Winrs Local Command Execution

Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.

Sigma rule

title: Winrs Local Command Execution
id: bcfece3d-56fe-4545-9931-3b8e92927db1
status: experimental
description: |
    Detects the execution of Winrs.exe where it is used to execute commands locally.
    Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
references:
    - https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs
author: Liran Ravich, Nasreddine Bencherchali
date: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.defense-evasion
    - attack.t1021.006
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" calc.exe
        - Image|endswith: '\winrs.exe'
        - OriginalFileName: 'winrs.exe'
    selection_local_ip:
        CommandLine|contains|windash:
            - '/r:localhost'
            - '/r:127.0.0.1'
            - '/r:[::1]'
            - '/remote:localhost'
            - '/remote:127.0.0.1'
            - '/remote:[::1]'
    filter_main_remote:
        CommandLine|contains|windash:
            - "/r:"
            - "/remote:"
    condition: all of selection_* or (selection_img and not 1 of filter_main_*)
falsepositives:
    - Unlikely
level: high
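To make the condition concrete, the following is an added example (not part of the rule or of the SigmaHQ project) that emulates the rule's matching logic in Python and runs it over a handful of constructed process_creation events. It shows how the two branches of the condition interact: an invocation that names a loopback target matches through `selection_local_ip`, an invocation with no `/r:` or `/remote:` switch at all matches because `filter_main_remote` does not fire, and an invocation targeting another host is filtered out. The `windash` expansion to `-` and the Unicode dash characters is an assumption about how the backend expands the modifier; field names follow the Sigma process_creation schema used by the rule, and the events are constructed, not real telemetry.

```python
# Added example: Python emulation of the "Winrs Local Command Execution" rule.
# Not the rule's own code or a SigmaHQ backend; sample events are constructed.

IMAGE_SUFFIX = "\\winrs.exe"
ORIGINAL_FILE_NAME = "winrs.exe"
LOCAL_TARGETS = [
    "/r:localhost", "/r:127.0.0.1", "/r:[::1]",
    "/remote:localhost", "/remote:127.0.0.1", "/remote:[::1]",
]
REMOTE_SWITCHES = ["/r:", "/remote:"]

# Assumption: the `windash` modifier expands "/" to "-" and to the Unicode
# en dash, em dash and horizontal bar, which Windows CLI parsers also accept.
DASH_VARIANTS = ("/", "-", "\u2013", "\u2014", "\u2015")


def windash_variants(pattern):
    """Return every dash/slash variant of a pattern, as `windash` would generate."""
    return [pattern.replace("/", d) for d in DASH_VARIANTS]


def contains_windash(value, patterns):
    """Case-insensitive `contains|windash`; a list of patterns is OR-ed (Sigma semantics)."""
    haystack = value.lower()
    return any(v.lower() in haystack for p in patterns for v in windash_variants(p))


def selection_img(event):
    # Two map entries under a list => OR of the two conditions.
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIX) or original == ORIGINAL_FILE_NAME


def selection_local_ip(event):
    return contains_windash(event.get("CommandLine", ""), LOCAL_TARGETS)


def filter_main_remote(event):
    return contains_windash(event.get("CommandLine", ""), REMOTE_SWITCHES)


def rule_matches(event):
    """condition: all of selection_* or (selection_img and not 1 of filter_main_*)"""
    img = selection_img(event)
    return (img and selection_local_ip(event)) or (img and not filter_main_remote(event))


# Constructed sample events (field values invented for the example).
SAMPLE_EVENTS = [
    {"id": "e1", "Image": "C:\\Windows\\System32\\winrs.exe",
     "CommandLine": "winrs -r:localhost calc.exe"},             # dash form, loopback target
    {"id": "e2", "Image": "C:\\Windows\\System32\\winrs.exe",
     "CommandLine": "winrs /r:FILESRV01 hostname"},              # real remote target, filtered
    {"id": "e3", "Image": "C:\\Windows\\System32\\winrs.exe",
     "CommandLine": '"c:\\Windows\\System32\\winrs.exe" calc.exe'},  # no /r switch at all
    {"id": "e4", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c whoami"},                            # not winrs
    {"id": "e5", "Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "winrs.exe",
     "CommandLine": "svc.exe /remote:[::1] whoami"},             # renamed binary, caught via OriginalFileName
    {"id": "e6", "Image": "C:\\Windows\\System32\\winrs.exe",
     "CommandLine": "winrs \u2013r:127.0.0.1 ipconfig"},         # en dash variant
]


def matching_ids(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], "MATCH" if rule_matches(event) else "-", event["CommandLine"])
```

Event e2 is the case the filter exists for: `winrs` against a host other than the local machine is the tool's documented purpose, so it is excluded here and left to the lateral-movement rules that cover remote WinRM use. Event e3 matches without naming any target, because `winrs` with no `/r:` switch defaults to the local host, which is why the second branch of the condition is needed at all.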
