Potential Lateral Movement via Windows Remote Shell

Rule Info

Name
Potential Lateral Movement via Windows Remote Shell
Author
Liran Ravich
Description
Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
Reference
https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
Date
2025-10-22 00:00:00
Modified
None
Id
79df3f68-dccb-48e9-9171-b75cbc37c51d
Tags
attack.lateral-movement attack.t1021.006
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=79df3f68-dccb-48e9-9171-b75cbc37c51d

Rule History

Author
Title
Date
Commit
Liran Ravich
Merge PR #5604 from @Liran017 - Add new winrs related rules
2025-10-29
bd21aec1e
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022