Query Details

Detect Unknown process launched via WinRM

Detect Unkown Process Launched Via Win RM

Query

DeviceProcessEvents
| where InitiatingProcessFileName contains "wsmprovhost.exe"
| invoke FileProfile(SHA1)
| where GlobalPrevalence < 1000
| join kind=leftouter (
    DeviceNetworkEvents
    | where ActionType == "InboundConnectionAccepted"
    | where LocalPort in ("5985", "5986")
    | distinct RemoteIP, DeviceId
) on DeviceId
| project-away DeviceId1

About this query

Detect Unknown process launched via WinRM

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1021.006Remote Services: Windows Remote Managementhttps://attack.mitre.org/techniques/T1021/006/

Description

When an unknown process is being launched from the WinRM service on a server, this might indicate a malicious actor spreading malware on various servers via the WinRM protocol.

Risk

This detection tries to detect malware being dropped over the WinRM protocol.

Author <Optional>

References

Defender XDR

Explanation

This query is designed to detect potentially malicious activity on a network by identifying unknown processes launched via Windows Remote Management (WinRM). Here's a simplified breakdown of what the query does:

  1. Data Source: The query analyzes data from DeviceProcessEvents, which logs process-related activities on devices.

  2. Filter for WinRM Processes: It specifically looks for processes initiated by wsmprovhost.exe, which is associated with WinRM.

  3. Check Process Prevalence: It uses a function FileProfile(SHA1) to check the global prevalence of these processes. If a process has been seen less than 1000 times globally, it is considered uncommon or unknown, which could indicate a potential threat.

  4. Network Connection Check: The query then looks at DeviceNetworkEvents to find any inbound network connections on ports 5985 or 5986, which are standard ports for WinRM. It filters for events where a connection was accepted.

  5. Join Data: It joins the process data with the network event data based on the device ID to correlate processes with network activity.

  6. Output: Finally, it removes duplicate device IDs from the results to clean up the output.

In essence, this query aims to identify unusual processes that are initiated through WinRM, which could be indicative of malware spreading across servers using this protocol.

Details

Robbe Van den Daele profile picture

Robbe Van den Daele

Released: January 12, 2026

Tables

DeviceProcessEventsDeviceNetworkEvents

Keywords

DeviceProcessEventsFileProfileNetwork

Operators

containsinvokewherejoinkind=leftouterindistinctonproject-away

MITRE Techniques

Actions

GitHub