Detect Windows Remote Management in Microsoft Sentinel
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). WinRM is a Windows service and protocol that allows remote execution of commands, registry modification, and service management. It can be invoked via the winrm command, PowerShell's Invoke-Command/Enter-PSSession, or tools such as Evil-WinRM, used by Storm-0501. Other users of the technique include Cobalt Strike (WinRM for Beacon delivery), Brute Ratel C4, Chimera, and FIN13. WinRM operates over HTTP (TCP 5985) and HTTPS (TCP 5986) and requires valid credentials plus network access to the listener. Because WinRM is disabled by default on client systems, adversaries may first have to enable it via registry modification or Group Policy.
MITRE ATT&CK
- Tactic: Lateral Movement
- Technique: T1021 Remote Services
- Sub-technique: T1021.006 Windows Remote Management
- Canonical reference: https://attack.mitre.org/techniques/T1021/006/
KQL Detection Query
// Detect WinRM lateral movement: remote command execution and suspicious WinRM usage
DeviceProcessEvents
| where Timestamp > ago(24h)
// Pattern 1: wsmprovhost.exe spawning suspicious children on the destination host (remote execution)
| where InitiatingProcessFileName =~ "wsmprovhost.exe"
| where FileName !in~ ("conhost.exe", "WerFault.exe") // Exclude normal WinRM child processes
| extend Pattern = "WinRM_RemoteExec"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, Pattern
| union (
    // Pattern 2: PowerShell WinRM usage (Invoke-Command, Enter-PSSession, New-PSSession)
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine has_any (
        "Invoke-Command", "Enter-PSSession", "New-PSSession",
        "winrm", "PSSession", "-ComputerName", "WSMan"
      )
    // Require a remote target or session argument so purely local PowerShell usage is not flagged
    | where ProcessCommandLine has_any ("-ComputerName", "-Session", "wsman://")
    | extend Pattern = "WinRM_PSRemoting"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, Pattern
)
| union (
    // Pattern 3: winrm.cmd or winrs.exe execution
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("winrs.exe", "winrm.cmd")
    | extend Pattern = "WinRM_DirectTool"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, Pattern
)
| sort by Timestamp desc

The query detects WinRM lateral movement via three high-signal patterns: wsmprovhost.exe (the WinRM provider host) spawning suspicious child processes on destination hosts, which indicates remote command execution; PowerShell commands using WinRM primitives (Invoke-Command, Enter-PSSession, New-PSSession); and direct winrs.exe or winrm.cmd tool execution. It uses the DeviceProcessEvents table from Microsoft Defender for Endpoint (MDE).
Data Sources
Required Tables
- DeviceProcessEvents (Microsoft Defender for Endpoint)
False Positives & Tuning
- IT administrators using PowerShell remoting (Enter-PSSession, Invoke-Command) for legitimate remote system management
- SCCM/Intune and other configuration management platforms that use WinRM for remote script execution
- Monitoring agents (SCOM, Datadog, SolarWinds) that collect data via WinRM
- Ansible on Windows using WinRM as its transport layer for configuration management playbooks
- Automated patch management and software deployment processes that leverage PowerShell remoting
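The following is an added tuning example, not the page's original detection: it keeps the same three patterns but applies the exclusions listed above through a Sentinel watchlist instead of hard-coded values, and adds a first-seen baseline so that accounts that have never used WinRM before are surfaced first. The watchlist name "WinRM_Allowlist" and its AccountName and SourceHost columns are hypothetical; the agent process names CcmExec.exe (SCCM client) and IntuneManagementExtension.exe, and the alert thresholds, are assumptions to be checked against your own environment.

```kql
// Added example (not the original detection): tuned WinRM lateral-movement query.
// Assumes a Sentinel watchlist "WinRM_Allowlist" (hypothetical) with two columns:
//   AccountName - approved admin/service accounts allowed to use PowerShell remoting
//   SourceHost  - management servers (SCCM, Ansible controllers, SCOM/Datadog/SolarWinds pollers)
let lookback = 24h;          // alerting window
let baseline = 30d;          // how far back to look for "known" WinRM users
let allowedAccounts = _GetWatchlist('WinRM_Allowlist')
    | where isnotempty(AccountName)
    | project AccountName = tolower(AccountName)
    | distinct AccountName;
let allowedSources = _GetWatchlist('WinRM_Allowlist')
    | where isnotempty(SourceHost)
    | project SourceHost = tolower(SourceHost)
    | distinct SourceHost;
// Classify every process event into one of the three patterns from the original query
let winrmEvents = DeviceProcessEvents
    | where Timestamp > ago(baseline)
    | extend Pattern = case(
        InitiatingProcessFileName =~ "wsmprovhost.exe"
            and FileName !in~ ("conhost.exe", "WerFault.exe"), "WinRM_RemoteExec",
        FileName in~ ("powershell.exe", "pwsh.exe")
            and ProcessCommandLine has_any ("Invoke-Command", "Enter-PSSession", "New-PSSession")
            and ProcessCommandLine has_any ("-ComputerName", "-Session", "wsman://"), "WinRM_PSRemoting",
        FileName in~ ("winrs.exe", "winrm.cmd"), "WinRM_DirectTool",
        "")
    | where isnotempty(Pattern)
    // Tuning 1: approved accounts are never alerted on
    | where tolower(AccountName) !in (allowedAccounts)
    // Tuning 2: approved management hosts are excluded as *sources*; wsmprovhost children
    //           on a destination are kept, because the destination is not the management host
    | where Pattern == "WinRM_RemoteExec" or tolower(DeviceName) !in (allowedSources)
    // Tuning 3: remoting launched by configuration-management agents on the source side
    //           (process names assumed; verify in your environment)
    | where InitiatingProcessFileName !in~ ("CcmExec.exe", "IntuneManagementExtension.exe");
// Accounts that already used WinRM before the alerting window form the baseline
let knownAccounts = winrmEvents
    | where Timestamp <= ago(lookback)
    | distinct AccountName
    | extend Known = true;
winrmEvents
| where Timestamp > ago(lookback)
| summarize Events = count(),
            Hosts = dcount(DeviceName),
            HostList = make_set(DeviceName, 20),
            Patterns = make_set(Pattern),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleCommand = take_any(ProcessCommandLine)
          by AccountName
| join kind=leftouter knownAccounts on AccountName
| extend NewWinRMUser = isnull(Known)
// Prioritise: never-before-seen accounts, or accounts touching several hosts in one day.
// Threshold values are constructed; tune to your environment.
| where NewWinRMUser or Hosts >= 3 or Events >= 10
| project AccountName, NewWinRMUser, Hosts, Events, Patterns, HostList, FirstSeen, LastSeen, SampleCommand
| sort by NewWinRMUser desc, Hosts desc, Events desc
```

Scanning 30 days of DeviceProcessEvents with a case() on every row is acceptable for hunting but costly as a scheduled analytics rule; for production, materialise the known-accounts baseline into its own watchlist or a summary table and keep the scheduled query to the 24h window.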
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Execute Remote Command via WinRM (Invoke-Command)
  Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-Command and ComputerName in command line. Sysmon Event ID 3: outbound TCP to 127.0.0.1:5985. On target: wsmprovhost.exe spawning child process (Get-Process execution). WinRM Operational Event ID 91.
- Test 2: Enable WinRM on Remote Host via Registry
  Expected signal: Sysmon Event ID 1: powershell.exe with Enable-PSRemoting. Sysmon Event ID 13 (Registry Value Set): changes to WinRM configuration registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM. WinRM service start in System log.
- Test 3: Execute Remote Command via winrs.exe
  Expected signal: Sysmon Event ID 1: winrs.exe process creation with -r: and remote IP. Sysmon Event ID 3: network connection to 127.0.0.1:5985. On target: wsmprovhost.exe spawning cmd.exe with 'whoami & hostname'.
- Test 4: Interactive WinRM Session via Enter-PSSession
  Expected signal: Sysmon Event ID 1: powershell.exe with New-PSSession and ComputerName 127.0.0.1. Sysmon Event ID 3: TCP connection to 5985. WinRM Operational Events 6, 11, 15 (create, shell, command). ScriptBlock Log Event 4104 with Get-LocalUser.
References
- https://attack.mitre.org/techniques/T1021/006/
- https://learn.microsoft.com/en-us/windows/win32/winrm/portal
- https://learn.microsoft.com/en-us/powershell/module/microsoft.wsman.management/
- https://github.com/Hackplayers/evil-winrm
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md
- https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2021/january/chimera-apt-targeting-semiconductor-vendors/
- https://www.microsoft.com/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- https://docs.microsoft.com/en-us/archive/blogs/jepayne/2014-02-03-lateral-movement-winrm