Potential Lateral Movement Via Windows Remote Management (WinRM) - Suspicious Process Tree

Rule Info

Name
Potential Lateral Movement Via Windows Remote Management (WinRM) - Suspicious Process Tree
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects a suspicious process tree of "winrshost.exe". This indicates remote execution via Windows Remote Management (WinRM) and could be a sign of potential lateral movement activity.
Date
2024-05-03 00:00:00
Modified
None
Id
dd71e47a-6b6a-48a1-826a-62ae33cc106e
Tags
attack.execution
Type
Nextron Sigma feed only (private)

Rule History