```yaml
title: Clustered Suspicious Process Creation Across Multiple Hosts
id: edr-win-corr-proc-cluster-multi-host
status: experimental
description: >
    Correlation rule flagging clustered process creation events on Windows within a
    30-minute window for a single user across 2+ distinct hosts, where unverified or
    WinRM-related parent processes spawn children with command-line arguments
    suggesting reconnaissance, persistence, or malicious activity. Detects the
    hands-on-keyboard pattern of an operator pivoting through multiple systems via
    remote execution.
references:
    - https://attack.mitre.org/techniques/T1021/006/
author: ShroudCloud
date: 2026/04/16
tags:
    - attack.lateral_movement
    - attack.execution
    - attack.t1021.006
logsource:
    category: process_creation
    product: windows
detection:
    # Parent binary carries a valid/verified signature. Negated in the condition
    # ("not parent_signed") because Sigma has no 'notin' modifier.
    parent_signed:
        ParentCodeSignature:
            - 'valid'
            - 'verified'
    # Parent is a WinRM host process. Kept as its own selection: fields inside one
    # selection are ANDed, and the description wants "unverified OR WinRM-related".
    # The list items below are ORed with each other.
    parent_winrm:
        - ParentImage|endswith:
            - '\wsmprovhost.exe'
            - '\winrshost.exe'
        # Note: these strings are the binaries' file Description values; OriginalFileName
        # for these images is normally just the executable name.
        - ParentOriginalFileName|endswith:
            - 'Host process for WinRM plug-ins'
            - "Host Process for WinRM's Remote Shell plugin"
    parent_exclusion:
        ParentImage|endswith:
            - '\msiexec.exe'
            - '\svchost.exe'
    suspicious_cmdline:
        CommandLine|contains:
            - 'schtasks'
            - 'qwinsta'
            - 'tasklist'
            - 'certutil'
            - 'vssadmin'
            - 'quser'
            - 'netstat'
    # Aggregation parameters; thresholds must agree with the condition below.
    clustering:
        timeframe: '30m'
        group_by:
            - 'User'
        event_threshold: 3
        host_threshold: 2
    condition: ((not parent_signed or parent_winrm) and not parent_exclusion) and suspicious_cmdline | count() by User within 30m >= 3 and distinct(ComputerName) >= 2
falsepositives:
    - Legitimate administrative scripts executed via WinRM across multiple hosts
level: critical
```
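To show how the per-event selection and the per-user clustering interact, here is an added stand-alone evaluator of the rule's logic (not the rule author's code and not a Sigma backend); the events are constructed, and the field names (`User`, `ComputerName`, `ParentImage`, `ParentCodeSignature`, `CommandLine`) are those the rule uses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constants mirror the rule's selections (values copied from the rule).
WINRM_PARENTS = ("\\wsmprovhost.exe", "\\winrshost.exe")
EXCLUDED_PARENTS = ("\\msiexec.exe", "\\svchost.exe")
SUSPICIOUS = ("schtasks", "qwinsta", "tasklist", "certutil", "vssadmin", "quser", "netstat")
TIMEFRAME = timedelta(minutes=30)
EVENT_THRESHOLD, HOST_THRESHOLD = 3, 2

def matches_selection(ev):
    """Per-event part: (parent unverified OR WinRM parent) AND NOT excluded AND suspicious cmdline."""
    parent = ev["ParentImage"].lower()
    unverified = ev.get("ParentCodeSignature", "").lower() not in ("valid", "verified")
    if not (unverified or parent.endswith(WINRM_PARENTS)):
        return False
    if parent.endswith(EXCLUDED_PARENTS):
        return False
    cmd = ev["CommandLine"].lower()
    return any(token in cmd for token in SUSPICIOUS)

def correlate(events):
    """Sliding 30m window per User: >= 3 matching events spanning >= 2 distinct hosts."""
    by_user = defaultdict(list)
    for ev in events:
        if matches_selection(ev):
            by_user[ev["User"]].append(ev)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # anchor the window at each event in turn
            window = [e for e in evs[i:] if e["ts"] - first["ts"] <= TIMEFRAME]
            hosts = {e["ComputerName"] for e in window}
            if len(window) >= EVENT_THRESHOLD and len(hosts) >= HOST_THRESHOLD:
                alerts[user] = sorted(hosts)
                break
    return alerts

def _ev(minute, user, host, parent, cmd, sig="unsigned"):
    return {"ts": datetime(2026, 4, 16, 9, minute), "User": user, "ComputerName": host,
            "ParentImage": parent, "CommandLine": cmd, "ParentCodeSignature": sig}

WSMPROV = "C:\\Windows\\System32\\wsmprovhost.exe"
SAMPLE_EVENTS = [  # constructed test data, not real telemetry
    _ev(0, "CORP\\jdoe", "WS01", WSMPROV, "tasklist /v", sig="valid"),  # signed, but WinRM parent
    _ev(5, "CORP\\jdoe", "WS02", WSMPROV, "quser"),
    _ev(12, "CORP\\jdoe", "WS02", WSMPROV, "schtasks /query"),
    _ev(13, "CORP\\jdoe", "WS02", "C:\\Windows\\System32\\svchost.exe", "netstat -ano"),  # excluded
    _ev(1, "CORP\\svc_patch", "WS03", WSMPROV, "certutil -hashfile x"),  # 3 hits on one host: no alert
    _ev(2, "CORP\\svc_patch", "WS03", WSMPROV, "vssadmin list shadows"),
    _ev(3, "CORP\\svc_patch", "WS03", WSMPROV, "netstat -an"),
]
```

`correlate(SAMPLE_EVENTS)` alerts only on `CORP\jdoe` (three hits across WS01 and WS02 inside 30 minutes); the single-host burst from `svc_patch` stays below `host_threshold`.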