Sigma | Level: high | Hunting

Winrs Local Command Execution

Detects the execution of Winrs.exe to run a command on the local host, either with an explicit local endpoint (/r:localhost, /r:127.0.0.1, /r:[::1] and the /remote: equivalents) or with no /r: or /remote: switch at all, in which case winrs targets localhost by default. The command is launched as a child of Winrshost.exe rather than of the caller, which can serve as proxy execution for defense evasion or as a local stepping stone during lateral movement.

MITRE ATT&CK

lateral-movement, defense-evasion

Detection Query

selection_img:
  - Image|endswith: \winrs.exe
  - OriginalFileName: winrs.exe
selection_local_ip:
  CommandLine|contains|windash:
    - /r:localhost
    - /r:127.0.0.1
    - /r:[::1]
    - /remote:localhost
    - /remote:127.0.0.1
    - /remote:[::1]
filter_main_remote:
  CommandLine|contains|windash:
    - "/r:"
    - "/remote:"
condition: all of selection_* or (selection_img and not 1 of filter_main_*)
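To make the condition concrete, the following is an added example, not part of the rule page and not Sigma's own tooling: a plain-Python re-implementation of the three selections, the windash expansion and the rule's condition, run over constructed Sysmon-style process-creation events. Field names follow the Sigma process_creation taxonomy (Image, OriginalFileName, CommandLine); the events, helper names and verdict labels are this example's own.

```python
"""Reference evaluation of the 'Winrs Local Command Execution' Sigma rule.

Constructed example (not the rule page's or Sigma's own code): re-implements
the rule's selections and condition in plain Python and runs them over
hand-made process-creation events so the intent of the condition, and its
blind spots, can be checked offline.
"""
from itertools import product

# Sigma 'windash': every permutation of the dash-like characters in a value
# (hyphen, slash, en dash, em dash, horizontal bar).
DASHES = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash(value: str) -> list[str]:
    """Expand a value into all dash/slash permutations, as the modifier does."""
    slots = [i for i, ch in enumerate(value) if ch in DASHES]
    variants = set()
    for combo in product(DASHES, repeat=len(slots)):
        chars = list(value)
        for idx, repl in zip(slots, combo):
            chars[idx] = repl
        variants.add("".join(chars))
    return sorted(variants)


def contains_any(field: str, values: list[str]) -> bool:
    """Sigma string matching is case-insensitive by default."""
    hay = field.lower()
    return any(v.lower() in hay for v in values)


LOCAL_ENDPOINTS = [v for raw in ("/r:localhost", "/r:127.0.0.1", "/r:[::1]",
                                  "/remote:localhost", "/remote:127.0.0.1",
                                  "/remote:[::1]") for v in windash(raw)]
REMOTE_SWITCHES = [v for raw in ("/r:", "/remote:") for v in windash(raw)]


def selection_img(ev: dict) -> bool:
    # A list of maps in Sigma is an OR between the maps.
    return (ev.get("Image", "").lower().endswith("\\winrs.exe")
            or ev.get("OriginalFileName", "").lower() == "winrs.exe")


def selection_local_ip(ev: dict) -> bool:
    return contains_any(ev.get("CommandLine", ""), LOCAL_ENDPOINTS)


def filter_main_remote(ev: dict) -> bool:
    return contains_any(ev.get("CommandLine", ""), REMOTE_SWITCHES)


def matches(ev: dict) -> bool:
    """condition: all of selection_* or (selection_img and not 1 of filter_main_*)"""
    img = selection_img(ev)
    return (img and selection_local_ip(ev)) or (img and not filter_main_remote(ev))


WINRS = r"C:\Windows\System32\winrs.exe"
# Constructed process-creation events (Sysmon EID 1 style fields), not real telemetry.
EVENTS = [
    ("local_default", {"Image": WINRS, "OriginalFileName": "winrs.exe",
                       "CommandLine": r'"c:\Windows\System32\winrs.exe" calc.exe'}),
    ("local_dash_r", {"Image": WINRS, "OriginalFileName": "winrs.exe",
                      "CommandLine": "winrs.exe -r:localhost whoami"}),
    ("local_slash_remote", {"Image": WINRS, "OriginalFileName": "winrs.exe",
                            "CommandLine": "winrs /remote:127.0.0.1 hostname"}),
    ("local_ipv6_endash", {"Image": WINRS, "OriginalFileName": "winrs.exe",
                           "CommandLine": "winrs.exe \u2013r:[::1] cmd /c whoami"}),
    ("remote_host", {"Image": WINRS, "OriginalFileName": "winrs.exe",
                     "CommandLine": "winrs.exe -r:FILESRV01 ipconfig"}),
    ("renamed_binary", {"Image": r"C:\Users\Public\w.exe", "OriginalFileName": "winrs.exe",
                        "CommandLine": "w.exe ipconfig"}),
    ("not_winrs", {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
                   "CommandLine": "cmd.exe /c echo winrs"}),
    # Endpoint given in URL form: not in the literal list, and the -r: filter drops it.
    ("local_url_form", {"Image": WINRS, "OriginalFileName": "winrs.exe",
                        "CommandLine": "winrs.exe -r:http://localhost:5985 whoami"}),
]


def evaluate(events=EVENTS) -> dict[str, bool]:
    """Return the rule verdict for each named event."""
    return {name: matches(ev) for name, ev in events}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:20s} {'ALERT' if verdict else 'no match'}")
```

The run shows both paths of the condition: an explicit local endpoint in any dash or slash spelling, and no endpoint at all (winrs then targets localhost), plus the renamed-binary case caught through OriginalFileName. It also shows a limit of the literal list: an endpoint written as a URL, such as -r:http://localhost:5985, is still local but does not contain any of the listed strings, so it falls into filter_main_remote and is not matched by the rule as written.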

Author

Liran Ravich, Nasreddine Bencherchali

Created

2025-10-22

Data Sources

windows / Process Creation Events

Platforms

windows

Tags

attack.lateral-movement, attack.defense-evasion, attack.t1021.006, attack.t1218

Raw Content
title: Winrs Local Command Execution
id: bcfece3d-56fe-4545-9931-3b8e92927db1
status: experimental
description: |
    Detects the execution of Winrs.exe where it is used to execute commands locally.
    Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
references:
    - https://cardinalops.com/blog/living-off-winrm-abusing-complexity-in-remote-management/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/winrs
author: Liran Ravich, Nasreddine Bencherchali
date: 2025-10-22
tags:
    - attack.lateral-movement
    - attack.defense-evasion
    - attack.t1021.006
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        # Note: Example of command to simulate (winrm needs to be enabled): "c:\Windows\System32\winrs.exe" calc.exe
        - Image|endswith: '\winrs.exe'
        - OriginalFileName: 'winrs.exe'
    selection_local_ip:
        CommandLine|contains|windash:
            - '/r:localhost'
            - '/r:127.0.0.1'
            - '/r:[::1]'
            - '/remote:localhost'
            - '/remote:127.0.0.1'
            - '/remote:[::1]'
    filter_main_remote:
        CommandLine|contains|windash:
            - "/r:"
            - "/remote:"
    condition: all of selection_* or (selection_img and not 1 of filter_main_*)
falsepositives:
    - Unlikely
level: high