Detection rules › Sigma
Winrs Local Command Execution
Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1218 System Binary Proxy Execution |
| Lateral Movement | T1021.006 Remote Services: Windows Remote Management |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_img
or:
Image|endswith: '\winrs.exe'
OriginalFileName: winrs.exe
Stage 2: all of selection_local_ip
or:
CommandLine|contains: '/r:127.0.0.1'
CommandLine|contains: '/r:[::1]'
CommandLine|contains: '/r:localhost'
CommandLine|contains: '/remote:127.0.0.1'
CommandLine|contains: '/remote:[::1]'
CommandLine|contains: '/remote:localhost'
Stage 3: selection_img
or:
Image|endswith: '\winrs.exe'
OriginalFileName: winrs.exe
Stage 4: not 1 of filter_main_remote
or:
CommandLine|contains: '/r:'
CommandLine|contains: '/remote:'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|