Networking
- Networking
Windows
Linux
Enterprise Architecture
Mac
- Forensics
  - Page 3
Attacker Information
IR Playbook
- Activity from Unmanaged Host
- Recommendations
Reverse Engineering
- Python - Pyinstaller

Powered by GitBook

On this page

Standard Settings
Additional Settings
Investigation

Windows

Forensics

Event Logs

LOLBins

WinRM

PreviousWinRS NextRDP

Last updated 11 months ago

Standard Settings

Source host
- Execution history (Prefetch)
- WinRM execution history (Microsoft-Windows-WinRM/Operational)
Destination Host
- Execution history (Prefetch)
- WinRM execution history (Microsoft-Windows-WinRM/Operational)

Additional Settings

Source host
- Execution history (audit policy, Sysmon)
- Communication via 5985/tcp (audit policy, Sysmon)
Destination Host
- Execution history (audit policy, Sysmon)
- Communication via 5985/tcp (audit policy, Sysmon)

Investigation

Will create a user profile when executed on a remote system.

Windows Remote Management (WinRM) | CQRCQR