Techniques
Sample rules
Potential Lateral Movement via Windows Remote Shell
- source: sigma
- techniques:
- t1021
- t1021.006
Description
Detects a child process spawned by ‘winrshost.exe’, the host process for commands executed through Windows Remote Shell (WinRS over WinRM). A process tree rooted in winrshost.exe means a command was run on this host from a remote session, which may indicate lateral movement.
Detection logic
selection:
    ParentImage|endswith: \winrshost.exe
filter_main_conhost:
    Image: C:\Windows\System32\conhost.exe
condition: selection and not 1 of filter_main_*
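The rule above evaluated over a few constructed process-creation events, as an added example that is not part of the original rule or the Sigma project: `selection` and `filter_main_conhost` are implemented as plain predicates, and `condition` is the boolean the rule states. The events, their EventID values and the field names (Image, ParentImage, CommandLine, in the shape of a Sysmon-style process_creation log) are constructed sample data, not real telemetry.

```python
"""Evaluate the WinRS lateral-movement rule over constructed process-creation events.

Added example, not code from the original page. Field names follow the Sigma
process_creation log source; the events themselves are constructed for this demo.
"""
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed sample events (not real telemetry). Only the fields the rule reads matter.
SAMPLE_EVENTS: List[Event] = [
    {   # cmd.exe run through winrs from a remote host: should alert
        "EventID": "1",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\winrshost.exe",
        "CommandLine": 'cmd.exe /c "whoami /all"',
    },
    {   # console host that winrshost.exe always spawns: benign, covered by the filter
        "EventID": "2",
        "Image": r"C:\Windows\System32\conhost.exe",
        "ParentImage": r"C:\Windows\System32\winrshost.exe",
        "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4",
    },
    {   # powershell.exe under winrshost, mixed case to exercise case-insensitive matching
        "EventID": "3",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\WINDOWS\System32\WinRSHost.exe",
        "CommandLine": "powershell.exe -nop -c Get-Process",
    },
    {   # ordinary interactive cmd.exe started from explorer: no match
        "EventID": "4",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "cmd.exe",
    },
]


def selection(event: Event) -> bool:
    """selection: ParentImage|endswith: \\winrshost.exe

    Sigma string matching is case-insensitive by default, so both sides are lowercased.
    """
    return event.get("ParentImage", "").lower().endswith(r"\winrshost.exe")


def filter_main_conhost(event: Event) -> bool:
    """filter_main_conhost: Image: C:\\Windows\\System32\\conhost.exe (exact, case-insensitive)."""
    return event.get("Image", "").lower() == r"c:\windows\system32\conhost.exe"


# Every filter_main_* block in the rule; '1 of filter_main_*' is true if any of them matches.
FILTERS: List[Callable[[Event], bool]] = [filter_main_conhost]


def matches(event: Event) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not any(f(event) for f in FILTERS)


def run_rule(events: List[Event]) -> List[str]:
    """Return the EventIDs of the events the rule would alert on."""
    return [e["EventID"] for e in events if matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if matches(event) else "ok"
        print(f"{event['EventID']}: {verdict}  {event['ParentImage']} -> {event['Image']}")
```

Two points a practitioner will want to check before deploying this: the only filter is conhost.exe, so every other child of winrshost.exe alerts, including legitimate administrative `winrs` usage, which means the rule should be baselined against known management hosts rather than run as a high-severity alert on its own; and the filter matches on the full, exact Image path, so it stays narrow (a conhost.exe copied elsewhere would still alert) while the selection matches on the suffix of ParentImage, so it keeps firing if winrshost.exe lives on a non-default system drive.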