TCP 5986
Synopsis
- TCP 5986 is the default port for Microsoft Windows Remote Management (WinRM) over HTTPS (WS-Management) on Windows Server and Windows client systems.
- PowerShell Remoting (Enter-PSSession, Invoke-Command, New-PSSession) uses WinRM HTTPS on 5986 when enabled.
- Automation/configuration tools manage Windows over this port, including Ansible (via pywinrm) and Chef (knife winrm/Chef Infra).
- Azure DevOps tasks such as “PowerShell on Target Machines” and “Windows Machine File Copy” use WinRM over 5986 to execute scripts and transfer files to Windows hosts.
- VMware vRealize Orchestrator/Automation can run guest operations on Windows VMs via WinRM on 5986.
- Microsoft Desired State Configuration (DSC) push operations commonly target Windows nodes using WinRM HTTPS on 5986.
- Monitoring products like SolarWinds Server & Application Monitor and ManageEngine OpManager can collect Windows metrics via WinRM over 5986.
- Security: attackers frequently abuse WinRM on 5985/5986 for lateral movement and remote command execution with stolen credentials, using tools such as Evil-WinRM and frameworks like Cobalt Strike.