Windows Remote Management (WinRM)
MITRE ATT&CK, Lateral Movement, Sub-technique T1021.006
Enabling PowerShell Remoting
In a PowerShell console running as administrator, enable PowerShell Remoting:
Enable-PSRemoting -Force
Set the WinRM service start mode to automatic (the parameter is -StartupType, not -StartMode):
Set-Service -Name WinRM -StartupType Automatic
Verify start mode and state:
Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}
Set Remote Hosts to Trusted
Configure the local client to trust all remote hosts. TrustedHosts is a client-side list of the hosts to which the client will send credentials over non-Kerberos authentication (for example NTLM); the wildcard * matches every host, so list specific host names instead where possible:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value *
Validate trusted hosts configuration:
Get-Item WSMan:\localhost\Client\TrustedHosts
Establishing a Session
Interactive session using the current user:
Enter-PSSession -ComputerName $computer
Interactive session with explicit credentials (the parameter is -Credential; passing a user name as a string prompts for the password):
Enter-PSSession -ComputerName $computer -Credential "$domain\$user"
Create a background session using the current user:
New-PSSession -ComputerName $computer
Create a background session with explicit credentials:
New-PSSession -ComputerName server1.domain.com -Credential "$domain\$user"
List background sessions:
Get-PSSession
Interacting with a background session:
Enter-PSSession -Id $id
Exiting out of a session:
Exit-PSSession
Remove all background sessions (Disconnect-PSSession only disconnects them; the sessions stay alive on the remote host until removed):
Get-PSSession | Remove-PSSession
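As an added example (not from the original page), the steps above combined into one script that also reports the local WinRM state before connecting; the host name server1.domain.com and the Get-Credential prompt are placeholders standing in for real values:

```powershell
# Added example, not from the original page. $remoteHost is an assumed placeholder.
$remoteHost = 'server1.domain.com'

function Get-WinRMClientState {
    # Summarise the local WinRM service, its listeners and the client TrustedHosts list.
    $svc = Get-Service -Name WinRM
    $listeners = Get-ChildItem WSMan:\localhost\Listener |
        ForEach-Object { $_.Keys -join ';' }      # e.g. "Transport=HTTP;Address=*"
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    [pscustomobject]@{
        ServiceStatus  = $svc.Status
        StartType      = $svc.StartType
        Listeners      = $listeners
        TrustedHosts   = $trusted
        TrustsAllHosts = ($trusted -eq '*')   # wildcard: client will authenticate to any host
    }
}

# 1. Enable remoting and make the service start automatically (run from an elevated console).
Enable-PSRemoting -Force
Set-Service -Name WinRM -StartupType Automatic

# 2. Trust only the specific host instead of '*'; -Concatenate appends to the existing list.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $remoteHost -Concatenate -Force

# 3. Review the resulting client configuration before opening any session.
Get-WinRMClientState | Format-List

# 4. Confirm the remote listener answers, then open a background session with explicit credentials.
Test-WSMan -ComputerName $remoteHost | Out-Null
$cred = Get-Credential -Message "Account for $remoteHost (DOMAIN\user)"
$session = New-PSSession -ComputerName $remoteHost -Credential $cred

# 5. Run a command inside the session instead of working interactively; results come back as objects.
Invoke-Command -Session $session -ScriptBlock {
    Get-Service -Name WinRM | Select-Object MachineName, Status, StartType
}

# 6. Remove the session when finished (Disconnect-PSSession would leave it alive on the server).
Remove-PSSession -Session $session
```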