Port 5985 (TCP) – WinRM (HTTP)
Windows Remote Management over HTTP — PowerShell Remoting and remote administration of Windows hosts.
Default state
Open on hosts where WinRM/PowerShell Remoting is enabled (default on Windows Server). Carries SOAP over HTTP; the message body is encrypted only when Kerberos/Negotiate authentication is used, not with Basic auth.
Common attacks
- Evil-WinRM lateral movement with creds or hashes
- Pass-the-hash authentication over WinRM
- Credential brute force / password spraying
- Remote command execution after compromise
Hardening
- Prefer WinRM over HTTPS (5986) with valid certificates
- Restrict WinRM to trusted admin/jump hosts via firewall
- Disable Basic auth; require Kerberos/Negotiate
- Limit Remote Management Users and use JEA where possible
- Enforce MFA-backed privileged accounts and strong passwords
nmap snippet
nmap -p5985 --script http-title,http-auth <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 5985?
Port 5985 is WinRM (Windows Remote Management) over HTTP, Microsoft's implementation of the WS-Management protocol. It is the transport behind PowerShell Remoting (Enter-PSSession, Invoke-Command) and remote administration tooling, carrying SOAP messages that let administrators run commands and manage configuration on remote Windows hosts. It is enabled by default on Windows Server and is common throughout Active Directory environments.
Why it matters for security
WinRM grants remote command execution on a host, so it is a high-value target and a favored lateral-movement channel. Because it accepts NTLM and Kerberos authentication, an attacker holding valid credentials — or just an NTLM hash — can authenticate and run commands without ever knowing the plaintext password. That makes 5985 a natural next hop after credential theft, and the open-source Evil-WinRM tool makes the workflow trivial.
How it's attacked
After harvesting credentials or hashes, attackers use Evil-WinRM or native PowerShell Remoting to connect to 5985 and execute commands, moving from host to host across the domain. Pass-the-hash works directly over WinRM, and exposed endpoints face brute force / password spraying. Once connected, operators run reconnaissance, dump credentials, and deploy payloads remotely.
Hardening checklist
Prefer WinRM over HTTPS (5986) with valid certificates so the transport is encrypted end to end. Firewall 5985 to trusted admin and jump hosts only. Disable Basic authentication and require Kerberos/Negotiate. Limit membership of Remote Management Users, deploy Just Enough Administration (JEA) to constrain what remote sessions can do, and back privileged accounts with MFA and strong passwords. The nmap scripts above probe the HTTP endpoint and auth methods on systems you are authorized to test.
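The following PowerShell is an added example, not part of this reference, that applies the checklist above to one host: it assumes an elevated session on the host itself, a server-authentication certificate already installed in Cert:\LocalMachine\My (the thumbprint is a placeholder), and a jump-host subnet of 10.0.100.0/24 (also a placeholder). The built-in firewall rule name is the one Windows Server ships for WinRM HTTP; confirm it with Get-NetFirewallRule before relying on it.

```powershell
# Added hardening example for WinRM (not from the original page).
# Run elevated on the host being hardened.
$Thumbprint   = 'REPLACE-WITH-CERT-THUMBPRINT'   # placeholder: cert in Cert:\LocalMachine\My
$JumpHostCidr = '10.0.100.0/24'                  # placeholder: trusted admin/jump-host subnet

# 1. Record the starting state so the change is auditable.
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys

# 2. Disable Basic auth; keep Kerberos and Negotiate (NTLM fallback) only.
Set-Item -Path WSMan:\localhost\Service\Auth\Basic     -Value $false
Set-Item -Path WSMan:\localhost\Service\Auth\Kerberos  -Value $true
Set-Item -Path WSMan:\localhost\Service\Auth\Negotiate -Value $true
# Refuse sessions that would carry an unencrypted message body.
Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false

# 3. Create an HTTPS listener on 5986 bound to the certificate.
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -CertificateThumbPrint $Thumbprint -Force

# 4. Remove the HTTP listener so 5985 stops answering at all.
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    Remove-Item -Recurse

# 5. Scope inbound WinRM to the jump-host subnet (both profiles of the
#    built-in HTTP rule, plus a new rule for 5986).
Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' `
    -RemoteAddress $JumpHostCidr -Enabled True
New-NetFirewallRule -DisplayName 'WinRM HTTPS from jump hosts' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -RemoteAddress $JumpHostCidr -Action Allow

# 6. Review who can open remote sessions without being a local admin.
Get-LocalGroupMember -Group 'Remote Management Users' | Select-Object Name, PrincipalSource

# 7. Confirm the result: Basic should be false and only an HTTPS listener should remain.
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
```

Step 4 will drop any existing PowerShell Remoting session over 5985, so run it from a console or an HTTPS session, and apply JEA separately with Register-PSSessionConfiguration once the transport is locked down.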
Related ports
Frequently asked questions
- What is port 5985 used for?
- Port 5985 is WinRM over HTTP — the transport for PowerShell Remoting and remote Windows administration via WS-Management/SOAP.
- Is WinRM on port 5985 encrypted?
- The transport is HTTP, but with Kerberos/Negotiate the message payload is encrypted. Basic auth over plain 5985 is not — use HTTPS on 5986 for full transport encryption.