Channels:

Microsoft-Windows-Windows Remote Management/Operational.
Event: 91.

Windows PowerShell.
Events: 400, 403, 600.
With the HostName field set to "ServerRemoteHost".

Overview

Channel: Microsoft-Windows-Windows Remote Management/Operational
EVTX file: Microsoft-Windows-WinRM\Operational.evtx
Conditions: Default configuration (starting with PowerShell 2.0).
Event 91: Creating WSMan shell on server with ResourceUri: <X>.

Indicates that a remote WinRM session was opened. The ResourceUri identifies the endpoint (session configuration) that was connected to.

Information of interest:
- Domain and username of the user that opened the session.
- Does NOT include the source host.

Channel: Windows PowerShell
EVTX file: Windows PowerShell.evtx
Conditions: Default configuration (starting with PowerShell 2.0).
Event 400: Engine state is changed from None to Available.

Logged at the start of any local or remote PowerShell activity, with the HostName field set to ServerRemoteHost for WinRM sessions.

The RunspaceId identifies the PowerShell activity and can be linked to the session termination (EID 403) carrying the same RunspaceId.

This event provides no information on the source host or on the user that performed the access.

Channel: Windows PowerShell
EVTX file: Windows PowerShell.evtx
Conditions: Default configuration (starting with PowerShell 2.0).
Event 403: Engine state is changed from Available to Stopped.

Logged at the end of any local or remote PowerShell activity, with the HostName field set to ServerRemoteHost for WinRM sessions.

The event contains the same level of information as the EID 400 event (same RunspaceId, no source host, no user).

Channel: Windows PowerShell
EVTX file: Windows PowerShell.evtx
Conditions: Default configuration (starting with PowerShell 2.0).
Event 600: Provider "<PROVIDER_NAME>" is Started.

Logs the start and stop of a PowerShell provider, with the HostName field set to ServerRemoteHost for WinRM sessions.

In a WinRM session the WSMan provider is additionally loaded, producing a 'Provider "WSMan" is Started' event.

More information on the PowerShell code executed may be available if Module Logging and / or Script Block Logging are enabled. For more information, refer to the PowerShell activity page.
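Triage script, added here as an example (it is not part of the original notes), that pulls the artifacts above from the live logs with Get-WinEvent and correlates them: EID 400 and 403 are paired by RunspaceId to obtain engine start, stop and duration, and each session is tentatively attributed to the latest EID 91 (the only one of these events that names the user) logged shortly before the engine started. The 7-day window and the 10-second pairing tolerance are assumptions, and the 91-to-400 pairing is a time-proximity heuristic, since the two channels share no identifier.

```powershell
# Added example (not from the original page): triage the destination-host
# artifacts described above from the live event logs with Get-WinEvent.
# Assumptions: run from an elevated prompt on the host holding the logs; the
# 7-day window and the 10-second 91->400 pairing tolerance are arbitrary
# choices, not documented values.
param(
    [datetime]$Start = (Get-Date).AddDays(-7),
    [datetime]$End   = (Get-Date),
    [int]$PairingToleranceSeconds = 10
)

# 1. Microsoft-Windows-WinRM/Operational EID 91: a WSMan shell was created.
#    Gives the user (System/Security UserID) and the ResourceUri, but not the
#    source host.
$shells = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91
    StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue | ForEach-Object {
    $sid  = $_.UserId
    $user = $null
    if ($sid) {
        try   { $user = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = $sid.Value }   # unresolvable SID: keep the raw value
    }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = $user
        ResourceUri = if ($_.Message -match 'ResourceUri:\s*(\S+)') { $Matches[1] } else { $null }
    }
}

# 2. Windows PowerShell EIDs 400/403/600 whose details carry
#    HostName=ServerRemoteHost, i.e. the engine was hosted by WinRM.
$remoteHost = Get-WinEvent -FilterHashtable @{
    LogName = 'Windows PowerShell'; Id = 400, 403, 600
    StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'HostName=ServerRemoteHost' }

# 3. Pair each EID 400 with the EID 403 that shares its RunspaceId.
$sessions = $remoteHost |
    Where-Object { $_.Id -in 400, 403 } |
    Group-Object { if ($_.Message -match 'RunspaceId=([0-9a-fA-F-]{36})') { $Matches[1] } else { 'unknown' } } |
    ForEach-Object {
        $open  = $_.Group | Where-Object Id -eq 400 | Sort-Object TimeCreated | Select-Object -First 1
        $close = $_.Group | Where-Object Id -eq 403 | Sort-Object TimeCreated | Select-Object -Last 1

        # 4. Heuristic: attribute a user by taking the latest EID 91 logged
        #    shortly before the engine started. Time proximity only; the two
        #    channels share no identifier, so treat the result as probable.
        $shell = $null
        if ($open) {
            $shell = $shells |
                Where-Object { $_.Time -le $open.TimeCreated -and
                               ($open.TimeCreated - $_.Time).TotalSeconds -le $PairingToleranceSeconds } |
                Sort-Object Time | Select-Object -Last 1
        }
        [pscustomobject]@{
            RunspaceId   = $_.Name
            EngineStart  = if ($open)  { $open.TimeCreated }  else { $null }
            EngineStop   = if ($close) { $close.TimeCreated } else { $null }
            Duration     = if ($open -and $close) { $close.TimeCreated - $open.TimeCreated } else { $null }
            ProbableUser = if ($shell) { $shell.User } else { '(no EID 91 within tolerance)' }
            ResourceUri  = if ($shell) { $shell.ResourceUri } else { $null }
        }
    }

# 5. Corroboration: WSMan provider loads (EID 600) hosted by ServerRemoteHost.
$wsmanLoads = $remoteHost |
    Where-Object { $_.Id -eq 600 -and $_.Message -match 'Provider "WSMan" is Started|ProviderName=WSMan' }

$sessions | Sort-Object EngineStart | Format-Table -AutoSize
"WSMan provider started {0} time(s) under ServerRemoteHost in the window." -f @($wsmanLoads).Count
```

To work on exported files instead of the live channels, replace the LogName entry in each FilterHashtable with Path = '<exported>.evtx'. Because none of these events records the source host, the resulting session list still has to be joined with data that does (for example Security log logon events or network telemetry) before the access can be traced back to its origin.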
