Skip to content

Hide Navigation Hide TOC

Potential Lateral Movement via Windows Remote Shell (79df3f68-dccb-48e9-9171-b75cbc37c51d)

Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.

Cluster A Galaxy A Cluster B Galaxy B Level
Potential Lateral Movement via Windows Remote Shell (79df3f68-dccb-48e9-9171-b75cbc37c51d) Sigma-Rules Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) Attack Pattern 2