PSRemoting

Windows-native remote management over WinRM (TCP 5985/5986). Enabled by default on Server 2012+ and runs as a high-integrity process. Requires administrative rights on the target and is the recommended method for managing Windows Server Core (a GUI-less server variant). Operates similarly to psexec but is quieter and faster. It supports logging via Script Block Logging and System-wide Transcription. Interactive sessions launch wsmprovhost.exe under Logon Type 3.

Session Types

PSRemoting supports:

  • Interactive (one-to-one) stateful sessions using Enter-PSSession (starts an interactive session with a remote host) and New-PSSession (creates a persistent remote session without entering it).
  • One-to-many non-interactive execution using Invoke-Command, which runs a script block, a local script file, or a locally loaded function against one or more remote hosts.

# One-to-one interactive session
Enter-PSSession -ComputerName dcorp-adminsrv

# One-to-one persistent session
$sess = New-PSSession -ComputerName dcorp-adminsrv
Invoke-Command -Session $sess -ScriptBlock { whoami }

# One-to-many non-interactive
Invoke-Command -ScriptBlock { $env:COMPUTERNAME; $env:USERNAME } -ComputerName dcorp-adminsrv

# Execute local script remotely
Invoke-Command -FilePath payload.ps1 -cn (Get-Content servers.txt)

# Reuse session
$sess = New-PSSession dcorp-adminsrv
Invoke-Command -Session $sess -ScriptBlock { $env:COMPUTERNAME }

# Execute script blocks on remote machines
Invoke-Command -ScriptBlock { Get-Process } -cn (GC servers.txt)

# Execute local scripts on remote machines
Invoke-Command -FilePath payload.ps1 -cn (GC servers.txt)

# Execute locally loaded functions on remote machines
Invoke-Command -ScriptBlock ${function:malFun} -cn (GC servers.txt)

# Execute locally loaded functions using (only) positional args
Invoke-Command -ScriptBlock ${function:malFun} -cn (GC servers.txt) -Args <arg>

WinRS

winrs is a more OPSEC-friendly alternative to the above cmdlets. It offers remote execution over WinRM without standard PowerShell logging (Script Block Logging and transcription do not see the command, since no PowerShell host runs on the target unless the command itself starts one):

# Execute command using implicit (current session) credentials
winrs -remote:dcorp-adminsrv $env:USERNAME

# Execute command using explicit credentials
winrs -r:dcorp-adminsrv -u:dcorp\user -p:Password123 $env:COMPUTERNAME

winrm.vbs or COM WSMan objects can be used for additional stealth or scripting scenarios.
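The page notes that PSRemoting is covered by Script Block Logging and system-wide transcription, that an interactive session shows up as wsmprovhost.exe under a Logon Type 3 logon, and that winrs sidesteps the PowerShell logs. The following PowerShell is an added example, not part of the original page, that turns those two logging features on and then pulls the events a remote session leaves behind, so the footprint of the cmdlets above can be checked on a lab host. The registry paths and event IDs are the documented Group Policy locations and channels; the transcript output directory is a placeholder. Run it elevated on the target host.

```powershell
# Added example (not from the original page). Enable Script Block Logging and
# system-wide transcription, then review the traces of a PSRemoting session.

$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging: the text of every executed script block is written as
# event ID 4104 to Microsoft-Windows-PowerShell/Operational. This is what
# captures the contents of Invoke-Command -ScriptBlock / -FilePath / ${function:...}.
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# System-wide transcription: every PowerShell host, including the wsmprovhost.exe
# instance that serves a remote session, writes a transcript to OutputDirectory.
New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableTranscripting    -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String  # placeholder path

# --- Review what a remote session left behind in the last 24 hours ---
$since = (Get-Date).AddHours(-24)

# 4104: executed script block text. Properties[2] is ScriptBlockText.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } } |
  Format-Table -Wrap

# 4624 with LogonType 3 (network): the logon both PSRemoting and winrs produce.
# In the 4624 event Properties[5]/[6] are the target user and domain, [8] is the
# logon type and [18] the source address. winrs leaves no 4104, so this logon plus
# the wsmprovhost.exe / child process creation (Security 4688 or Sysmon 1) is the
# signal to correlate on.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
  Where-Object { $_.Properties[8].Value -eq 3 } |
  Select-Object TimeCreated,
    @{ n = 'User';   e = { "$($_.Properties[6].Value)\$($_.Properties[5].Value)" } },
    @{ n = 'Source'; e = { $_.Properties[18].Value } } |
  Format-Table
```

The registry writes take effect for new PowerShell hosts, so a session opened after the script runs is logged; an Enter-PSSession from the first block above then shows its commands as 4104 events and as a transcript file under the output directory, while a winrs run from the second block shows up only in the 4624/4688 correlation.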
