```yaml
title: Remote Execution via WinRM Abuse
id: edr-win-lat-winrm-abuse
status: stable
description: >
  Detects suspicious process creation where the parent is wsmprovhost.exe or
  winrshost.exe (the WinRM session host processes on the target) and the child
  is a LOLBin commonly used for reconnaissance, persistence, or credential
  access. WinRM is heavily abused for lateral movement because it is enabled in
  many enterprise environments and its execution path (a WinRM plug-in host
  process) is distinct from the one used by PsExec or Impacket.
references:
  - https://attack.mitre.org/techniques/T1021/006/
author: ShroudCloud
date: 2026/04/15
tags:
  - attack.lateral_movement
  - attack.execution
  - attack.t1021.006
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  # Parent is a WinRM session host, identified either by image path or by the
  # value the EDR reports in ParentOriginalFileName. The two entries in this
  # list are OR'ed; fields inside a single map would be AND'ed.
  parent_filter:
    - ParentImage|endswith:
        - '\wsmprovhost.exe'
        - '\winrshost.exe'
    - ParentOriginalFileName|endswith:
        - 'Host process for WinRM plug-ins'
        - "Host Process for WinRM's Remote Shell plugin"
  # Sigma has no 'notin' modifier, so "parent signature is neither valid nor
  # verified" is expressed as a selection that is negated in the condition.
  parent_signed:
    ParentCodeSignature:
      - 'valid'
      - 'verified'
  parent_exclusion:
    ParentImage|endswith:
      - '\msiexec.exe'
      - '\svchost.exe'
  suspicious_children:
    Image|endswith:
      - '\schtasks.exe'
      - '\quser.exe'
      - '\qwinsta.exe'
      - '\tasklist.exe'
      - '\netstat.exe'
      - '\systeminfo.exe'
      - '\vssadmin.exe'
      - '\certutil.exe'
      - '\reg.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
  condition: parent_filter and not parent_signed and not parent_exclusion and suspicious_children
falsepositives:
  - Legitimate administrative use of WinRM (baseline by source host and admin account)
level: high
```
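To check what the condition actually admits before deploying it, here is an added Python example (not part of the rule file and not the rule author's code) that implements the subset of Sigma matching semantics this rule relies on (a map ANDs its fields, a list of maps ORs them, `endswith` is a case-insensitive suffix test, a bare field is a case-insensitive equality test) and evaluates the rule over a few constructed process-creation events. The rule's `notin` signature clause is modelled as a negated `parent_signed` selection; the event field names and the sample values are assumptions, not real telemetry.

```python
"""Evaluate the WinRM-abuse rule over constructed process-creation events.

Added example, not the rule author's code. It implements only the Sigma
semantics this rule needs: a selection written as a map ANDs its fields, a
selection written as a list of maps ORs them, 'endswith' is a case-insensitive
suffix match, and a field without a modifier is a case-insensitive equality
match. The 'notin' clause of the original rule is modelled as the negated
'parent_signed' selection in the condition.
"""

# The rule's selections, transcribed from the YAML above.
RULE = {
    "parent_filter": [
        {"ParentImage|endswith": ["\\wsmprovhost.exe", "\\winrshost.exe"]},
        {"ParentOriginalFileName|endswith": [
            "Host process for WinRM plug-ins",
            "Host Process for WinRM's Remote Shell plugin"]},
    ],
    "parent_signed": {"ParentCodeSignature": ["valid", "verified"]},
    "parent_exclusion": {"ParentImage|endswith": ["\\msiexec.exe", "\\svchost.exe"]},
    "suspicious_children": {"Image|endswith": [
        "\\schtasks.exe", "\\quser.exe", "\\qwinsta.exe", "\\tasklist.exe",
        "\\netstat.exe", "\\systeminfo.exe", "\\vssadmin.exe", "\\certutil.exe",
        "\\reg.exe", "\\powershell.exe", "\\pwsh.exe", "\\cmd.exe"]},
}


def _field_matches(event: dict, key: str, values: list) -> bool:
    """One 'Field|modifier: [values]' entry; any listed value may match."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event: dict, selection) -> bool:
    """A list of maps is OR'ed; the fields inside one map are AND'ed."""
    if isinstance(selection, list):
        return any(selection_matches(event, item) for item in selection)
    return all(_field_matches(event, key, values) for key, values in selection.items())


def rule_matches(event: dict) -> bool:
    """Apply the rule's condition:
    parent_filter and not parent_signed and not parent_exclusion and suspicious_children
    """
    sel = {name: selection_matches(event, body) for name, body in RULE.items()}
    return (sel["parent_filter"] and not sel["parent_signed"]
            and not sel["parent_exclusion"] and sel["suspicious_children"])


# Constructed sample events (hypothetical EDR field names, not real telemetry).
EVENTS = [
    # 1: WinRM plug-in host with a non-valid signature state spawning cmd.exe -> alert
    {"id": 1, "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "ParentCodeSignature": "invalid", "Image": r"C:\Windows\System32\cmd.exe"},
    # 2: parent identified only by its description (renamed image) spawning reg.exe -> alert
    {"id": 2, "ParentImage": r"C:\Users\Public\w.exe",
     "ParentOriginalFileName": "Host Process for WinRM's Remote Shell plugin",
     "ParentCodeSignature": "unknown", "Image": r"C:\Windows\System32\reg.exe"},
    # 3: same parent but reported as validly signed -> suppressed by 'not parent_signed'
    {"id": 3, "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "ParentCodeSignature": "valid", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # 4: interactive shell from explorer.exe -> parent_filter fails
    {"id": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCodeSignature": "valid", "Image": r"C:\Windows\System32\cmd.exe"},
    # 5: WinRM host spawning a binary not in the LOLBin list -> suspicious_children fails
    {"id": 5, "ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "ParentCodeSignature": "invalid", "Image": r"C:\Windows\System32\notepad.exe"},
]


def alerting_events(events=EVENTS) -> list:
    """Return the ids of the events the rule would alert on."""
    return [event["id"] for event in events if rule_matches(event)]


if __name__ == "__main__":
    print("alerting event ids:", alerting_events())
```

Running the sample set shows the effect of each clause: events 1 and 2 alert, event 3 is suppressed purely because its parent signature state is reported as valid, which is worth confirming against what your EDR actually populates in that field for the real wsmprovhost.exe before relying on the clause.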