Rule Info
Name
Potential Lateral Movement Via Windows Remote Management (WinRM) - Suspicious Process Tree
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects suspicious process tree of "winrshost.exe". This indicate remote execution via Windows Remote Management (WinRM) and could be a sign of potential lateral movement activity.
Date
2024-05-03 00:00:00
Modified
None
Id
dd71e47a-6b6a-48a1-826a-62ae33cc106e
Tags
attack.execution
Type
Nextron Sigma feed only (private)