T1021.006 Splunk · SPL

Detect Windows Remote Management in Splunk

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). WinRM is a Windows service and protocol allowing remote execution of commands, registry modification, and service management. It can be invoked via the winrm command, PowerShell's Invoke-Command/Enter-PSSession, or tools like Evil-WinRM used by Storm-0501. Other users include Cobalt Strike (WinRM for Beacon delivery), Brute Ratel C4, Chimera, and FIN13. WinRM operates over HTTP (5985) and HTTPS (5986) and requires valid credentials plus network access. When disabled by default on client systems, adversaries may first enable it via registry modification or Group Policy.

MITRE ATT&CK

Tactic
Lateral Movement
Technique
T1021 Remote Services
Sub-technique
T1021.006 Windows Remote Management
Canonical reference
https://attack.mitre.org/techniques/T1021/006/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Microsoft-Windows-WinRM/Operational")
(
  (EventCode=1
   ParentImage="*\\wsmprovhost.exe"
   NOT Image IN ("*\\conhost.exe", "*\\WerFault.exe", "*\\csc.exe")
  | eval AlertType="WinRM_RemoteExec_Child"
  | table _time, host, User, Image, CommandLine, ParentImage, AlertType)
OR
  (EventCode=1
   (Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
   (CommandLine="*Invoke-Command*" OR CommandLine="*Enter-PSSession*" OR CommandLine="*New-PSSession*" OR CommandLine="*-ComputerName*" OR CommandLine="*wsman://*" OR CommandLine="*winrm*")
  | eval AlertType="WinRM_PSRemoting"
  | table _time, host, User, Image, CommandLine, ParentImage, AlertType)
OR
  (EventCode=1
   (Image="*\\winrs.exe" OR CommandLine="*winrm*")
  | eval AlertType="WinRM_DirectTool"
  | table _time, host, User, Image, CommandLine, AlertType)
OR
  (sourcetype="WinEventLog:Microsoft-Windows-WinRM/Operational"
   (EventCode=91 OR EventCode=168)
  | eval AlertType="WinRM_SessionCreated"
  | table _time, host, EventCode, AlertType)
)
| sort - _time
high severity high confidence

Detects WinRM activity using Sysmon Event ID 1 (three patterns: wsmprovhost.exe child process spawning, PowerShell WinRM usage, winrs.exe tool execution) and WinRM Operational log events (Event ID 91: session created, Event ID 168: authentication succeeded). The AlertType field classifies the detection category.

Data Sources

Process: Process CreationLogon Session: Logon Session CreationSysmon Event ID 1Windows WinRM Operational Event IDs 91, 168

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Microsoft-Windows-WinRM/Operational

False Positives & Tuning

  • IT administrators using PowerShell remoting for legitimate remote management
  • SCCM/Intune using WinRM for remote script execution
  • Monitoring agents collecting data via WinRM
  • Ansible using WinRM as its Windows transport layer
  • Automated patch management using PowerShell remoting
Download portable Sigma rule (.yml)

Other platforms for T1021.006

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Execute Remote Command via WinRM (Invoke-Command)

    Expected signal: Sysmon Event ID 1: powershell.exe with Invoke-Command and ComputerName in command line. Sysmon Event ID 3: outbound TCP to 127.0.0.1:5985. On target: wsmprovhost.exe spawning child process (Get-Process execution). WinRM Operational Event ID 91.

  2. Test 2Enable WinRM on Remote Host via Registry

    Expected signal: Sysmon Event ID 1: powershell.exe with Enable-PSRemoting. Sysmon Event ID 13 (Registry Value Set): changes to WinRM configuration registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM. WinRM service start in System log.

  3. Test 3Execute Remote Command via winrs.exe

    Expected signal: Sysmon Event ID 1: winrs.exe process creation with -r: and remote IP. Sysmon Event ID 3: network connection to 127.0.0.1:5985. On target: wsmprovhost.exe spawning cmd.exe with 'whoami & hostname'.

  4. Test 4Interactive WinRM Session via Enter-PSSession

    Expected signal: Sysmon Event ID 1: powershell.exe with New-PSSession and ComputerName 127.0.0.1. Sysmon Event ID 3: TCP connection to 5985. WinRM Operational Events 6, 11, 15 (create, shell, command). ScriptBlock Log Event 4104 with Get-LocalUser.

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1021.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1021Remote Services

Related Sub-techniques

T1021.001Remote Desktop ProtocolT1021.002SMB/Windows Admin SharesT1021.003Distributed Component Object ModelT1021.004SSHT1021.005VNCT1021.007Cloud ServicesT1021.008Direct Cloud VM Connections

Related Techniques

T1021Remote ServicesT1059.001PowerShellT1047Windows Management InstrumentationT1021.002SMB/Windows Admin SharesT1543.003Windows ServiceT1053.005Scheduled TaskT1078Valid AccountsT1550.002Pass the Hash

Same Tactic: Lateral Movement

Popular Detections