search
Personal BlogTwitterGitHubContact

Windows Remote Management (WinRM)

MITRE ATT&CK, Lateral Movement, Sub-technique T1021.006

hashtag
Enabling PowerShell Remoting

In a PowerShell console running as administrator enable PowerShell Remoting:

Enable-PSRemoting –force

Set WinRM start mode to automatic:

Set-Service WinRM -StartMode Automatic

Verify start mode and state:

Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}

hashtag
Set Remote Hosts to Trusted

Configure all hosts to be trusted:

Set-Item WSMan:localhost\client\trustedhosts -value *

Validate trusted hosts configuration:

Get-Item WSMan:\localhost\Client\TrustedHosts

hashtag
Establishing a Session

Interactive session using the current user:

Enter-PsSession –ComputerName $host

Interactive session with explicit credentials:

Create a background session using the current user::

Create a background session with explicit credentials:

List background sessions:

Interacting with a background session:

Exiting out of a session:

Remove all background sessions:

hashtag
References

LogoWinRM for Lateral Movement | Red Team Noteswww.ired.teamchevron-right
LogoPowerShell Remoting CheatsheetNetSPIchevron-right
LogoEnable-PSRemoting (Microsoft.PowerShell.Core) - PowerShellMicrosoftLearnchevron-right
LogoEnable and Use Remote Commands in Windows PowerShellMicrosoftLearnchevron-right
LogoWindows PowerShell - Cool Pipeline Tricks, ReduxMicrosoftLearnchevron-right
PreviousPowerShellNextLocal Administrator Password Solution (LAPS)

Last updated