DFIR

WinRM

Standard Settings

Source host
- Execution history (Prefetch)
- WinRM execution history (Microsoft-Windows-WinRM/Operational)
Destination Host
- Execution history (Prefetch)
- WinRM execution history (Microsoft-Windows-WinRM/Operational)

Additional Settings

Source host
- Execution history (audit policy, Sysmon)
- Communication via 5985/tcp (audit policy, Sysmon)
Destination Host
- Execution history (audit policy, Sysmon)
- Communication via 5985/tcp (audit policy, Sysmon)

Investigation

Will create a user profile when executed on a remote system.

PreviousWinRS NextRDP

Last updated 5 months ago