Windows Remote Management

ID: T1028 Tactic: Execution, Lateral Movement

Windows Remote Management (WinRM) is the name of both a Windows Service and a protocol that allows a user to interact with a remote system (e.g., run an executable modify the Registry, modify services). It may be called with the winrm command or by any number of programs such as PowerShell.

Without the use of PowerShell Code execution can be accomplised with the following syntax on our attacking machine.

There are great tools that can be used when this server is available and we have credentials for the machine let's use evil-winrm for this example Winrm has been activated on the machine so we can utilize this service. With our Kali box we can attack it very simply use the proper tools.

evil-winrm -i IP -u User -p Password

PreviousRegsvr32 NextWindows Management Instrumentation (WMI)

Last updated 4 years ago

Was this helpful?