winrs.exe

winrs.exe is the Windows Remote Shell client, which runs commands on a remote machine over WinRM. Administrators use it for remote management from the command line. Attackers use it for lateral movement, running commands on other hosts with stolen credentials.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

winrs.exe is the command-line front end to Windows Remote Management. With winrs /r:<host> <command> it executes a command on a remote computer over WinRM, optionally with supplied credentials. The command runs on the target, where it is hosted by wsmprovhost.exe. The genuine binary lives at C:\Windows\System32\winrs.exe.

Legitimately, winrs is used by administrators to run commands across servers without an interactive session. The target host, the command, and the credentials used are what give an instance meaning.

Security notes

winrs.exe is a lateral-movement tool over WinRM (T1021.006). With stolen credentials, winrs /r:target cmd /c ... runs commands on another machine, where they surface under wsmprovhost.exe on the target rather than as children of winrs on the source. It is the command-line counterpart to PowerShell Remoting and a quiet way to execute across the network.

Because winrs is a legitimate remote-management tool, the destinations, the commands, and the account are what matter. winrs reaching hosts an account has no reason to manage, launching shells remotely, or fanning a command across many machines points to an operator moving laterally rather than routine administration.

Anomaly signals
  • Image path other than C:\Windows\System32\winrs.exe (high)
  • /r:<host> running commands on machines an account does not normally manage (high)
  • Launching shells or LOLBINs on the remote host (high)
  • Parent is an Office application, a script host, or an unfamiliar process (high)
  • Used to fan out the same command across many hosts (medium)
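As an added example that is not part of this profile, the following Python scorer applies the five anomaly signals above to constructed process-creation events for winrs.exe; the per-account baseline of managed hosts, the list of expected parent consoles, the shell/LOLBIN list and the event fields are all assumptions.

```python
import re
from collections import defaultdict

GENUINE_IMAGE = r"C:\Windows\System32\winrs.exe"
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}  # assumed: consoles an admin types into
SHELLS_AND_LOLBINS = {"cmd", "powershell", "pwsh", "rundll32", "regsvr32", "mshta", "certutil", "wscript", "cscript"}
BASELINE = {"corp\\admin1": {"srv-file01", "srv-print01"}}  # hypothetical: hosts each account normally manages
REMOTE_RE = re.compile(r"[/-](?:r|remote):(\S+)", re.IGNORECASE)  # winrs accepts /r:<host> or /remote:<host>

def remote_target(cmdline):  # host named by /r:, lower-cased, or None if the switch is absent
    m = REMOTE_RE.search(cmdline)
    return m.group(1).strip('"').lower() if m else None

def remote_command(cmdline):  # the command winrs runs on the target: tokens after the switches
    tokens = cmdline.split()[1:]                # drop the winrs token itself
    while tokens and tokens[0][0] in "/-":      # skip /r:, /u:, /p:, /noprofile, ...
        tokens.pop(0)
    return " ".join(tokens)

def score_event(ev, baseline=BASELINE):  # per-event signals from the profile as (signal, severity) pairs
    hits = []
    if ev["image"].lower() != GENUINE_IMAGE.lower():
        hits.append(("image_path", "high"))
    target = remote_target(ev["cmdline"])
    if target and target not in baseline.get(ev["user"].lower(), set()):
        hits.append(("unmanaged_host", "high"))
    first = remote_command(ev["cmdline"]).split(" ")[0].lower().rsplit("\\", 1)[-1]
    if first.removesuffix(".exe") in SHELLS_AND_LOLBINS:
        hits.append(("remote_shell_or_lolbin", "high"))
    if ev["parent"].lower() not in EXPECTED_PARENTS:
        hits.append(("suspicious_parent", "high"))
    return hits

def fan_out(events, threshold=3):  # cross-event signal: one account, same command, >= threshold hosts
    hosts = defaultdict(set)
    for ev in events:
        target = remote_target(ev["cmdline"])
        if target:
            hosts[(ev["user"].lower(), remote_command(ev["cmdline"]).lower())].add(target)
    return {key: sorted(h) for key, h in hosts.items() if len(h) >= threshold}

def make_event(user, parent, image, cmdline):  # one process-creation event with Sysmon Event ID 1 style fields
    return {"user": user, "parent": parent, "image": image, "cmdline": cmdline}

# Constructed sample launches of winrs.exe on a source host; not real telemetry.
EVENTS = [
    make_event("CORP\\admin1", "cmd.exe", GENUINE_IMAGE, "winrs /r:srv-file01 ipconfig /all"),    # routine admin use
    make_event("CORP\\admin1", "WINWORD.EXE", GENUINE_IMAGE, "winrs /r:srv-sql02 cmd /c whoami"),  # Office parent, shell, new host
] + [make_event("CORP\\svc-backup", "cmd.exe", r"C:\Users\Public\winrs.exe", f"winrs /r:ws-0{i} cmd /c net user")
     for i in (1, 2, 3)]                                                                           # wrong path, fanned out
```

Run `score_event` over each event for the per-instance signals and `fan_out` over the whole batch for the medium-severity fan-out signal; the routine first event scores nothing, the others light up the signals their comments name.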

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
