Winrs Local Command Execution (bcfece3d-56fe-4545-9931-3b8e92927db1)

Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) | Attack Pattern | Winrs Local Command Execution (bcfece3d-56fe-4545-9931-3b8e92927db1) | Sigma-Rules | 1 |
| Winrs Local Command Execution (bcfece3d-56fe-4545-9931-3b8e92927db1) | Sigma-Rules | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 1 |
| Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) | Attack Pattern | 2 |