
Winrs Local Command Execution (bcfece3d-56fe-4545-9931-3b8e92927db1)

Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) | Attack Pattern | Winrs Local Command Execution (bcfece3d-56fe-4545-9931-3b8e92927db1) | Sigma-Rules | 1 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Winrs Local Command Execution (bcfece3d-56fe-4545-9931-3b8e92927db1) | Sigma-Rules | 1 |
| Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2 |