Remote PowerShell Sessions Network Connections (WinRM)

Sigma Rules

Summary
This detection rule identifies instances of basic PowerShell Remoting, also known as Windows Remote Management (WinRM), by monitoring inbound network connections to the ports associated with WinRM traffic (5985 for HTTP and 5986 for HTTPS). The rule leverages Event ID 5156, which is generated when the Windows Filtering Platform allows a connection, to track both legitimate and suspicious activity related to PowerShell Remoting. Its selection criteria are the event ID and the destination port, which together are typical indicators of PowerShell being used for remote execution. Any connection matched on these ports can therefore signify either legitimate administrative activity or an attempt to abuse WinRM, so matches need to be triaged against expected management hosts.
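The selection logic described above, applied to a handful of constructed Event ID 5156 records. This is an added illustration, not the Sigma rule itself or any project code; the flattened key=value record format and the field names (EventID, Direction, DestPort, ...) are assumptions about how a log shipper might export Security events.

```python
"""Added example: the page's WinRM detection logic run over constructed
Event ID 5156 records. Field names and record format are assumptions."""
from typing import Iterable

WINRM_PORTS = {5985, 5986}   # HTTP and HTTPS WinRM listeners named on the page
WFP_CONNECT_ALLOWED = 5156   # Windows Filtering Platform permitted a connection

# Constructed sample records (not real telemetry): two WinRM hits, one SMB
# connection, one outbound WinRM connection, one non-5156 event.
SAMPLE_LOG = """\
EventID=5156 Direction=Inbound SourceAddress=10.0.0.25 SourcePort=49812 DestAddress=10.0.0.10 DestPort=5985
EventID=5156 Direction=Inbound SourceAddress=10.0.0.31 SourcePort=51044 DestAddress=10.0.0.10 DestPort=5986
EventID=5156 Direction=Inbound SourceAddress=10.0.0.25 SourcePort=49900 DestAddress=10.0.0.10 DestPort=445
EventID=5156 Direction=Outbound SourceAddress=10.0.0.10 SourcePort=50010 DestAddress=10.0.0.40 DestPort=5985
EventID=5158 Direction=Inbound SourceAddress=10.0.0.25 SourcePort=49813 DestAddress=10.0.0.10 DestPort=5985
"""


def parse_record(line: str) -> dict:
    """Turn one key=value line into a dict; EventID and ports become ints."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    for key in ("EventID", "SourcePort", "DestPort"):
        rec[key] = int(rec[key])
    return rec


def matches_winrm_rule(rec: dict) -> bool:
    """Selection from the page: an allowed (5156) inbound connection to 5985/5986."""
    return (rec["EventID"] == WFP_CONNECT_ALLOWED
            and rec["Direction"] == "Inbound"
            and rec["DestPort"] in WINRM_PORTS)


def find_winrm_sessions(lines: Iterable[str]) -> list:
    """Return (source, destination, port) for every record the rule selects."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if matches_winrm_rule(rec):
            hits.append((rec["SourceAddress"], rec["DestAddress"], rec["DestPort"]))
    return hits


if __name__ == "__main__":
    for src, dst, port in find_winrm_sessions(SAMPLE_LOG.splitlines()):
        print(f"WinRM session candidate: {src} -> {dst}:{port}")
```

Matches include routine administration from management hosts, so a baseline of expected source addresses is the natural companion to this rule before it is turned into an alert.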
Categories
  • Windows
  • Network
Data Sources
  • Network Traffic
  • Application Log
  • Windows Registry
Created: 2019-09-12