A process established a rare Windows Remote Management (WinRM) session to a remote endpoint and port. For additional context, this alert identifies the full command used to start the process and the total number of endpoints on which the command was run in the last 14 days.

Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote endpoint. WinRM sessions can be established using winrm/winrs commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.
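
The sketch below is an added example, not the product's own detection logic. It shows one way to flag rare WinRM sessions and attach the context this alert describes. The event layout, the sample telemetry, the use of the default WinRM ports 5985/5986 to identify sessions, and the "seen at most once in 14 days" rarity threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINRM_PORTS = {5985, 5986}    # default WinRM listeners (HTTP, HTTPS)
WINDOW = timedelta(days=14)   # lookback period stated in the alert description
RARE_MAX_SESSIONS = 1         # assumption: "rare" = tuple seen at most once in the window

# Constructed sample telemetry, not real data:
# (time, endpoint, process, command line, remote host, remote port)
EVENTS = [
    ("2024-05-01T09:00", "ADMIN-01", "powershell.exe", "powershell.exe -File patch.ps1", "10.0.0.5", 5985),
    ("2024-05-03T09:00", "ADMIN-01", "powershell.exe", "powershell.exe -File patch.ps1", "10.0.0.5", 5985),
    ("2024-05-05T09:00", "ADMIN-02", "powershell.exe", "powershell.exe -File patch.ps1", "10.0.0.5", 5985),
    ("2024-05-10T14:12", "WS-17", "winrs.exe", "winrs.exe -r:10.0.0.9 hostname", "10.0.0.9", 5985),
    ("2024-04-01T08:00", "WS-17", "winrs.exe", "winrs.exe -r:10.0.0.9 hostname", "10.0.0.9", 5985),  # outside window
    ("2024-05-10T14:13", "WS-17", "chrome.exe", "chrome.exe", "10.0.0.9", 443),  # not a WinRM port
]

def rare_winrm_sessions(events, now_iso):
    """Return an alert for each WinRM session whose (process, remote host, port) is rare."""
    now = datetime.fromisoformat(now_iso)
    recent = [e for e in events
              if e[5] in WINRM_PORTS and now - WINDOW <= datetime.fromisoformat(e[0]) <= now]
    sessions = defaultdict(int)        # (process, remote host, port) -> sessions in window
    cmd_endpoints = defaultdict(set)   # command line -> endpoints that ran it in window
    for _, endpoint, process, cmdline, rhost, rport in recent:
        sessions[(process, rhost, rport)] += 1
        cmd_endpoints[cmdline].add(endpoint)
    alerts = []
    for ts, endpoint, process, cmdline, rhost, rport in recent:
        if sessions[(process, rhost, rport)] <= RARE_MAX_SESSIONS:
            alerts.append({
                "time": ts, "endpoint": endpoint, "command_line": cmdline,
                "remote": f"{rhost}:{rport}",
                "endpoints_running_command": len(cmd_endpoints[cmdline]),
            })
    return alerts

if __name__ == "__main__":
    for alert in rare_winrm_sessions(EVENTS, "2024-05-11T00:00"):
        print(alert)
```

With the sample data, the recurring PowerShell sessions from the admin hosts form a baseline and are not reported, while the single winrs session from WS-17 is. The same PowerShell session would be reported if evaluated before that baseline existed.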