PowerShell Remoting

PS Remoting

PSRemoting uses Windows Remote Management (WinRM). It is enabled by default on Server 2012 onwards with a firewall exception.

It is a high integrity process which means that we always get an elevated shell.

Note: This is why we need admin privileges while running PSRemotingLocalAccess to hunt admin users. Unless it is an admin user, we won't be able to use PSRemoting and hence the test.

To get a shell of another computer using PS Remoting

#Enable PowerShell Remoting on current Machine (Needs Admin Access)
Enable-PSRemoting

#Entering or Starting a new PSSession (Needs Admin Access)
Enter-PSSession -ComputerName <Name> 

#OR

$sess = New-PSSession -ComputerName <Name>
Enter-PSSession -Sessions <SessionName>

Remote Code Execution with PS Credentials

$SecPassword = ConvertTo-SecureString '<Wtver>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb.local\<WtverUser>', $SecPassword)
Invoke-Command -ComputerName <WtverMachine> -Credential $Cred -ScriptBlock {whoami}

Invoke PowerShell Module & Execute Remotely

#Execute the command and start a session
Invoke-Command -Credential $cred -ComputerName <NameOfComputer> -FilePath c:\FilePath\file.ps1 -Session $sess

#Interact with the session
Enter-PSSession -Session $sess

Remote Code Execution on Multiple Servers using a Target File

Invoke-Command -Scriptblock {Get-Process} -ComputerName
(Get-Content <list_of_servers>) 

Invoke-Command -Scriptblock {Get-Process} -ComputerName
(Get-Content <list_of_servers>)

WinRS Executable instead of PSRemoting for Stealth

winrs -remote:server1 -u:server1\administrator -p:Pass@1234 hostname
PreviousLateral MovementNextExtracting Creds, Hashes, Tickets

Last updated