TCP 5985
Synopsis
- TCP 5985 is the default port for Microsoft Windows Remote Management (WinRM) over HTTP, which implements the WS-Management protocol.
- PowerShell Remoting uses 5985 by default (5986 for HTTPS) to run remote sessions and commands on Windows servers and client PCs.
- Microsoft Exchange Server remote administration (Exchange Management Shell) connects via WinRM on 5985/5986 for on‑premises management tasks.
- Windows Admin Center manages target Windows servers using WinRM/PowerShell over 5985 as part of its backend connections.
- Automation/orchestration tools use 5985 to manage Windows: Ansible (pywinrm), Chef (knife winrm), Puppet Bolt, Salt SSH (winrm), and HashiCorp Packer and Vagrant’s WinRM communicators.
- WS-Management on non-Windows hosts can also bind to 5985; examples include OpenWSMAN and Microsoft Open Management Infrastructure (OMI) on Linux (used in some Azure VM extensions).
- Security: Attackers and pentesters commonly abuse WinRM on 5985 for lateral movement (e.g., with Evil-WinRM, CrackMapExec, Metasploit), and the 2021 “OMIGOD” vulnerabilities (e.g., CVE-2021-38647) enabled unauthenticated RCE against exposed OMI services on 5985/5986.