Port reference
Port 5986 (TCP) – WinRM over HTTPS
TLS-encrypted Windows Remote Management (WS-Management) endpoint, the secure counterpart of plaintext WinRM on 5985.
Default state
Not listening unless WinRM is configured for HTTPS. When enabled it requires valid Windows credentials; the channel is encrypted, unlike 5985 over HTTP.
Common attacks
- Credential-based lateral movement via Evil-WinRM and similar tools
- Password spraying and brute-force of Windows accounts
- Pass-the-hash / NTLM relay to obtain a remote PowerShell session
- Abuse of over-privileged service accounts for remote command execution
Hardening
- Prefer 5986 (HTTPS) over 5985 (HTTP) and disable plaintext WinRM
- Restrict WinRM to management networks/jump hosts via firewall
- Require strong, unique credentials and enforce MFA where possible
- Limit Remote Management privileges; avoid broad local-admin reuse
- Use valid TLS certificates and monitor for anomalous WinRM logons
nmap snippet
nmap -p5986 --script ssl-cert <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 5986?
Port 5986 is WinRM over HTTPS — the TLS-encrypted form of Windows Remote Management (WS-Management). It lets administrators run PowerShell and management commands remotely. It is the secure counterpart of plaintext WinRM on 5985: same service, but the session is protected by TLS instead of riding over clear HTTP.
Why it matters for security
WinRM hands out a remote PowerShell session, which is exactly what an attacker wants for lateral movement. The TLS on 5986 protects the channel, but it does nothing to stop an adversary who already has valid credentials. Over-privileged service accounts and reused local-admin passwords turn one stolen credential into fleet-wide access.
How it's attacked
After harvesting credentials, attackers use Evil-WinRM and similar tools to open an interactive shell on 5986. They spray and brute-force Windows accounts, and leverage pass-the-hash or NTLM relay to authenticate without the plaintext password. From there they execute commands and pivot across the domain.
Hardening checklist
Prefer 5986 (HTTPS) over 5985 (HTTP) and disable plaintext WinRM. Restrict WinRM to management networks and jump hosts via firewall, require strong, unique credentials, and enforce MFA where possible. Limit Remote Management privileges and avoid broad local-admin reuse. Use valid TLS certificates and monitor for anomalous WinRM logons. Use the nmap snippet above to check exposure on hosts you are authorized to test.
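The checklist above, carried out as an added PowerShell example (not code from the original page): it audits the WinRM listeners on a host, removes the plaintext HTTP listener, binds the HTTPS listener to a valid server-authentication certificate, scopes the firewall to a management subnet, and pulls recent remote-shell creation events for review. Run it elevated on the managed host; the hostname, management subnet and the presence of a suitable certificate in LocalMachine\My are assumptions.

```powershell
# Added example, not from the page. Placeholders: $HostName (FQDN in the cert) and $MgmtSubnet.
$HostName   = 'server01.corp.example'   # placeholder: must match the certificate subject
$MgmtSubnet = '10.0.100.0/24'           # placeholder: jump host / management network

# 1. Audit: list every listener with its transport and address keys.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys | Format-Table -AutoSize

# 2. Remove any plaintext HTTP listener (port 5985).
Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTP' } |
    ForEach-Object { Remove-Item -Path $_.PSPath -Recurse -Force }

# 3. Choose an unexpired server-auth certificate (EKU 1.3.6.1.5.5.7.3.1) whose
#    subject matches the host; fail loudly rather than fall back to a self-signed cert.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostName*" -and $_.HasPrivateKey -and
                   $_.NotAfter -gt (Get-Date) -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid server-auth certificate for $HostName in LocalMachine\My" }

# 4. Create the HTTPS listener on 5986 if one is not already present.
$hasHttps = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if (-not $hasHttps) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbPrint $cert.Thumbprint -HostName $HostName -Force | Out-Null
}

# 5. Refuse unencrypted payloads and Basic auth at the service level.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $false

# 6. Firewall: disable the built-in WinRM (HTTP) rules and allow 5986 only from management.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName 'WinRM HTTPS (management only)' -Direction Inbound `
    -Protocol TCP -LocalPort 5986 -RemoteAddress $MgmtSubnet -Action Allow | Out-Null

# 7. Verify only an HTTPS listener remains, then review recent remote shell creations
#    (WinRM Operational event 91) as a starting point for spotting anomalous logons.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Event 91 records shell creation on the server side; correlate it with Security log 4624 network logons for the source address and account when hunting for unexpected sessions.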
Frequently asked questions
- What's the difference between port 5985 and 5986?
- Both serve WinRM (WS-Management). 5985 carries it over plain HTTP; 5986 wraps it in HTTPS/TLS. Always prefer 5986 so credentials and session data are encrypted in transit.
- Why do attackers target WinRM on 5986?
- WinRM grants a remote PowerShell session, ideal for lateral movement. With stolen or sprayed credentials, tools like Evil-WinRM give a full interactive shell on the host — even though the 5986 channel itself is encrypted.