When a Windows Remote Management (WinRM) connection is opened, the client sends HTTP requests to port 5985 (HTTP) or 5986 (HTTPS) on the target host. Each request is sent to the URI /wsman, with other information carried in the HTTP headers. Depending on the operation, the HTTP method may vary (e.g., GET, POST). This analytic would detect Remote PowerShell, as well as other communications that rely on WinRM. Additionally, it outputs the executable on the client host, the connection information, and the hostname of the target host.
|Technique|Subtechnique(s)|Tactic(s)|Level of Coverage|
|---|---|---|---|
|Remote Services|Windows Remote Management|Lateral Movement|Moderate|
Data Model References
Look for network connections to ports 5985 and 5986. These are the default WinRM listener ports; a listener bound to a non-default port will not match this search. To really decipher what is going on, these outputs should be fed into something that can do packet analysis.
```
flow = search Flow:Start
winrm = filter flow where (dest_port == 5985)
winrm_s = filter flow where (dest_port == 5986)
output winrm, winrm_s
```
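The pseudocode above, as an added example that is not part of this analytic, run over constructed Sysmon Event ID 3 (network connection) records in a key=value layout, with the client executable, connection tuple and target hostname output as the description says. It also adds the packet-level confirmation the previous paragraph calls for: a check that a captured HTTP request line targets /wsman. The log lines, the HTTP request head and the field names are constructed for illustration and are assumptions, not data from the original page.

```python
"""Added example: the WinRM flow filter from the pseudocode above, plus a
/wsman request-line check. All sample data below is constructed."""
import re
from dataclasses import dataclass

WINRM_HTTP_PORT = 5985    # default WinRM listener, plaintext HTTP
WINRM_HTTPS_PORT = 5986   # default WinRM listener, HTTPS
WINRM_URI = "/wsman"

# Constructed Sysmon Event ID 3 records (assumed key=value layout).
SAMPLE_FLOWS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe SourceIp=10.0.0.5 SourcePort=49712 DestinationIp=10.0.0.20 DestinationPort=5985 DestinationHostname=fileserver01",
    "Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe SourceIp=10.0.0.5 SourcePort=49713 DestinationIp=93.184.216.34 DestinationPort=443 DestinationHostname=example.com",
    "Image=C:\\Windows\\System32\\winrs.exe SourceIp=10.0.0.5 SourcePort=49714 DestinationIp=10.0.0.21 DestinationPort=5986 DestinationHostname=dc01",
    "Image=C:\\Windows\\System32\\svchost.exe SourceIp=10.0.0.5 SourcePort=49715 DestinationIp=10.0.0.20 DestinationPort=445 DestinationHostname=fileserver01",
]


@dataclass
class WinRmHit:
    image: str          # executable on the client host
    src: str            # source ip:port
    dst: str            # destination ip:port
    dst_hostname: str   # hostname of the target host
    transport: str      # "http" (5985) or "https" (5986)


def parse_record(line):
    """Split a key=value record into a dict. Values (image paths) may contain
    spaces, so a value runs until the next ' key=' token or end of line."""
    return {k: v for k, v in re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line)}


def find_winrm_flows(lines):
    """Equivalent of: filter Flow:Start where dest_port is 5985 or 5986, then
    output the client executable, connection information and target hostname."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        port = int(rec["DestinationPort"])
        if port == WINRM_HTTP_PORT:
            transport = "http"
        elif port == WINRM_HTTPS_PORT:
            transport = "https"
        else:
            continue
        hits.append(WinRmHit(
            image=rec["Image"],
            src=f"{rec['SourceIp']}:{rec['SourcePort']}",
            dst=f"{rec['DestinationIp']}:{port}",
            dst_hostname=rec["DestinationHostname"],
            transport=transport,
        ))
    return hits


# Constructed head of a WinRM request as it would appear on the wire over 5985.
SAMPLE_HTTP_REQUEST = (
    "POST /wsman HTTP/1.1\r\n"
    "Host: fileserver01:5985\r\n"
    "Content-Type: application/soap+xml;charset=UTF-8\r\n"
    "User-Agent: Microsoft WinRM Client\r\n"
    "Content-Length: 0\r\n\r\n"
)


def is_wsman_request(raw):
    """Packet-level confirmation: the request line targets /wsman. A port
    match alone cannot distinguish WinRM from any other service bound to
    5985/5986, so the analytic's output should be checked against the URI."""
    request_line = raw.split("\r\n", 1)[0]
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False
    _method, target, _version = parts
    return target.split("?", 1)[0].rstrip("/").lower() == WINRM_URI


if __name__ == "__main__":
    for hit in find_winrm_flows(SAMPLE_FLOWS):
        print(hit)
    print("wsman request:", is_wsman_request(SAMPLE_HTTP_REQUEST))
```

Only the two flows to 5985 and 5986 survive the filter; the 443 and 445 connections from the same client are dropped. Feeding the matching flows' captures through the request-line check separates real WS-Management traffic from anything else that happens to listen on those ports.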