detection.wiki

Microsoft-Windows-WinRM › Event 47

Event ID 47 — The WinRM protocol session began an operation of type operationType to the server.

Provider
Microsoft-Windows-WinRM
Channel
Operational
Level
Informational
Task
WinRMMIOperation
Opcode
Start

Description

The WinRM protocol session began an operation of type operationType to the server. The operation accesses class className under the namespaceName namespace.

Message #

The WinRM protocol session began an operation of type %1 to the server. The operation accesses class %3 under the %2 namespace.

Fields #

NameDescription
operationType UnicodeString
namespaceName UnicodeString
className UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-WinRM",
    "guid": "A7975C8F-AC13-49F1-87DA-5A984A4AB417",
    "event_source_name": "",
    "event_id": 47,
    "version": 0,
    "level": 4,
    "task": 16,
    "opcode": 1,
    "keywords": 4611686018427387906,
    "time_created": "2022-04-07T17:38:36.268345+00:00",
    "event_record_id": 278,
    "correlation": {
      "ActivityID": "E0AAB88C-4A9F-0001-B210-ABE09F4AD801"
    },
    "execution": {
      "process_id": 4444,
      "thread_id": 4432
    },
    "channel": "Microsoft-Windows-WinRM/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "operationType": "GetClass",
    "namespaceName": "root/microsoft/windows/smb",
    "className": "MSFT_SmbServerConfiguration"
  },
  "message": ""
}

References #