Potential Lateral Movement via Windows Remote Shell
Detects a child process spawned by winrshost.exe, the host process that runs on the target of a Windows Remote Shell (WinRS) session. A child of winrshost.exe means a command was executed remotely over WinRM, which may indicate lateral movement.
Sigma rule
```yaml
title: Potential Lateral Movement via Windows Remote Shell
id: 79df3f68-dccb-48e9-9171-b75cbc37c51d
status: experimental
description: |
    Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
references:
    - https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
    - https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement
author: Liran Ravich
date: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.t1021.006
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" powershell
        ParentImage|endswith: '\winrshost.exe'
    filter_main_conhost:
        Image: 'C:\Windows\System32\conhost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate use of WinRM within the organization
level: medium
```
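The rule's condition is `selection and not 1 of filter_main_*`: any child of winrshost.exe alerts unless it is the console host that every remote shell spawns. The block below is an added example, not code from the original page or from the SigmaHQ project; it re-implements that logic in Python and runs it over constructed Sysmon-style process_creation events (the paths, command lines and the hostname FILESRV01 are made up) so the match, the conhost exclusion and Sigma's case-insensitive string matching can all be seen on concrete records.

```python
"""Walk the detection logic of the 'Potential Lateral Movement via Windows
Remote Shell' Sigma rule over a few constructed process_creation events.

Added example, not code from the page or the SigmaHQ project. The events
below are constructed samples using Sysmon Event ID 1 field names
(ParentImage, Image, CommandLine); they are not captured telemetry.
"""

SELECTION_PARENT_SUFFIX = "\\winrshost.exe"
FILTER_CONHOST_IMAGE = "c:\\windows\\system32\\conhost.exe"


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection and not 1 of filter_main_*'.

    Sigma string matching is case-insensitive by default, so field values
    are lower-cased before comparing; a parent written as 'WinRSHost.exe'
    must still match.
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    # selection: ParentImage|endswith: '\winrshost.exe'
    selection = parent.endswith(SELECTION_PARENT_SUFFIX)
    # filter_main_conhost: Image: 'C:\Windows\System32\conhost.exe'
    # winrshost.exe spawns a console host for every remote shell, so that
    # child is noise and is excluded by the rule.
    filtered = image == FILTER_CONHOST_IMAGE
    return selection and not filtered


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # remote shell running PowerShell on the target: should alert
        "Id": 1,
        "ParentImage": "C:\\Windows\\System32\\winrshost.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell",
    },
    {   # console host spawned for the remote shell: filtered out
        "Id": 2,
        "ParentImage": "C:\\Windows\\System32\\winrshost.exe",
        "Image": "C:\\Windows\\System32\\conhost.exe",
        "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4",
    },
    {   # parent path in a different case: still matches (case-insensitive)
        "Id": 3,
        "ParentImage": "C:\\WINDOWS\\System32\\WinRSHost.exe",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {   # the client side (winrs.exe run by a user) is out of scope here;
        # it is what the related 'Winrs Local Command Execution' rule covers
        "Id": 4,
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\winrs.exe",
        "CommandLine": "winrs.exe -r:FILESRV01 powershell",
    },
]


def triage(events):
    """Return the Ids of all events the rule would flag."""
    return [e["Id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["Id"], "ALERT" if matches_rule(e) else "-", e["CommandLine"])
    print("flagged:", triage(SAMPLE_EVENTS))
```

Two points worth keeping in mind when deploying the rule. The filter compares the full path `C:\Windows\System32\conhost.exe`, so on a host whose system root is elsewhere the console host is not excluded and every remote shell produces an extra hit. And because the selection matches any child of winrshost.exe, routine administration over WinRM alerts too, which is why the rule is rated medium; tuning usually means baselining which source hosts and accounts are expected to open WinRS sessions rather than loosening the selection.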
Related rules
- Winrs Local Command Execution
- Remote PowerShell Session Host Process (WinRM)
- Enable Windows Remote Management
- Execute Invoke-command on Remote Host
- HackTool - WinRM Access Via Evil-WinRM