Detect Windows Remote Management in Google Chronicle
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). WinRM is a Windows service and protocol allowing remote execution of commands, registry modification, and service management. It can be invoked via the winrm command, PowerShell's Invoke-Command/Enter-PSSession, or tools like Evil-WinRM used by Storm-0501. Other users include Cobalt Strike (WinRM for Beacon delivery), Brute Ratel C4, Chimera, and FIN13. WinRM operates over HTTP (5985) and HTTPS (5986) and requires valid credentials plus network access. When disabled by default on client systems, adversaries may first enable it via registry modification or Group Policy.
MITRE ATT&CK
- Tactic
- Lateral Movement
- Technique
- T1021 Remote Services
- Sub-technique
- T1021.006 Windows Remote Management
- Canonical reference
- https://attack.mitre.org/techniques/T1021/006/
YARA-L Detection Query
rule winrm_lateral_movement_t1021_006 {
meta:
author = "Detection Engineering"
description = "Detects WinRM lateral movement (T1021.006): wsmprovhost.exe spawning non-standard children, PowerShell WinRM remoting cmdlets, and direct winrs.exe usage"
mitre_attack_tactic = "Lateral Movement"
mitre_attack_technique = "T1021.006"
mitre_attack_technique_name = "Remote Services: Windows Remote Management"
severity = "HIGH"
confidence = "HIGH"
created = "2024-01-01"
platforms = "Windows"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
(
// Pattern 1: wsmprovhost.exe spawning suspicious children — destination-side remote execution
re.regex($e.principal.process.file.full_path, `(?i)wsmprovhost\.exe$`)
and not re.regex($e.target.process.file.full_path, `(?i)(conhost|WerFault|csc)\.exe$`)
)
or
(
// Pattern 2: PowerShell using WinRM remoting cmdlets
re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
and re.regex($e.target.process.command_line,
`(?i)(Invoke-Command|Enter-PSSession|New-PSSession|-ComputerName|wsman://|WSMan)`)
)
or
// Pattern 3: Direct WinRS lateral movement tool
re.regex($e.target.process.file.full_path, `(?i)winrs\.exe$`)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting WinRM lateral movement using UDM PROCESS_LAUNCH events. Uses principal.process (parent) and target.process (child) UDM fields with re.regex() for case-insensitive matching. Covers all three detection patterns from the original KQL/SPL: wsmprovhost.exe child spawning, PowerShell remoting, and direct winrs.exe execution.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate PowerShell Remoting sessions from administrator accounts on jump hosts or Privileged Access Workstations (PAWs) — tune with a reference list of authorised management hosts in the principal.hostname field
- Configuration management platforms (SaltStack winrm transport, Ansible, Chef) executing scripts remotely via WinRM as part of infrastructure automation — these generate high-frequency but predictable source-destination patterns
- Security tooling such as vulnerability scanners or EDR management consoles that use WinRM to enumerate system configuration on managed Windows endpoints during scheduled assessment windows
Other platforms for T1021.006
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Execute Remote Command via WinRM (Invoke-Command)
Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-Command and ComputerName in command line. Sysmon Event ID 3: outbound TCP to 127.0.0.1:5985. On target: wsmprovhost.exe spawning child process (Get-Process execution). WinRM Operational Event ID 91.
- Test 2Enable WinRM on Remote Host via Registry
Expected signal: Sysmon Event ID 1: powershell.exe with Enable-PSRemoting. Sysmon Event ID 13 (Registry Value Set): changes to WinRM configuration registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM. WinRM service start in System log.
- Test 3Execute Remote Command via winrs.exe
Expected signal: Sysmon Event ID 1: winrs.exe process creation with -r: and remote IP. Sysmon Event ID 3: network connection to 127.0.0.1:5985. On target: wsmprovhost.exe spawning cmd.exe with 'whoami & hostname'.
- Test 4Interactive WinRM Session via Enter-PSSession
Expected signal: Sysmon Event ID 1: powershell.exe with New-PSSession and ComputerName 127.0.0.1. Sysmon Event ID 3: TCP connection to 5985. WinRM Operational Events 6, 11, 15 (create, shell, command). ScriptBlock Log Event 4104 with Get-LocalUser.
References (8)
- https://attack.mitre.org/techniques/T1021/006/
- https://learn.microsoft.com/en-us/windows/win32/winrm/portal
- https://learn.microsoft.com/en-us/powershell/module/microsoft.wsman.management/
- https://github.com/Hackplayers/evil-winrm
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md
- https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2021/january/chimera-apt-targeting-semiconductor-vendors/
- https://www.microsoft.com/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- https://docs.microsoft.com/en-us/archive/blogs/jepayne/2014-02-03-lateral-movement-winrm
Unlock Pro Content
Get the full detection package for T1021.006 including response playbook, investigation guide, and atomic red team tests.