WinRS

WinRSjpcertcc.github.io

Standard Settings

• Source host

  • Execution history (Prefetch)

  • WinRM execution history (Microsoft-Windows-WinRM/Operational)

• Destination Host

  • Execution history (Prefetch)

  • WinRM execution history (Microsoft-Windows-WinRM/Operational)

Additional Settings

• Source host

  • Execution history (audit policy, Sysmon)

  • Communication via 5985/tcp (audit policy, Sysmon)

• Destination Host

  • Execution history (audit policy, Sysmon)

  • Communication via 5985/tcp (audit policy, Sysmon)

Evidence That Can Be Confirmed When Execution is Successful

• Source host/destination host: Event log "Application and Service\Microsoft\Windows\Windows Remote Management\Operational"