Personal BlogTwitterGitHubContact

Windows Remote Management (WinRM)

MITRE ATT&CK, Lateral Movement, Sub-technique T1021.006

Enabling PowerShell Remoting

In a PowerShell console running as administrator enable PowerShell Remoting:

Enable-PSRemoting –force

Set WinRM start mode to automatic:

Set-Service WinRM -StartMode Automatic

Verify start mode and state:

Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}

Set Remote Hosts to Trusted

Configure all hosts to be trusted:

Set-Item WSMan:localhost\client\trustedhosts -value *

Validate trusted hosts configuration:

Get-Item WSMan:\localhost\Client\TrustedHosts

Establishing a Session

Interactive session using the current user:

Enter-PsSession –ComputerName $host

Interactive session with explicit credentials:

Enter-PsSession –ComputerName $host –Credentials $domain\$user

Create a background session using the current user::

New-PSSession -ComputerName $host

Create a background session with explicit credentials:

New-PSSession –ComputerName server1.domain.com –Credentials $domain\$user

List background sessions:

Get-PSSession

Interacting with a background session:

Enter-PsSession –id $id

Exiting out of a session:

Exit-PsSession

Remove all background sessions:

Get-PSSession | Disconnect-PSSession

References

LogoWinRM for Lateral Movement | Red Team Noteswww.ired.team
LogoPowerShell Remoting CheatsheetNetSPI
LogoEnable-PSRemoting (Microsoft.PowerShell.Core) - PowerShellMicrosoftLearn
LogoEnable and Use Remote Commands in Windows PowerShellMicrosoftLearn
LogoWindows PowerShell - Cool Pipeline Tricks, ReduxMicrosoftLearn
PreviousPowerShellNextLocal Administrator Password Solution (LAPS)

Last updated