Rare WinRM Session

The Rare WinRM Session Analytics alert indicates that a process performed a rare Windows Remote Management (WinRM) session to a remote endpoint and port.

Synopsis

10 minutes
3 days
14 days
10 minutes
Cortex XDR agent endpoint data
Severity
Varies by activity (High, Medium, or Low).

Description

A process performed a rare Windows Remote Management (WinRM) session to a remote endpoint and port. For additional context, this alert identifies the full command used to start the process and the total number of endpoints on which the command was run in the last 14 days.
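The following is an added illustration, not Cortex XDR's own detection logic: a simplified baseline that flags a WinRM session (destination port 5985 or 5986) whose source host, process, destination and port combination has not been seen in the lookback window, and attaches the full command line plus the number of endpoints that ran that command in the last 14 days. The events, host names, the 7-day activation period and the event field names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINRM_PORTS = {5985, 5986}  # WinRM HTTP / HTTPS listener ports

def _ev(day, src, proc, cmd, dst, port):
    """Build one constructed endpoint network-connection event."""
    return {"ts": datetime(2024, 1, 1) + timedelta(days=day), "src_host": src,
            "process": proc, "cmdline": cmd, "dst_host": dst, "dst_port": port}

# Constructed sample data: a management host runs the same remoting command
# against FS01 every day; on day 20 two workstations open a WinRM session to
# FS01 for the first time.
PS = "powershell.exe"
EVENTS = [_ev(d, "MGMT01", PS, f"{PS} Invoke-Command -ComputerName FS01", "FS01", 5985)
          for d in range(20)] + [
    _ev(20, "WKS07", PS, f"{PS} Enter-PSSession -ComputerName FS01", "FS01", 5985),
    _ev(20, "WKS09", PS, f"{PS} Enter-PSSession -ComputerName FS01", "FS01", 5985),
    _ev(21, "MGMT01", PS, f"{PS} Invoke-Command -ComputerName FS01", "FS01", 5985),
]

def find_rare_winrm_sessions(events, lookback_days=14, activation_days=7):
    """Flag WinRM sessions whose (source host, process, destination, port)
    combination was not seen in the previous `lookback_days`. Nothing is
    flagged during the first `activation_days` so that a baseline exists.
    Each alert carries the full command line and the number of distinct
    source endpoints that ran that exact command in the lookback window."""
    winrm = sorted((e for e in events if e["dst_port"] in WINRM_PORTS),
                   key=lambda e: e["ts"])
    if not winrm:
        return []
    activated = winrm[0]["ts"] + timedelta(days=activation_days)
    seen = defaultdict(list)       # session key -> timestamps
    cmd_hosts = defaultdict(list)  # command line -> (timestamp, src_host)
    alerts = []
    for e in winrm:
        key = (e["src_host"], e["process"], e["dst_host"], e["dst_port"])
        start = e["ts"] - timedelta(days=lookback_days)
        is_rare = not any(t >= start for t in seen[key])
        seen[key].append(e["ts"])
        cmd_hosts[e["cmdline"]].append((e["ts"], e["src_host"]))
        if is_rare and e["ts"] >= activated:
            hosts = {h for t, h in cmd_hosts[e["cmdline"]] if t >= start}
            alerts.append({"src_host": e["src_host"], "process": e["process"],
                           "dst": f'{e["dst_host"]}:{e["dst_port"]}',
                           "cmdline": e["cmdline"], "endpoint_count": len(hosts)})
    return alerts
```

On the sample data the daily MGMT01 sessions never alert (the first one falls inside the activation period, later ones match the baseline), while the two workstation sessions on day 20 are flagged with endpoint counts of 1 and 2.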

Attacker's Goals

Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote endpoint. WinRM sessions can be established using winrm/winrs commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.
