Windows Remote Management
ID: T1028 Tactic: Execution, Lateral Movement
Windows Remote Management (WinRM) is the name of both a Windows Service and a protocol that allows a user to interact with a remote system (e.g., run an executable modify the Registry, modify services). It may be called with the
winrmcommand or by any number of programs such as PowerShell.
Without the use of PowerShell Code execution can be accomplised with the following syntax on our attacking machine.
There are great tools that can be used when this server is available and we have credentials for the machine let's use
evil-winrmfor this example Winrm has been activated on the machine so we can utilize this service. With our Kali box we can attack it very simply use the proper tools.
evil-winrm -i IP -u User -p Password