Winrs Local Command Execution (bcfece3d-56fe-4545-9931-3b8e92927db1)

Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Winrs Local Command Execution (bcfece3d-56fe-4545-9931-3b8e92927db1) | Sigma-Rules | 1 |
| Winrs Local Command Execution (bcfece3d-56fe-4545-9931-3b8e92927db1) | Sigma-Rules | Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) | Attack Pattern | 1 |
| Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) | Attack Pattern | 2 |