault.exe", "*\\csc.exe")
  | eval AlertType="WinRM_RemoteExec_Child"
  | table _time, host, User, Image, CommandLine, ParentImage, AlertType)
OR
  (EventCode=1
   (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
   (CommandLine="*Invoke-Command*" OR CommandLine="*Enter-PSSession*" OR CommandLine="*New-PSSession*" OR CommandLine="*-ComputerName*" OR CommandLine="*wsman://*" OR CommandLine="*winrm*")
  | eval AlertType="WinRM_PSRemoting"
  | table _time, host, User, Image, CommandLine, ParentImage, AlertType)
OR
  (EventCode=1
   (Image="*\\winrs.exe" OR CommandLine="*winrm*")
  | eval AlertType="WinRM_DirectTool"
  | table _time, host, User, Image, CommandLine, AlertType)
OR
  (sourcetype="WinEventLog:Microsoft-Windows-WinRM/Operational"
   (EventCode=91 OR EventCode=168)
  | eval AlertType="WinRM_SessionCreated"
  | table _time, host, EventCode, AlertType)
)
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Logon Session: Logon Session Creation Sysmon Event ID 1 Windows WinRM Operational Event IDs 91, 168

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Microsoft-Windows-WinRM/Operational

False Positives

IT administrators using PowerShell remoting for legitimate remote management
SCCM/Intune using WinRM for remote script execution
Monitoring agents collecting data via WinRM
Ansible using WinRM as its Windows transport layer
Automated patch management using PowerShell remoting

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  /* Pattern 1: wsmprovhost.exe spawning suspicious children — remote exec on destination */
  (
    process.parent.name : "wsmprovhost.exe"
    and not process.name : ("conhost.exe", "WerFault.exe", "csc.exe")
  )
  or
  /* Pattern 2: PowerShell WinRM remoting cmdlets */
  (
    process.name : ("powershell.exe", "pwsh.exe")
    and process.command_line : (
      "*Invoke-Command*", "*Enter-PSSession*", "*New-PSSession*",
      "*-ComputerName*", "*wsman://*", "*WSMan*"
    )
  )
  or
  /* Pattern 3: Direct WinRS / WinRM tool usage */
  process.name : ("winrs.exe", "winrm.cmd")
)

high severity high confidence

Data Sources

Elastic Endpoint Security (elastic-agent) Winlogbeat with Sysmon EventID 1 Auditbeat (process module)

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-windows.sysmon_operational-*

False Positives

Legitimate IT automation using PowerShell Remoting for patch management or configuration management tools (SCCM, Ansible WinRM provider, DSC pull servers) — expect high volume from management hosts
System administrators using Enter-PSSession or Invoke-Command interactively for routine remote diagnostics; baseline by source host and account to distinguish admin PAWs from endpoints
Monitoring and backup agents that spawn child processes under wsmprovhost.exe during scheduled maintenance windows — whitelist known agent binaries by hash or path

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip                                        AS SourceHost,
  username                                        AS Username,
  "Process Name"                                  AS ProcessName,
  "Process CommandLine"                           AS CommandLine,
  "Parent Process Name"                           AS ParentProcessName,
  CASE
    WHEN "Parent Process Name" ILIKE '%wsmprovhost.exe'
         AND "Process Name" NOT ILIKE '%conhost.exe'
         AND "Process Name" NOT ILIKE '%WerFault.exe'
         AND "Process Name" NOT ILIKE '%csc.exe'
      THEN 'WinRM_RemoteExec'
    WHEN ("Process Name" ILIKE '%powershell.exe' OR "Process Name" ILIKE '%pwsh.exe')
         AND ("Process CommandLine" ILIKE '%Invoke-Command%'
              OR "Process CommandLine" ILIKE '%Enter-PSSession%'
              OR "Process CommandLine" ILIKE '%New-PSSession%'
              OR "Process CommandLine" ILIKE '%-ComputerName%'
              OR "Process CommandLine" ILIKE '%wsman://%'
              OR "Process CommandLine" ILIKE '%WSMan%')
      THEN 'WinRM_PSRemoting'
    WHEN "Process Name" ILIKE '%winrs.exe'
      THEN 'WinRM_DirectTool'
  END AS AlertType
FROM events
WHERE
  (LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
   OR LOGSOURCETYPENAME(devicetype) ILIKE '%Windows%Security%Event%Log%')
  AND eventid = 1
  AND (
    (
      "Parent Process Name" ILIKE '%wsmprovhost.exe'
      AND "Process Name" NOT ILIKE '%conhost.exe'
      AND "Process Name" NOT ILIKE '%WerFault.exe'
      AND "Process Name" NOT ILIKE '%csc.exe'
    )
    OR (
      ("Process Name" ILIKE '%powershell.exe' OR "Process Name" ILIKE '%pwsh.exe')
      AND (
        "Process CommandLine" ILIKE '%Invoke-Command%'
        OR "Process CommandLine" ILIKE '%Enter-PSSession%'
        OR "Process CommandLine" ILIKE '%New-PSSession%'
        OR "Process CommandLine" ILIKE '%-ComputerName%'
        OR "Process CommandLine" ILIKE '%wsman://%'
        OR "Process CommandLine" ILIKE '%WSMan%'
      )
    )
    OR "Process Name" ILIKE '%winrs.exe'
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

IBM QRadar SIEM — Windows Security Event Log DSM IBM QRadar SIEM — Sysmon DSM (custom or via Microsoft Defender for Endpoint log source) QRadar WinCollect or Syslog-NG agent forwarding Sysmon XML events

Required Tables

events (QRadar normalised event store)

False Positives

Automated configuration management tools (Ansible WinRM transport, Chef, Puppet) performing scheduled node management — these will generate sustained Invoke-Command activity from a small set of source hosts; scope detections with a whitelist of known management server IPs
Enterprise RMM platforms (ConnectWise Automate, Kaseya VSA) that use PowerShell remoting internally for agent health checks and script delivery on managed endpoints
Software packaging and CI/CD pipelines using winrs.exe or PowerShell New-PSSession to deploy builds to remote Windows test or staging hosts — correlate with change-window schedules to suppress

Sumo Logic CSE

sql

(_sourceCategory=windows/sysmon OR _sourceCategory=Windows/Sysmon/Operational)
| where EventCode = "1"
| parse regex field=ParentImage "(?i)(?<ParentFileName>[^\\]+)$" nodrop
| parse regex field=Image      "(?i)(?<FileName>[^\\]+)$"      nodrop
| where (
    (
      ParentFileName matches "(?i)wsmprovhost.exe"
      and FileName != "conhost.exe"
      and FileName != "WerFault.exe"
      and FileName != "csc.exe"
    )
    or
    (
      (FileName matches "(?i)powershell.exe" or FileName matches "(?i)pwsh.exe")
      and (
        CommandLine matches "(?i)Invoke-Command"
        or CommandLine matches "(?i)Enter-PSSession"
        or CommandLine matches "(?i)New-PSSession"
        or CommandLine matches "(?i)-ComputerName"
        or CommandLine matches "(?i)wsman://"
        or CommandLine matches "(?i)WSMan"
      )
    )
    or FileName matches "(?i)winrs.exe"
  )
| eval AlertType = if(ParentFileName matches "(?i)wsmprovhost.exe", "WinRM_RemoteExec",
                   if(FileName matches "(?i)(powershell|pwsh).exe", "WinRM_PSRemoting",
                   if(FileName matches "(?i)winrs.exe", "WinRM_DirectTool", "Unknown")))
| fields _messageTime, Computer, User, FileName, CommandLine, ParentFileName, AlertType
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Enterprise (CSE) Sysmon operational logs forwarded via Sumo Logic Installed Collector (Windows Event Log source) Sumo Logic OpenTelemetry Collector for Windows

Required Tables

windows/sysmon (source category) Windows/Sysmon/Operational (source category)

False Positives

Legitimate IT administrators using PowerShell Remoting interactively for remote system health checks or remediation — tunable by correlating with privileged account baselines and source-to-destination pair frequency
Enterprise RMM tools (ConnectWise, Kaseya, NinjaRMM) that leverage WinRM for remote script execution on managed endpoints — whitelist known RMM agent process hashes or parent processes
CI/CD build pipelines using New-PSSession to deploy artefacts or run integration tests on remote Windows hosts — expect periodic bursts aligned with deployment schedules

Google Chronicle / SecOps

yaral

rule winrm_lateral_movement_t1021_006 {
  meta:
    author          = "Detection Engineering"
    description     = "Detects WinRM lateral movement (T1021.006): wsmprovhost.exe spawning non-standard children, PowerShell WinRM remoting cmdlets, and direct winrs.exe usage"
    mitre_attack_tactic           = "Lateral Movement"
    mitre_attack_technique        = "T1021.006"
    mitre_attack_technique_name   = "Remote Services: Windows Remote Management"
    severity   = "HIGH"
    confidence = "HIGH"
    created    = "2024-01-01"
    platforms  = "Windows"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        // Pattern 1: wsmprovhost.exe spawning suspicious children — destination-side remote execution
        re.regex($e.principal.process.file.full_path, `(?i)wsmprovhost\.exe$`)
        and not re.regex($e.target.process.file.full_path, `(?i)(conhost|WerFault|csc)\.exe$`)
      )
      or
      (
        // Pattern 2: PowerShell using WinRM remoting cmdlets
        re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line,
          `(?i)(Invoke-Command|Enter-PSSession|New-PSSession|-ComputerName|wsman://|WSMan)`)
      )
      or
      // Pattern 3: Direct WinRS lateral movement tool
      re.regex($e.target.process.file.full_path, `(?i)winrs\.exe$`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM — Windows Endpoint telemetry via Chronicle Forwarder Microsoft Defender for Endpoint ingested into Chronicle via Chronicle MDE connector Sysmon events normalised to UDM via Chronicle Windows parser

Required Tables

UDM entity store — PROCESS_LAUNCH event type

False Positives

Legitimate PowerShell Remoting sessions from administrator accounts on jump hosts or Privileged Access Workstations (PAWs) — tune with a reference list of authorised management hosts in the principal.hostname field
Configuration management platforms (SaltStack winrm transport, Ansible, Chef) executing scripts remotely via WinRM as part of infrastructure automation — these generate high-frequency but predictable source-destination patterns
Security tooling such as vulnerability scanners or EDR management consoles that use WinRM to enumerate system configuration on managed Windows endpoints during scheduled assessment windows

CrowdStrike LogScale (CQL)

cql

#repo=base_sensor #event_simpleName=ProcessRollup2
| eval AlertType = if(
    match("(?i)wsmprovhost\\.exe", ParentBaseFileName)
    AND !match("(?i)(conhost|WerFault|csc)\\.exe", FileName),
    "WinRM_RemoteExec",
  if(
    match("(?i)(powershell|pwsh)\\.exe", FileName)
    AND match("(?i)(Invoke-Command|Enter-PSSession|New-PSSession|-ComputerName|wsman://|WSMan)", CommandLine),
    "WinRM_PSRemoting",
  if(
    match("(?i)winrs\\.exe", FileName),
    "WinRM_DirectTool",
    null()
  )))
| where isNotNull(AlertType)
| table(
    [ timestamp, ComputerName, UserName, FileName,
      CommandLine, ParentBaseFileName, AlertType ]
  )
| sort(timestamp, order=desc, limit=500)

high severity high confidence

Data Sources

CrowdStrike Falcon Platform — Falcon Insight EDR (ProcessRollup2 events) CrowdStrike LogScale (Humio) — base_sensor repository Falcon Data Replicator (FDR) feeding LogScale

Required Tables

base_sensor repository — ProcessRollup2 event type

False Positives

Legitimate remote administration via PowerShell Remoting from approved IT management hosts — tune by adding a NOT match() condition scoped to known management host ComputerName values or a reference list of privileged workstations
Endpoint management solutions (Tanium, BigFix, Ivanti) that leverage WinRM as a remote execution transport on managed Windows endpoints — these generate predictable parent-child process chains that can be whitelisted by ParentBaseFileName or ParentProcessId lineage
Automated DevOps pipelines using Ansible WinRM transport or PowerShell New-PSSession to provision or test remote Windows build agents — correlate with deployment schedules and CI/CD service account names to suppress during expected maintenance windows

Windows Remote Management

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Lateral Movement

Popular Detections