
Summary
This analytic rule detects the execution of `winrs.exe` for remote process creation on targeted systems. Using data from Endpoint Detection and Response (EDR) tools such as Sysmon and Windows Event Logs, the rule monitors for the specific command-line arguments that indicate a remote execution attempt. Because such activity is often associated with lateral movement or unauthorized remote access, identifying these events is important for maintaining network security. The search uses fields from the Endpoint data model that describe the processes involved, namely the destination host, the user, and the parent process name. The detection matters because a successful remote execution through `winrs.exe` could represent a malicious intrusion that lets an attacker run arbitrary commands on the target host. Known false positives may arise from legitimate administrative actions, so results must be interpreted carefully to distinguish benign from malicious use.
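As an added illustration of the logic the summary describes (this is example code written for this page, not the rule's own Splunk search), the block below runs a toy version of the detection over a few constructed process-creation events shaped like the Endpoint data model fields named above (dest, user, parent_process_name, process_name, process). It treats the `-r:`/`-remote:` switch of `winrs.exe` as the argument that signals remote execution; the exact argument patterns used by the production rule are not given on the page, so that choice, the sample events, and the optional allowlist for known-benign administrative sources are assumptions made for the example.

```python
"""Added example: toy detection of winrs.exe remote execution over constructed
process-creation events. Not the page's own search; see the lead-in for assumptions."""
import json
import re
from typing import Iterable, List, Optional, Set, Tuple

# Assumed: winrs names its target with -r:<host> or -remote:<host>. The host may be a
# bare name, an IP, or a URL such as https://host:5986, so accept any non-space run.
REMOTE_SWITCH = re.compile(r"^-(?:r|remote):(?P<host>\S+)$", re.IGNORECASE)


def parse_event(line: str) -> dict:
    """Parse one JSON event; process names are normalised to lower case for matching."""
    ev = json.loads(line)
    ev["process_name"] = ev.get("process_name", "").lower()
    ev["parent_process_name"] = ev.get("parent_process_name", "").lower()
    ev["process"] = ev.get("process", "")
    return ev


def remote_target(cmdline: str) -> Optional[str]:
    """Return the host named by -r:/-remote: in a winrs command line, or None."""
    for tok in cmdline.split():
        m = REMOTE_SWITCH.match(tok.strip('"'))
        if m:
            return m.group("host").strip('"')
    return None


def is_winrs_remote_exec(ev: dict) -> bool:
    """True only for winrs.exe launched with a remote-host switch."""
    return ev["process_name"] == "winrs.exe" and remote_target(ev["process"]) is not None


def detect(lines: Iterable[str],
           allowed_sources: Set[Tuple[str, str]] = frozenset()) -> List[dict]:
    """Return one alert per matching event, keyed by the fields the rule reports.

    allowed_sources is an assumed tuning knob: (user, parent_process_name) pairs that are
    known administrative sources and should not raise an alert (false-positive handling).
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not is_winrs_remote_exec(ev):
            continue
        if (ev.get("user"), ev["parent_process_name"]) in allowed_sources:
            continue
        alerts.append({
            "dest": ev.get("dest"),
            "user": ev.get("user"),
            "parent_process_name": ev["parent_process_name"],
            "remote_target": remote_target(ev["process"]),
            "process": ev["process"],
        })
    return alerts


# Constructed sample events (not real telemetry). Only the first and last should alert:
# the second has no remote switch and the third is not winrs.exe at all.
SAMPLE_EVENTS = [
    json.dumps({"dest": "WS-042", "user": "CORP\\jdoe", "parent_process_name": "cmd.exe",
                "process_name": "winrs.exe",
                "process": "winrs.exe -r:FILESRV01 cmd /c hostname"}),
    json.dumps({"dest": "WS-042", "user": "CORP\\jdoe", "parent_process_name": "cmd.exe",
                "process_name": "winrs.exe",
                "process": "winrs.exe cmd"}),
    json.dumps({"dest": "WS-017", "user": "CORP\\asmith", "parent_process_name": "explorer.exe",
                "process_name": "powershell.exe",
                "process": "powershell.exe -Command \"Get-ChildItem -r:C:\\temp\""}),
    json.dumps({"dest": "ADMIN-JUMP01", "user": "CORP\\svc_admin", "parent_process_name": "cmd.exe",
                "process_name": "winrs.exe",
                "process": "\"C:\\Windows\\System32\\winrs.exe\" -remote:https://SRV02:5986 powershell"}),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts; passing `allowed_sources={("CORP\\svc_admin", "cmd.exe")}` to `detect` suppresses the one from the jump host, which is the kind of tuning the summary's false-positive note calls for.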
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Script
ATT&CK Techniques
- T1021
- T1021.006
Created: 2024-11-13