WinRS

Standard Settings

  • Source host

    • Execution history (Prefetch)

    • WinRM execution history (Microsoft-Windows-WinRM/Operational)

  • Destination Host

    • Execution history (Prefetch)

    • WinRM execution history (Microsoft-Windows-WinRM/Operational)

Additional Settings

  • Source host

    • Execution history (audit policy, Sysmon)

    • Communication via 5985/tcp (audit policy, Sysmon)

  • Destination Host

    • Execution history (audit policy, Sysmon)

    • Communication via 5985/tcp (audit policy, Sysmon)

Evidence That Can Be Confirmed When Execution is Successful

  • Source host/destination host: Event log "Application and Service\Microsoft\Windows\Windows Remote Management\Operational"

PreviousServicesNextWinRM

Last updated