Query Details
# *Detect Unknown process launched via WinRM*
## Query Information
#### MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
| --- | --- | --- |
| T1021.006 | Remote Services: Windows Remote Management | https://attack.mitre.org/techniques/T1021/006/ |
#### Description
An unknown process launched by the WinRM host process on a server might indicate that a malicious actor is spreading malware across servers via the WinRM protocol.
#### Risk
This detection targets malware being dropped onto servers over the WinRM protocol.
#### Author
- **Name:** Robbe Van den Daele
- **Github:** https://github.com/RobbeVandenDaele
- **Twitter:** https://x.com/RobbeVdDaele
- **LinkedIn:** https://www.linkedin.com/in/robbe-van-den-daele-677986190/
- **Website:** https://hybridbrothers.com/
#### References
- https://thecollective.eu/
## Defender XDR
```KQL
DeviceProcessEvents
// Child processes of the WinRM host process (wsmprovhost.exe)
| where InitiatingProcessFileName =~ "wsmprovhost.exe"
// Enrich up to 1000 rows with file prevalence (the default enriches only 100, leaving the rest without a value)
| invoke FileProfile(SHA1, 1000)
// Rows without a prevalence value (never-seen hashes) do not satisfy `< 1000` and drop out here
| where GlobalPrevalence < 1000
// Correlate with accepted inbound connections on the WinRM listener ports (LocalPort is an int column)
| join kind=leftouter (
    DeviceNetworkEvents
    | where ActionType == "InboundConnectionAccepted"
    | where LocalPort in (5985, 5986)
    | distinct RemoteIP, DeviceId
) on DeviceId
// The join duplicates the key column as DeviceId1; drop it
| project-away DeviceId1
```
This query is designed to detect potentially malicious activity on a network by identifying unknown processes launched via Windows Remote Management (WinRM). Here's a simplified breakdown of what the query does:
- **Data source:** The query analyzes DeviceProcessEvents, which logs process-related activity on devices.
- **Filter for WinRM processes:** It specifically looks for processes initiated by wsmprovhost.exe, the host process for WinRM sessions.
- **Check process prevalence:** It uses the FileProfile(SHA1) function to look up the global prevalence of each process image. A file seen fewer than 1000 times globally is considered uncommon or unknown, which could indicate a potential threat.
- **Network connection check:** The query then looks at DeviceNetworkEvents for accepted inbound connections on ports 5985 or 5986, the standard WinRM ports.
- **Join data:** It joins the process data with the network event data on the device ID, so each rare process is correlated with the remote IPs that connected to that device over WinRM.
- **Output:** Finally, it removes the duplicated DeviceId1 column that the join produces, to clean up the output.
In essence, this query aims to identify unusual processes that are initiated through WinRM, which could be indicative of malware spreading across servers using this protocol.
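The same correlation logic, re-implemented in Python over constructed sample records so the join and prevalence behaviour can be stepped through offline. This is an added example, not the page's KQL or the author's code; the events, hashes, prevalence values and IPs are all constructed, and FILE_PROFILE stands in for the FileProfile() enrichment.

```python
from collections import defaultdict

WINRM_PORTS = {5985, 5986}        # standard WinRM HTTP/HTTPS listener ports
PREVALENCE_THRESHOLD = 1000       # same cut-off as the page's KQL

# Constructed DeviceProcessEvents rows (not real telemetry).
PROCESS_EVENTS = [
    {"DeviceId": "d1", "DeviceName": "srv01", "FileName": "updater.exe",
     "SHA1": "sha-updater", "InitiatingProcessFileName": "wsmprovhost.exe"},
    {"DeviceId": "d1", "DeviceName": "srv01", "FileName": "powershell.exe",
     "SHA1": "sha-ps", "InitiatingProcessFileName": "wsmprovhost.exe"},
    {"DeviceId": "d2", "DeviceName": "srv02", "FileName": "tool.exe",
     "SHA1": "sha-tool", "InitiatingProcessFileName": "wsmprovhost.exe"},
    {"DeviceId": "d3", "DeviceName": "srv03", "FileName": "agent.exe",
     "SHA1": "sha-agent", "InitiatingProcessFileName": "wsmprovhost.exe"},
]
# Constructed stand-in for FileProfile(SHA1): SHA1 -> GlobalPrevalence (None = no prevalence record).
FILE_PROFILE = {"sha-updater": 3, "sha-ps": 2_500_000, "sha-tool": None, "sha-agent": 12}
# Constructed DeviceNetworkEvents rows.
NETWORK_EVENTS = [
    {"DeviceId": "d1", "ActionType": "InboundConnectionAccepted", "LocalPort": 5985, "RemoteIP": "10.0.0.5"},
    {"DeviceId": "d1", "ActionType": "ConnectionSuccess", "LocalPort": 443, "RemoteIP": "10.0.0.9"},
    {"DeviceId": "d2", "ActionType": "InboundConnectionAccepted", "LocalPort": 5986, "RemoteIP": "10.0.0.7"},
]

def winrm_sources(network_events):
    # distinct RemoteIP, DeviceId for accepted inbound connections on the WinRM ports
    sources = defaultdict(set)
    for ev in network_events:
        if ev["ActionType"] == "InboundConnectionAccepted" and ev["LocalPort"] in WINRM_PORTS:
            sources[ev["DeviceId"]].add(ev["RemoteIP"])
    return sources

def detect(process_events, file_profile, network_events, include_unknown=False):
    """One row per (rare WinRM-spawned process, RemoteIP); RemoteIP is None when the
    device had no accepted inbound WinRM connection, mirroring join kind=leftouter."""
    sources = winrm_sources(network_events)
    hits = []
    for ev in process_events:
        if ev["InitiatingProcessFileName"].lower() != "wsmprovhost.exe":
            continue
        prevalence = file_profile.get(ev["SHA1"])
        # In KQL `null < 1000` is not true, so a hash with no prevalence record drops out of the
        # page's query; include_unknown=True mirrors `isnull(GlobalPrevalence) or GlobalPrevalence < 1000`.
        if prevalence is None and not include_unknown:
            continue
        if prevalence is not None and prevalence >= PREVALENCE_THRESHOLD:
            continue
        for ip in sorted(sources.get(ev["DeviceId"], {None})):
            hits.append({"DeviceName": ev["DeviceName"], "FileName": ev["FileName"],
                         "GlobalPrevalence": prevalence, "RemoteIP": ip})
    return hits
```

Running `detect(PROCESS_EVENTS, FILE_PROFILE, NETWORK_EVENTS)` flags updater.exe on srv01 (with the connecting IP) and agent.exe on srv03 (no WinRM connection recorded, so RemoteIP is None), while tool.exe is only reported when the no-prevalence case is included.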

Robbe Van den Daele
Released: January 12, 2026