
Rule Info
Name
Certutil Execution via WinrsHost
Author
X__Junior
Description
Detects certutil.exe being launched with WinrsHost.exe as its parent process, which may indicate that Windows Remote Shell (WinRS) is being used for malicious purposes. This parent-child combination is often seen in lateral movement and defense evasion, where attackers use remote command execution to run certutil for tasks such as certificate manipulation or payload retrieval.
Date
2025-02-24 00:00:00
Modified
None
Id
2d3181ad-74e5-4b80-84e6-8c574fc3b52c
Tags
attack.defense-evasion
Type
Nextron Sigma feed only (private)