Windows Remote Management (WinRM)

MITRE ATT&CK, Lateral Movement, Sub-technique T1021.006

In a PowerShell console running as administrator enable PowerShell Remoting:

Enable-PSRemoting –force

Set WinRM start mode to automatic:

Set-Service WinRM -StartMode Automatic

Verify start mode and state:

Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}

Configure all hosts to be trusted:

Set-Item WSMan:localhost\client\trustedhosts -value *

Validate trusted hosts configuration:

Get-Item WSMan:\localhost\Client\TrustedHosts

Interactive session using the current user:

Enter-PsSession –ComputerName $host

Interactive session with explicit credentials:

Enter-PsSession –ComputerName $host –Credentials $domain\$user

Create a background session using the current user::

New-PSSession -ComputerName $host

Create a background session with explicit credentials:

New-PSSession –ComputerName server1.domain.com –Credentials $domain\$user

List background sessions:

Get-PSSession

Interacting with a background session:

Enter-PsSession –id $id

Exiting out of a session:

Exit-PsSession

Remove all background sessions:

Get-PSSession | Disconnect-PSSession

References

Last updated 2 years ago