One Day Sec

What are the detection methods for identifying WinRM service running on non-standard ports like 80 or 443?

Detection involves checking for anomalies in IIS logs and network traffic. Since the WinRM service uses HTTP.sys, requests to port 80 that are not handled by IIS will still generate entries in the HTTP.sys log. Administrators can monitor for unusual URL patterns (e.g., `/wsman` paths) or sudden increases in HTTP traffic on normally passive endpoints. Additionally, reviewing URL ACLs with `netsh http show urlacl` may reveal unauthorized reservations. For more on detection and related techniques, see Testing and Analysis of Bypassing AppLocker Using LUA Scripts.
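A PowerShell pass over the two sources the answer names (URL ACL reservations and the HTTP.sys log), added here as an example rather than taken from the original post. It assumes the default HTTPERR log location and the WSMan: drive that the WinRM service exposes; the flagged ports are the WinRM defaults, so anything on 80/443 is reported.

```powershell
# Added example (not from the original answer). Run as Administrator.
$DefaultWinRmPorts = @(5985, 5986, 47001)   # WinRM HTTP, HTTPS, internal
# Parse "netsh http show urlacl": each "Reserved URL" line is followed by
# the accounts allowed to register a listener for that prefix.
function Get-UrlAclReservations {
    $reservations = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @() }
            $reservations.Add($current)
        } elseif ($null -ne $current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
    }
    return $reservations
}

# A /wsman reservation on a port outside the defaults, e.g. 80 or 443,
# deserves review together with the accounts allowed to listen on it.
function Get-SuspiciousWsmanReservations {
    foreach ($r in Get-UrlAclReservations) {
        if ($r.Url -notmatch '/wsman') { continue }
        # '+' and '*' are HTTP.sys wildcards, not hosts System.Uri accepts
        $uri = [System.Uri]($r.Url -replace '[+*]', 'localhost')
        if ($DefaultWinRmPorts -notcontains $uri.Port) {
            [pscustomobject]@{ Url = $r.Url; Port = $uri.Port; Users = ($r.Users -join ', ') }
        }
    }
}

# Cross-check against the listeners WinRM itself reports via the WSMan: drive.
function Get-WinRmListeners {
    Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
        $props = Get-ChildItem -Path $_.PSPath
        [pscustomobject]@{
            Transport = ($props | Where-Object Name -eq 'Transport').Value
            Port      = [int]($props | Where-Object Name -eq 'Port').Value
        }
    }
}

# Requests HTTP.sys rejected (e.g. /wsman probes on 80/443) land in the
# HTTPERR log; successful ones do not, so review the IIS W3C logs as well.
function Find-WsmanInHttpErrLog {
    Get-ChildItem (Join-Path $env:SystemRoot 'System32\LogFiles\HTTPERR') -Filter 'httperr*.log' -ErrorAction SilentlyContinue |
        Select-String -Pattern '/wsman' | Select-Object Filename, LineNumber, Line
}

Get-SuspiciousWsmanReservations | Format-Table -AutoSize
Get-WinRmListeners | Where-Object { $DefaultWinRmPorts -notcontains $_.Port } | Format-Table -AutoSize
Find-WsmanInHttpErrLog | Format-Table -AutoSize
```

An empty result from the first two checks is only meaningful on the host itself; for fleet-wide coverage, run the same script through your existing remote-execution or EDR tooling and baseline the reservations per server role.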
Tags: detection methods, WinRM, IIS logs, URL ACL, HTTP.sys monitoring