Detects a child process spawned by ‘winrshost.exe’, which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
title: Potential Lateral Movement via Windows Remote Shell
id: 79df3f68-dccb-48e9-9171-b75cbc37c51d
status: experimental
description: |
Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
references:
- https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
- https://www.ired.team/offensive-security/lateral-movement/winrs-for-lateral-movement
author: Liran Ravich
date: 2025-10-22
tags:
- attack.lateral-movement
- attack.t1021.006
logsource:
category: process_creation
product: windows
detection:
selection:
# Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" powershell
ParentImage|endswith: '\winrshost.exe'
filter_main_conhost:
Image: 'C:\Windows\System32\conhost.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Legitimate use of WinRM within the organization
level: medium
imProcessCreate
| where (ParentProcessName endswith "\\winrshost.exe" or ActingProcessName endswith "\\winrshost.exe") and (not(TargetProcessName =~ "C:\\Windows\\System32\\conhost.exe"))| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |