# PowerShell Remoting

## PS Remoting

PSRemoting uses Windows Remote Management (WinRM). It is enabled by default on Server 2012 onwards with a firewall exception.&#x20;

It is a high integrity process which means that we always get an elevated shell.

**Note:** This is why we need admin privileges while running PSRemotingLocalAccess to hunt admin users. Unless it is an admin user, we won't be able to use PSRemoting and hence the test.

**To get a shell of another computer using PS Remoting**

```powershell
#Enable PowerShell Remoting on current Machine (Needs Admin Access)
Enable-PSRemoting

#Entering or Starting a new PSSession (Needs Admin Access)
Enter-PSSession -ComputerName <Name> 

#OR

$sess = New-PSSession -ComputerName <Name>
Enter-PSSession -Sessions <SessionName>
```

### Remote Code Execution with PS Credentials

{% code overflow="wrap" %}

```powershell
$SecPassword = ConvertTo-SecureString '<Wtver>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\<WtverUser>', $SecPassword)
Invoke-Command -ComputerName <WtverMachine> -Credential $Cred -ScriptBlock {whoami}
```

{% endcode %}

### Invoke PowerShell Module & Execute Remotely

{% code overflow="wrap" %}

```powershell
#Execute the command and start a session
Invoke-Command -Credential $cred -ComputerName <NameOfComputer> -FilePath c:\FilePath\file.ps1 -Session $sess

#Interact with the session
Enter-PSSession -Session $sess    
```

{% endcode %}

### Remote Code Execution on Multiple Servers using a Target File

{% code overflow="wrap" %}

```powershell
Invoke-Command -Scriptblock {Get-Process} -ComputerName
(Get-Content <list_of_servers>) 

Invoke-Command -Scriptblock {Get-Process} -ComputerName
(Get-Content <list_of_servers>) 
```

{% endcode %}

### WinRS Executable instead of PSRemoting for Stealth

{% code overflow="wrap" %}

```powershell
winrs -remote:server1 -u:server1\administrator -p:Pass@1234 hostname
```

{% endcode %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://playbook.sidthoviti.com/active-directory-pentest/lateral-movement/powershell-remoting.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.