DET0477 Behavioral Detection of WinRM-Based Remote Access

Item	Value
ID	DET0477
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1021.006 (Windows Remote Management)

Analytics

Windows

AN1313

Adversaries using WinRM to remotely execute commands, launch child processes, or access WMI. The detection chain includes service use, network activity, remote session logon, and process creation within a short temporal window.

Log Sources

Data Component	Name	Channel
Logon Session Creation (DC0067)	WinEventLog:Security	EventCode=4624, 4648
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Service Metadata (DC0041)	WinEventLog:WinRM	EventCode=6
Network Traffic Flow (DC0078)	NSM:Connections	Inbound on ports 5985/5986

Mutable Elements

Field	Description
TimeWindow	Defines max time between remote shell creation and child process execution (e.g., 60 seconds)
UserContext	Scope to unexpected remote user logons (non-admins, service accounts)
CommandLineAnomalyScore	Score for suspicious command usage via WinRM (e.g., encoded PowerShell)
KnownAdminHosts	List of trusted systems allowed to use WinRM legitimately