MITRE ATT&CK® Analytic

AN1313: Analytic 1313

Adversaries using WinRM to remotely execute commands, launch child processes, or access WMI. The detection chain includes service use, network activity, remote session logon, and process creation within a short temporal window.

Enterprise | AN1313 | Analytic | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because WinRM is a legitimate Windows remote administration path that can also support remote command execution. For leaders, the practical issue is not simply whether WinRM exists, but whether the organization can distinguish authorized administration from suspicious remote execution by correlating service use, network activity, remote session logon, and child process creation in a short time window.

Executive priority

Prioritize this as a validation point for Windows remote administration governance and SOC readiness. Ask whether WinRM use is expected, restricted, monitored, and reviewable during incidents. The business value is stronger evidence for incident triage, audit defensibility around administrative access, and faster containment decisions when remote execution is suspected.

Technical view

ATT&CK describes AN1313 as a Windows detection analytic for adversaries using WinRM to remotely execute commands, launch child processes, or access WMI. SOC and detection teams should validate that they can correlate WinRM-related service and network activity with remote session logons and process creation inside a short temporal window. On Windows the join points are stable: WinRM listens on TCP 5985 (HTTP) and 5986 (HTTPS), an inbound WinRM session produces a network logon on the target (Security event 4624, logon type 3) that carries the client address and account, and commands dispatched through a remote shell run as children of wsmprovhost.exe. Because the object supplies no official detection logic, local implementation must still define the event sources, the timing window, allowlists, and expected administrator behavior.

Likely telemetry

  • Windows service activity related to WinRM (the WinRM service starting, or the Microsoft-Windows-WinRM/Operational log recording session and shell creation)
  • Network connections associated with WinRM remote management (TCP 5985 for HTTP, 5986 for HTTPS, from endpoint network telemetry or firewall logs)
  • Remote session logon events on Windows hosts (Security event 4624 with logon type 3, carrying the source address and account)
  • Process creation events, especially child processes spawned during remote sessions (on the WinRM target these appear under wsmprovhost.exe)
  • WMI access or execution evidence where collected

Detection direction

  • Validate correlation across service use, network activity, remote logon, and process creation rather than relying on any single event class.
  • Baseline approved WinRM administration patterns to reduce false positives from IT operations and management tooling.
  • Tune for short-window event chains that show remote session establishment followed by command or child process execution.
  • Check blind spots where process creation logging, remote logon visibility, or network telemetry is missing or not centrally collected.
  • Because no ATT&CK relationship context or detection pseudocode is supplied, map this analytic to local Windows logging and SIEM fields before treating it as coverage evidence.
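To make the telemetry list and the detection direction above concrete, here is an added correlation example in Python. It is not MITRE's analytic logic and not Glexia's code. The event classes, field names, the 120-second window, the allowlist of approved (source IP, account) pairs and the JSON log lines are all constructed for the example. It relies on three documented Windows facts: WinRM listens on TCP 5985/5986, an inbound session produces Security event 4624 with logon type 3 on the target, and remote shell commands run as children of wsmprovhost.exe. Treating a WinRM/Operational event as the "service" stage is an assumption to check against your own collector.

```python
"""Correlate the WinRM remote-execution chain across telemetry classes.

Added example for this page; not MITRE's analytic logic or Glexia's code.
Field names, event classes, the window and the sample log are constructed.
Documented facts relied on: WinRM uses TCP 5985/5986, a remote session is a
4624 logon type 3 on the target, and shell commands are wsmprovhost.exe children.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)   # "short temporal window"; assumed value
WINRM_PORTS = {5985, 5986}        # WinRM HTTP / HTTPS listeners
MIN_STAGES = 3                    # process + at least two other classes

# Constructed baseline of approved administration: (source IP, account).
APPROVED = {("10.0.0.5", "sccm-svc@corp.example")}

# Constructed sample log, one normalised JSON event per line.
SAMPLE_LOG = """
{"ts":"2024-05-01T10:00:00","host":"SRV01","class":"network","src_ip":"10.0.0.5","dst_port":5985}
{"ts":"2024-05-01T10:00:01","host":"SRV01","class":"logon","logon_type":3,"account":"sccm-svc@corp.example","src_ip":"10.0.0.5"}
{"ts":"2024-05-01T10:00:02","host":"SRV01","class":"winrm","event_id":91}
{"ts":"2024-05-01T10:00:03","host":"SRV01","class":"process","parent":"wsmprovhost.exe","image":"powershell.exe","account":"sccm-svc@corp.example"}
{"ts":"2024-05-01T11:30:00","host":"SRV02","class":"network","src_ip":"10.0.7.44","dst_port":5985}
{"ts":"2024-05-01T11:30:01","host":"SRV02","class":"logon","logon_type":3,"account":"jdoe@corp.example","src_ip":"10.0.7.44"}
{"ts":"2024-05-01T11:30:02","host":"SRV02","class":"winrm","event_id":91}
{"ts":"2024-05-01T11:30:04","host":"SRV02","class":"process","parent":"wsmprovhost.exe","image":"cmd.exe","account":"jdoe@corp.example"}
{"ts":"2024-05-01T15:00:00","host":"SRV02","class":"process","parent":"explorer.exe","image":"cmd.exe","account":"jdoe@corp.example"}
{"ts":"2024-05-01T16:00:00","host":"SRV03","class":"process","parent":"wsmprovhost.exe","image":"whoami.exe","account":"svc-backup@corp.example"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with datetime timestamps, oldest first."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def winrm_execution_chains(events, window=WINDOW, approved=APPROVED):
    """Return alerts, allowlisted chains and partial chains (telemetry gaps).

    Each chain is anchored on a child of wsmprovhost.exe; the other event
    classes are looked up on the same host within `window` before it.
    """
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)

    result = {"alerts": [], "allowlisted": [], "partial": []}
    for host, host_events in by_host.items():
        for proc in host_events:
            if proc["class"] != "process" or proc.get("parent", "").lower() != "wsmprovhost.exe":
                continue
            earliest = proc["ts"] - window
            recent = [e for e in host_events if earliest <= e["ts"] <= proc["ts"]]

            stages = {"process"}
            src_ip = None
            account = proc.get("account")
            for e in recent:
                if e["class"] == "network" and e.get("dst_port") in WINRM_PORTS:
                    stages.add("network")
                    src_ip = src_ip or e.get("src_ip")
                elif e["class"] == "logon" and e.get("logon_type") == 3 and e.get("account") == account:
                    stages.add("logon")
                    src_ip = e.get("src_ip")   # the logon's client address is authoritative
                elif e["class"] == "winrm":
                    stages.add("service")

            chain = {"host": host, "account": account, "src_ip": src_ip,
                     "image": proc["image"], "stages": sorted(stages), "ts": proc["ts"]}
            if len(stages) < MIN_STAGES:
                result["partial"].append(chain)      # review for missing log sources
            elif (src_ip, account) in approved:
                result["allowlisted"].append(chain)  # baseline admin path, kept for audit
            else:
                result["alerts"].append(chain)
    return result


if __name__ == "__main__":
    for kind, chains in winrm_execution_chains(parse_events(SAMPLE_LOG)).items():
        for c in chains:
            print(f"{kind:11} {c['host']} {c['account']} from {c['src_ip']} -> {c['image']} {c['stages']}")
```

Running the script prints three buckets. The alert is SRV02: a network connection to 5985, a type 3 logon and a WSMan shell all precede cmd.exe under wsmprovhost.exe within the window, and the (source, account) pair is not in the baseline. SRV01 shows the same chain but is recorded as allowlisted rather than dropped, so approved administration stays reviewable. SRV03 is the blind-spot case from the list above: a wsmprovhost.exe child with no logon or network event inside the window points at missing 4624 or network collection on that host, not at a benign session, and belongs in a logging-gap review rather than a closed ticket.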

Mitigation priorities

  • Define and document where WinRM is authorized for administration.
  • Restrict remote administration access to approved accounts, hosts, and management paths where feasible.
  • Ensure Windows endpoints produce the telemetry needed for remote logon, service, network, WMI, and process correlation.
  • Review privileged access and administrative tool usage so detections can separate routine operations from unusual activity.
  • Use incident response playbooks to investigate correlated WinRM remote execution events quickly and consistently.

Analyst notes and limits

This take is based on the supplied ATT&CK analytic description for AN1313 only. The key decision value is validating whether defenders can correlate multiple Windows telemetry classes around WinRM remote execution behavior and whether normal administrative use is well understood.

The object provides no official detection logic, no tactics, no relationships, and no external context beyond the MITRE reference. Local logging configuration, administrative baselines, and SIEM data quality are required to determine actual detection coverage.

Official MITRE ATT&CK definition

Analytic 1313

Adversaries using WinRM to remotely execute commands, launch child processes, or access WMI. The detection chain includes service use, network activity, remote session logon, and process creation within a short temporal window.

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table below compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (no value in the mirrored snapshot)
Modified: (no value in the mirrored snapshot)
Raw hash: bcbe84c3b743dfb5...
Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   bcbe84c3b743…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] mitre-attack AN1313

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.