search

PSRemoting

Windows-native remote management over WinRM (TCP 5985/5986). Enabled by default on Server 2012+ and runs as a high-integrity process. Requires administrative rights on the target and is the recommended method for managing Windows Server Core (a GUI-less server variant). Operates similarly to psexec but is quieter and faster. It supports logging via Script Block Logging and System-wide Transcription. Interactive sessions launch wsmprovhost.exe under Logon Type 3.

hashtag
Session Types

PSRemoting supports:

# One-to-one interactive session
Enter-PSSession -ComputerName dcorp-adminsrv

# One-to-one persistent session
$sess = New-PSSession -ComputerName dcorp-adminsrv
Invoke-Command -Session $sess -ScriptBlock { whoami }
# One-to-many non-interactive
Invoke-Command -ScriptBlock{$env:computername;$env:username} -ComputerName dcorp-adminsrv

# Execute local script remotely
Invoke-Command -FilePath payload.ps1 -cn (Get-Content servers.txt)

# Reuse session
$sess = New-PSSession dcorp-adminsrv
Invoke-Command -Session $sess -ScriptBlock { $env:COMPUTERNAME }

# Execute Scriptblocks on remote machines
Invoke-Command -Scriptblock {Get-Process} -cn (GC servers.txt)

# Execute local scripts on remote machines
Invoke-Command -FilePath payload.ps1 -cn (GC servers.txt)

# Execute locally loaded functions on remote machines
Invoke-Command -Scriptblock ${function:malFun} -cn (GC servers.txt)

# Execute locally loaded functions using (only) position args
Invoke-Command -Scriptblock ${function:malFun} -cn (GC servers.txt) -Args <arg>

hashtag
WinRS

circle-info

winrm.vbsarrow-up-right or COM WSMan objectsarrow-up-right can be used for additional stealth or scripting scenarios.

winrsarrow-up-right is a more OPSEC-friendly alternative to the above cmdlets. It offers remote execution over WinRM without standard PS logging:

PreviousPowerShellNextC2s

Last updated