administrators may leverage winrm and winrs to start a process on remote systems, but this activity is usually limited to a small set of hosts or users.

Techniques

Sample rules

Remote Process Instantiation via WinRM and Winrs

source: splunk
technicques:
- T1021
- T1021.006

Description

This analytic looks for the execution of winrs.exe with command-line arguments utilized to start a process on a remote endpoint. Red Teams and adversaries alike may abuse the WinRM protocol and this binary for lateral movement and remote code execution.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=winrs.exe OR Processes.original_file_name=winrs.exe) (Processes.process="*-r:*" OR Processes.process="*-remote:*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| `remote_process_instantiation_via_winrm_and_winrs_filter`