Rare WinRM Session

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Lateral Movement (TA0008)

ATT&CK Technique

Remote Services: Windows Remote Management (T1021.006)

Severity

Informational

Description

Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote system. WinRM sessions can be established using WinRM/WinRS commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.

Attacker's Goals

Windows Remote Management (WinRM) enables users to interact with remote systems in different ways, including running executables on the remote endpoint. WinRM sessions can be established using winrm/winrs commands or programs such as PowerShell. Attackers can use WinRM to execute code and move laterally within a compromised network.

Investigative actions

Investigate the endpoints participating in the session.