Windows Remote Management (WinRM)

MITRE ATT&CK, Lateral Movement, Sub-technique T1021.006

Enabling PowerShell Remoting

In a PowerShell console running as administrator enable PowerShell Remoting:

Enable-PSRemoting –force

Set WinRM start mode to automatic:

Set-Service WinRM -StartMode Automatic

Verify start mode and state:

Get-WmiObject -Class win32_service | Where-Object {$ -like "WinRM"}

Set Remote Hosts to Trusted

Configure all hosts to be trusted:

Set-Item WSMan:localhost\client\trustedhosts -value *

Validate trusted hosts configuration:

Get-Item WSMan:\localhost\Client\TrustedHosts

Establishing a Session

Interactive session using the current user:

Enter-PsSession –ComputerName $host

Interactive session with explicit credentials:

Enter-PsSession –ComputerName $host –Credentials $domain\$user

Create a background session using the current user::

New-PSSession -ComputerName $host

Create a background session with explicit credentials:

New-PSSession –ComputerName –Credentials $domain\$user

List background sessions:


Interacting with a background session:

Enter-PsSession –id $id

Exiting out of a session:


Remove all background sessions:

Get-PSSession | Disconnect-PSSession


Last updated