Channel:
Microsoft-Windows-Windows Remote Management/Operational.
Events: 2, 4, 6, 8, 12, 15, 16, 30, 31, 33, 80, 162, 166.
Microsoft-Windows-Windows Remote Management/Operational.
Events: 2, 4, 6, 8, 12, 15, 16, 30, 31, 33, 80, 162, 166.
Overview
| Channel | Conditions | Events |
|---|---|---|
Channel: Microsoft-Windows-Windows Remote Management/Operational EVTX file: Microsoft-Windows-WinRM\Operational.evtx |
Default configuration (starting with PowerShell 2.0). | Event 6: Creating WSMan Session. The connection string is: <IP_ADDRESS | HOSTNAME>/wsman?PSVersion=XXX. Logged whenever an attempt, successful or not, was made to open a WinRM session. This event does NOT necessarily indicates that a WinRM session was opened on the remote host. Information of interest: - Domain and username of the currently logged-in user on the source host (not necessarily the credentials that were used to attempt to open the WinRM session on the remote host). - The remote host IP address or hostname. |
Channel: Microsoft-Windows-Windows Remote Management/Operational EVTX file: Microsoft-Windows-WinRM\Operational.evtx |
Default configuration (starting with PowerShell 2.0). | Multiple events are generated during the life-cycle of a WinRM session: Event 2: Initializing WSMan API. Event 4: Deinitializing WSMan API. Event 8: Closing WSMan Session. Event 15: Closing WSMan command. Event 16: Closing WSMan shell. Event 30: Deinitialization of WSMan API completed successfuly. Event 31: WSMan Create Session operation completed successfuly. Event 33: Closing WSMan Session completed successfully. These events do not provide information on the session, the remote host, or the remote user. Only the domain and username of the currently logged-in user on the source host are specified. |
Channel: Microsoft-Windows-Windows Remote Management/Operational EVTX file: Microsoft-Windows-WinRM\Operational.evtx |
Default configuration (starting with PowerShell 2.0). | Event 162: Authenticating the user failed. The credentials didn't work. Indicates that an attempt to open a WinRM session failed because the provided credentials were invalid. Information of interest: - Domain and username of the currently logged-in user on the source host. - The event usually occurs in very close proximity (i.e. same second) to an event 6, allowing correlation and deduction of the remote host. |
Channel: Microsoft-Windows-Windows Remote Management/Operational EVTX file: Microsoft-Windows-WinRM\Operational.evtx |
Default configuration (starting with PowerShell 2.0). | Event 12: WSMan shell creation failed, error code 2150858980. Indicates that an attempt to open a WinRM session failed because the authentication schema is not Kerberos, the transport protocol is not HTTPS, or the remote host is not added in the TrustedHosts registry key on the source host. This error usually occurs when authentication is conducted in NTLM (whenever the remote host IP address is specified instead of an hostname) or for nested / double hop remote access. Information of interest: - Domain and username of the currently logged-in user on the source host. - The event usually occurs in very close proximity (i.e. same second) to an event 6, allowing correlation and deduction of the remote host. |
Channel: Microsoft-Windows-Windows Remote Management/Operational EVTX file: Microsoft-Windows-WinRM\Operational.evtx |
Default configuration (PowerShell 2.0 only). | Event 166: The chosen authentication mechanism is <AUTHENTICATION_SCHEMA>. Indicates the authentication schema, such as Negotiate, used to authenticate the WinRM session. Information of interest: - Domain and username of the currently logged-in user on the source host. - The event usually occurs in very close proximity (i.e. same second) to an event 6, allowing correlation and deduction of the remote host. |
Channel: Microsoft-Windows-Windows Remote Management/Operational EVTX file: Microsoft-Windows-WinRM\Operational.evtx |
Default configuration (PowerShell 2.0 only). | Event 80: Sending the request for operation DeleteShell to destination machine and port <IP_ADDRESS | HOSTNAME>:<5985 | 5986>. Information of interest: - Domain and username of the currently logged-in user on the source host. |
More information on the PowerShell code executed can be available if
Module Logging and / or Script Block Logging are enabled. For more
information, refer to the PowerShell activity page.
View on GitHub