T1021.006 IBM QRadar · QRadar

Detect Windows Remote Management in IBM QRadar

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). WinRM is a Windows service and protocol that allows remote execution of commands, registry modification, and service management. It can be invoked via the winrm command, PowerShell's Invoke-Command/Enter-PSSession, or tools such as Evil-WinRM, which Storm-0501 has used. Other known users include Cobalt Strike (WinRM for Beacon delivery), Brute Ratel C4, Chimera, and FIN13. WinRM operates over HTTP (TCP 5985) and HTTPS (TCP 5986) and requires valid credentials plus network access to the service. Where it is disabled by default, as on client systems, adversaries may first enable it via registry modification or Group Policy.

MITRE ATT&CK

Tactic: Lateral Movement
Technique: T1021 Remote Services
Sub-technique: T1021.006 Windows Remote Management
Canonical reference: https://attack.mitre.org/techniques/T1021/006/

QRadar Detection Query

IBM QRadar (QRadar)
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip                                        AS SourceHost,
  username                                        AS Username,
  "Process Name"                                  AS ProcessName,
  "Process CommandLine"                           AS CommandLine,
  "Parent Process Name"                           AS ParentProcessName,
  CASE
    WHEN "Parent Process Name" ILIKE '%wsmprovhost.exe'
         AND "Process Name" NOT ILIKE '%conhost.exe'
         AND "Process Name" NOT ILIKE '%WerFault.exe'
         AND "Process Name" NOT ILIKE '%csc.exe'
      THEN 'WinRM_RemoteExec'
    WHEN ("Process Name" ILIKE '%powershell.exe' OR "Process Name" ILIKE '%pwsh.exe')
         AND ("Process CommandLine" ILIKE '%Invoke-Command%'
              OR "Process CommandLine" ILIKE '%Enter-PSSession%'
              OR "Process CommandLine" ILIKE '%New-PSSession%'
              OR "Process CommandLine" ILIKE '%-ComputerName%'
              OR "Process CommandLine" ILIKE '%wsman://%'
              OR "Process CommandLine" ILIKE '%WSMan%')
      THEN 'WinRM_PSRemoting'
    WHEN "Process Name" ILIKE '%winrs.exe'
      THEN 'WinRM_DirectTool'
  END AS AlertType
FROM events
WHERE
  (LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
   OR LOGSOURCETYPENAME(devicetype) ILIKE '%Windows%Security%Event%Log%')
  AND eventid = 1
  AND (
    (
      "Parent Process Name" ILIKE '%wsmprovhost.exe'
      AND "Process Name" NOT ILIKE '%conhost.exe'
      AND "Process Name" NOT ILIKE '%WerFault.exe'
      AND "Process Name" NOT ILIKE '%csc.exe'
    )
    OR (
      ("Process Name" ILIKE '%powershell.exe' OR "Process Name" ILIKE '%pwsh.exe')
      AND (
        "Process CommandLine" ILIKE '%Invoke-Command%'
        OR "Process CommandLine" ILIKE '%Enter-PSSession%'
        OR "Process CommandLine" ILIKE '%New-PSSession%'
        OR "Process CommandLine" ILIKE '%-ComputerName%'
        OR "Process CommandLine" ILIKE '%wsman://%'
        OR "Process CommandLine" ILIKE '%WSMan%'
      )
    )
    OR "Process Name" ILIKE '%winrs.exe'
  )
ORDER BY starttime DESC
LAST 24 HOURS
Severity: high · Confidence: high

QRadar AQL query detecting WinRM lateral movement from Sysmon Event ID 1 (Process Create) records ingested from Windows log sources. It uses the custom DSM-parsed properties 'Process Name', 'Process CommandLine', and 'Parent Process Name' — these field names must match your QRadar DSM extension for Sysmon. Results are classified by alert type with a CASE expression for triage prioritisation: children of wsmprovhost.exe (excluding conhost.exe, WerFault.exe and csc.exe) as WinRM_RemoteExec, PowerShell remoting cmdlets and WSMan URIs on the command line as WinRM_PSRemoting, and winrs.exe as WinRM_DirectTool.

Data Sources

  • IBM QRadar SIEM — Windows Security Event Log DSM
  • IBM QRadar SIEM — Sysmon DSM (custom or via Microsoft Defender for Endpoint log source)
  • QRadar WinCollect or Syslog-NG agent forwarding Sysmon XML events

Required Tables

events (QRadar normalised event store)

False Positives & Tuning

  • Automated configuration management tools (Ansible WinRM transport, Chef, Puppet) performing scheduled node management — these will generate sustained Invoke-Command activity from a small set of source hosts; scope detections with a whitelist of known management server IPs
  • Enterprise RMM platforms (ConnectWise Automate, Kaseya VSA) that use PowerShell remoting internally for agent health checks and script delivery on managed endpoints
  • Software packaging and CI/CD pipelines using winrs.exe or PowerShell New-PSSession to deploy builds to remote Windows test or staging hosts — correlate with change-window schedules to suppress
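The classification and tuning logic described above, as an added example that is not part of the original page or of the QRadar rule: the AQL query's filter and CASE expression re-expressed in Python and run over constructed Sysmon Event ID 1 records, followed by the allow-list suppression of known management hosts recommended in the tuning notes. All event values, host names and IP addresses are invented for illustration; the property names mirror the query's custom DSM fields.

```python
"""Offline re-implementation of the QRadar WinRM detection (added example).

classify() mirrors the CASE expression of the AQL query; run_detection()
mirrors the WHERE clause (Event ID 1 only) plus the tuning allow-list for
configuration-management servers. Sample events below are constructed.
"""
import re

# Constructed allow-list: a hypothetical Ansible controller (tuning note 1).
MANAGEMENT_HOSTS = frozenset({"10.0.0.5"})

# Exclusions and markers copied from the query's CASE branches.
WSMPROVHOST_CHILD_EXCLUSIONS = ("%conhost.exe", "%WerFault.exe", "%csc.exe")
PS_REMOTING_MARKERS = (
    "%Invoke-Command%", "%Enter-PSSession%", "%New-PSSession%",
    "%-ComputerName%", "%wsman://%", "%WSMan%",
)

# Constructed Sysmon records with the query's custom property names.
SAMPLE_EVENTS = [
    {"EventID": 1, "EventTime": "2024-05-01 10:00:01", "sourceip": "10.0.0.15",
     "username": "CORP\\alice", "Process Name": "C:\\Windows\\System32\\cmd.exe",
     "Process CommandLine": "cmd.exe /c whoami & hostname",
     "Parent Process Name": "C:\\Windows\\System32\\wsmprovhost.exe"},
    # Noise child of wsmprovhost.exe that the query deliberately excludes.
    {"EventID": 1, "EventTime": "2024-05-01 10:00:01", "sourceip": "10.0.0.15",
     "username": "CORP\\alice", "Process Name": "C:\\Windows\\System32\\conhost.exe",
     "Process CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4",
     "Parent Process Name": "C:\\Windows\\System32\\WSMPROVHOST.EXE"},
    {"EventID": 1, "EventTime": "2024-05-01 09:58:40", "sourceip": "10.0.0.22",
     "username": "CORP\\bob",
     "Process Name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Process CommandLine": "powershell.exe Invoke-Command -ComputerName SRV01 -ScriptBlock {Get-Process}",
     "Parent Process Name": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "EventTime": "2024-05-01 09:59:12", "sourceip": "10.0.0.22",
     "username": "CORP\\bob", "Process Name": "C:\\Windows\\System32\\winrs.exe",
     "Process CommandLine": "winrs.exe -r:SRV02 whoami",
     "Parent Process Name": "C:\\Windows\\System32\\cmd.exe"},
    # Local PowerShell with no remoting markers: must not alert.
    {"EventID": 1, "EventTime": "2024-05-01 09:30:00", "sourceip": "10.0.0.40",
     "username": "CORP\\carol",
     "Process Name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "Process CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\report.ps1",
     "Parent Process Name": "C:\\Windows\\explorer.exe"},
    # Remoting from the allow-listed management host: matched, then suppressed.
    {"EventID": 1, "EventTime": "2024-05-01 09:45:00", "sourceip": "10.0.0.5",
     "username": "CORP\\svc_ansible",
     "Process Name": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "Process CommandLine": "pwsh.exe -NonInteractive Invoke-Command -ComputerName node07 -FilePath C:\\ansible\\facts.ps1",
     "Parent Process Name": "C:\\Windows\\System32\\cmd.exe"},
    # Network-connection event: filtered out by the Event ID 1 condition.
    {"EventID": 3, "EventTime": "2024-05-01 09:58:41", "sourceip": "10.0.0.22",
     "username": "CORP\\bob", "Process Name": "powershell.exe",
     "Process CommandLine": "", "Parent Process Name": ""},
]


def ilike(value, pattern):
    """AQL ILIKE semantics: '%' is a wildcard, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def classify(event):
    """Return the AlertType the query's CASE expression would assign, or None."""
    proc = event["Process Name"]
    cmd = event["Process CommandLine"]
    parent = event["Parent Process Name"]
    if ilike(parent, "%wsmprovhost.exe") and not any(
            ilike(proc, p) for p in WSMPROVHOST_CHILD_EXCLUSIONS):
        return "WinRM_RemoteExec"
    if (ilike(proc, "%powershell.exe") or ilike(proc, "%pwsh.exe")) and any(
            ilike(cmd, m) for m in PS_REMOTING_MARKERS):
        return "WinRM_PSRemoting"
    if ilike(proc, "%winrs.exe"):
        return "WinRM_DirectTool"
    return None


def run_detection(events, management_allowlist=frozenset()):
    """Apply the Event ID filter, the CASE classification and the allow-list.

    Returns (alerts, suppressed): alerts mirror the query's SELECT list, newest
    first like ORDER BY starttime DESC; suppressed counts allow-listed hits.
    """
    alerts, suppressed = [], 0
    for ev in events:
        if ev.get("EventID") != 1:          # WHERE eventid = 1
            continue
        alert_type = classify(ev)
        if alert_type is None:
            continue
        if ev["sourceip"] in management_allowlist:
            suppressed += 1
            continue
        alerts.append({
            "EventTime": ev["EventTime"], "SourceHost": ev["sourceip"],
            "Username": ev["username"], "ProcessName": ev["Process Name"],
            "CommandLine": ev["Process CommandLine"],
            "ParentProcessName": ev["Parent Process Name"], "AlertType": alert_type,
        })
    alerts.sort(key=lambda a: a["EventTime"], reverse=True)
    return alerts, suppressed


if __name__ == "__main__":
    hits, dropped = run_detection(SAMPLE_EVENTS, MANAGEMENT_HOSTS)
    for hit in hits:
        print(hit["EventTime"], hit["SourceHost"], hit["AlertType"], hit["CommandLine"])
    print(f"{len(hits)} alerts, {dropped} suppressed by management allow-list")
```

Keep the allow-list to a small, reviewed set of management server IPs: a broad suppression on `Invoke-Command` alone would also hide the interactive and tooling branches that this query is meant to surface.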

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Execute Remote Command via WinRM (Invoke-Command)

    Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-Command and ComputerName in command line. Sysmon Event ID 3: outbound TCP to 127.0.0.1:5985. On target: wsmprovhost.exe spawning child process (Get-Process execution). WinRM Operational Event ID 91.

  2. Test 2: Enable WinRM on Remote Host via Registry

    Expected signal: Sysmon Event ID 1: powershell.exe with Enable-PSRemoting. Sysmon Event ID 13 (Registry Value Set): changes to WinRM configuration registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM. WinRM service start in System log.

  3. Test 3: Execute Remote Command via winrs.exe

    Expected signal: Sysmon Event ID 1: winrs.exe process creation with -r: and remote IP. Sysmon Event ID 3: network connection to 127.0.0.1:5985. On target: wsmprovhost.exe spawning cmd.exe with 'whoami & hostname'.

  4. Test 4: Interactive WinRM Session via Enter-PSSession

    Expected signal: Sysmon Event ID 1: powershell.exe with New-PSSession and ComputerName 127.0.0.1. Sysmon Event ID 3: TCP connection to 5985. WinRM Operational Events 6, 11, 15 (create, shell, command). ScriptBlock Log Event 4104 with Get-LocalUser.
