Networking
- Networking
Windows
Linux
Enterprise Architecture
Mac
- Forensics
  - Page 3
Attacker Information
IR Playbook
- Activity from Unmanaged Host
- Recommendations
Reverse Engineering
- Python - Pyinstaller

Powered by GitBook

On this page

Standard Settings
Additional Settings
Evidence That Can Be Confirmed When Execution is Successful

WinRS

PreviousServices NextWinRM

Last updated 11 months ago

Standard Settings

Source host
- Execution history (Prefetch)
- WinRM execution history (Microsoft-Windows-WinRM/Operational)
Destination Host
- Execution history (Prefetch)
- WinRM execution history (Microsoft-Windows-WinRM/Operational)

Additional Settings

Source host
- Execution history (audit policy, Sysmon)
- Communication via 5985/tcp (audit policy, Sysmon)
Destination Host
- Execution history (audit policy, Sysmon)
- Communication via 5985/tcp (audit policy, Sysmon)

Evidence That Can Be Confirmed When Execution is Successful

Source host/destination host: Event log "Application and Service\Microsoft\Windows\Windows Remote Management\Operational"