evil-winrm
Manage Windows systems remotely via WinRM
TLDR
Connect to a host
Connect to a host using pass-the-hash authentication instead of a password
Connect to a host, specifying directories for PowerShell scripts and executables
Connect to a host using SSL
Upload a file to the host
List all loaded PowerShell functions
Load a PowerShell script from the --scripts directory
Invoke a binary on the host from the --executables directory
SYNOPSIS
evil-winrm -i target_ip -u username -p password [options]
evil-winrm -i target_ip -u username -H ntlm_hash [options]
PARAMETERS
-i, --target IP
Specifies the target IP address or hostname of the Windows machine.
-u, --user username
Provides the username for authentication on the target machine.
-p, --password password
Specifies the password for authentication. Use with -u.
-H, --hash NTLM_hash
Provides the NTLM hash for authentication. An alternative to using a clear-text password.
-P, --port port
Sets the WinRM port (default: 5985 for HTTP, 5986 for HTTPS).
-S, --ssl
Enables SSL for WinRM communication. Used automatically for port 5986.
-s, --shell path
Specifies a custom shell executable path on the target (e.g., cmd.exe, powershell.exe).
-e, --exec command
Executes a single command on the target and then exits.
-r, --resource script_path
Executes commands from a specified resource script file locally before establishing the session.
-x, --no-cleanup
Prevents the removal of the evil-winrm binary from the target machine after exiting.
-f, --files local_path:remote_path
Uploads or downloads files before/after command execution when used with --exec.
-l, --log path
Logs the session output to a specified file.
-v, --verbose
Enables verbose output for detailed debugging information.
-h, --help
Displays the help message and exits.
DESCRIPTION
evil-winrm is a Ruby-based command-line tool designed for penetration testers and red teamers to interact with Windows machines using the Windows Remote Management (WinRM) protocol. It provides an interactive PowerShell session, enabling users to execute commands, upload/download files, bypass AMSI, and load PowerShell scripts in memory. Its primary use case is post-exploitation and lateral movement within a compromised Windows environment, offering a robust and often less-monitored alternative to other remote execution methods. It supports authentication via username/password or NTLM hashes, making it a versatile tool for offensive operations.
CAVEATS
1. Requires the WinRM service to be enabled and properly configured on the target Windows machine.
2. Firewall rules on the target might need to be adjusted to permit WinRM traffic (ports 5985/5986).
3. Using clear-text passwords or NTLM hashes can expose credentials if network traffic is not encrypted.
4. While effective, activities performed via evil-winrm can still be detected by advanced Endpoint Detection and Response (EDR) solutions or antivirus software.
5. Default behavior cleans up artifacts, but not all traces are guaranteed to be removed.
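Caveats 2 and 3 are easiest to act on from the host side: audit the WinRM service settings and listeners before worrying about who might connect. The following Python script is an added example written for this page, not part of evil-winrm. It parses the indented `Name = value` layout that `winrm get winrm/config` and `winrm enumerate winrm/config/listener` print on Windows and reports settings that weaken transport protection; the sample output embedded below is constructed, not captured from a real host, and the weak configuration is shown beside a hardened one.

```python
"""Audit WinRM configuration text for settings that expose credentials or sessions.

Added example for this page, not part of evil-winrm. Parses the text layout of
`winrm get winrm/config` and `winrm enumerate winrm/config/listener`; the samples
below are constructed and the certificate thumbprint is a placeholder."""

# Constructed sample: the weak configuration (HTTP only, unencrypted SOAP allowed,
# Basic auth on, listener bound to every address).
WEAK_CONFIG = """\
Config
    MaxEnvelopeSizekb = 500
    Service
        AllowUnencrypted = true
        Auth
            Basic = true
            Kerberos = true
            Negotiate = true
            Certificate = false
            CredSSP = false
        EnableCompatibilityHttpListener = false
"""
WEAK_LISTENERS = """\
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.0.0.7, 127.0.0.1
"""

# Constructed sample: the corrected configuration (HTTPS on 5986, bound to one
# management address, no unencrypted or Basic authentication).
HARDENED_CONFIG = WEAK_CONFIG.replace("AllowUnencrypted = true", "AllowUnencrypted = false") \
                             .replace("Basic = true", "Basic = false")
HARDENED_LISTENERS = """\
Listener
    Address = 10.0.0.7
    Transport = HTTPS
    Port = 5986
    Hostname = host01.corp.example
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint = 0000000000000000000000000000000000000000
    ListeningOn = 10.0.0.7
"""


def parse_winrm_config(text):
    """Flatten the 4-space-indented tree into {'Config.Service.Auth.Basic': 'true', ...}.
    Bare lines (section names, or fields printed with an empty value) become path
    components and are popped again when a line at the same depth follows."""
    result, stack = {}, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        depth = (len(raw) - len(raw.lstrip(" "))) // 4
        del stack[depth:]
        line = raw.strip()
        if " = " in line:
            name, value = line.split(" = ", 1)
            result[".".join(stack + [name])] = value.strip()
        else:
            stack.append(line)
    return result


def parse_listeners(text):
    """Return one dict per listener block; each unindented 'Listener' line starts a new one."""
    listeners, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Listener" and not raw.startswith(" "):
            current = {}
            listeners.append(current)
        elif current is not None and " = " in line:
            name, value = line.split(" = ", 1)
            current[name] = value.strip()
    return listeners


def audit_winrm(config, listeners):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    if config.get("Config.Service.AllowUnencrypted", "false").lower() == "true":
        findings.append("AllowUnencrypted=true: service accepts unencrypted SOAP; set it to false")
    if config.get("Config.Service.Auth.Basic", "false").lower() == "true":
        findings.append("Basic auth enabled: credentials are only base64-encoded unless the transport is HTTPS")
    enabled = [l for l in listeners if l.get("Enabled", "true").lower() == "true"]
    transports = {l.get("Transport", "").upper() for l in enabled}
    if "HTTPS" not in transports:
        findings.append("no HTTPS listener (5986): sessions depend on HTTP (5985); add a certificate-backed listener")
    if any(l.get("Transport", "").upper() == "HTTP" and l.get("Address") == "*" for l in enabled):
        findings.append("HTTP listener bound to all addresses (*): restrict to a management interface or firewall 5985")
    return findings


if __name__ == "__main__":
    for label, cfg, lst in (("weak", WEAK_CONFIG, WEAK_LISTENERS),
                            ("hardened", HARDENED_CONFIG, HARDENED_LISTENERS)):
        print(label, audit_winrm(parse_winrm_config(cfg), parse_listeners(lst)))
```

On a real host, pipe the two `winrm` commands' output into the parsers instead of the constructed strings; the flattened key names are the ones Windows prints, so a check for any other setting is one more `config.get(...)` line.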
INTERACTIVE SESSION COMMANDS
Within an active evil-winrm session, users can execute built-in commands such as upload (to transfer local files to the target), download (to retrieve files from the target), menu_ps (to load common PowerShell scripts from a local menu), invoke_shellcode, and amsi_bypass, providing extended functionality beyond standard PowerShell.
AMSI AND SCRIPT BYPASS
A significant feature of evil-winrm is its ability to often bypass the Anti-Malware Scan Interface (AMSI) and other security measures, allowing the execution of malicious PowerShell scripts that would otherwise be blocked by Windows Defender or other security products. It can also load scripts directly into memory, further reducing its forensic footprint.
AUTHENTICATION METHODS
The tool supports multiple authentication methods, primarily username/password and NTLM hash-based authentication, so it can be used with whatever form of credential is obtained during a penetration test.
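Caveat 4 above notes that EDR can still see these sessions, and both authentication methods described here leave the same trail on the target: a network logon (Security event 4624, logon type 3; NTLM as the authentication package when a password or hash is used rather than Kerberos) followed by processes whose parent is wsmprovhost.exe, the WinRM host that runs remote PowerShell commands. The Python script below is an added example written for this page, not part of evil-winrm; it correlates the two event types by logon id. The event records are dicts using Security log field names and are constructed sample data, not captured from a real host.

```python
"""Correlate Windows Security events into suspected interactive WinRM sessions.

Added example for this page, not part of evil-winrm. Records are dicts keyed by
Security log field names (4624 logon, 4688 process creation); the sample events
are constructed."""
from collections import defaultdict

# wsmprovhost.exe hosts the remote PowerShell runspace for WinRM, so any process
# it spawns originated in a WinRM session.
WINRM_HOST_PROCESS = "wsmprovhost.exe"

# Constructed sample events (real records carry many more fields).
SAMPLE_EVENTS = [
    # NTLM network logon: what password or hash authentication over WinRM produces.
    {"EventID": 4624, "TargetUserName": "svc_backup", "TargetLogonId": "0x3e7a1",
     "LogonType": 3, "AuthenticationPackageName": "NTLM", "IpAddress": "10.0.0.55"},
    # Kerberos network logon from an admin workstation.
    {"EventID": 4624, "TargetUserName": "helpdesk01", "TargetLogonId": "0x5c3f0",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.20"},
    # Kerberos network logon for a file share: benign, spawns nothing under WinRM.
    {"EventID": 4624, "TargetUserName": "alice", "TargetLogonId": "0x4b210",
     "LogonType": 3, "AuthenticationPackageName": "Kerberos", "IpAddress": "10.0.0.21"},
    # Processes spawned by the WinRM host under the NTLM session's logon id.
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1",
     "NewProcessName": r"C:\Windows\System32\whoami.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe"},
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe"},
    # One process under the Kerberos WinRM session.
    {"EventID": 4688, "SubjectLogonId": "0x5c3f0",
     "NewProcessName": r"C:\Windows\System32\ipconfig.exe",
     "ParentProcessName": r"C:\Windows\System32\wsmprovhost.exe"},
    # Ordinary interactive process: benign.
    {"EventID": 4688, "SubjectLogonId": "0x4b210",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]


def correlate_winrm_sessions(events):
    """Return {logon_id: finding} for every logon id that appears as the subject of a
    process spawned by wsmprovhost.exe, joined with its 4624 network logon (if seen)."""
    logons = {}
    children = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4624 and ev.get("LogonType") == 3:
            logons[ev["TargetLogonId"]] = ev   # 4624 TargetLogonId == 4688 SubjectLogonId
        elif (ev["EventID"] == 4688
              and ev.get("ParentProcessName", "").lower().endswith(WINRM_HOST_PROCESS)):
            children[ev["SubjectLogonId"]].append(ev["NewProcessName"])

    findings = {}
    for logon_id, procs in children.items():
        logon = logons.get(logon_id, {})
        ntlm = logon.get("AuthenticationPackageName") == "NTLM"
        findings[logon_id] = {
            "user": logon.get("TargetUserName"),
            "source_ip": logon.get("IpAddress"),
            "ntlm": ntlm,
            "processes": procs,
            # NTLM is what both password and pass-the-hash WinRM logons look like,
            # so rank it above a Kerberos-authenticated session.
            "severity": "high" if ntlm else "medium",
        }
    return findings


if __name__ == "__main__":
    for logon_id, finding in correlate_winrm_sessions(SAMPLE_EVENTS).items():
        print(logon_id, finding)
```

Feeding real records requires process creation auditing (4688 with command-line logging, or Sysmon event 1) and the Security log's 4624 events; the join key is the same in both sources.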
HISTORY
evil-winrm emerged as a specialized and feature-rich tool within the offensive security community to provide a robust interactive shell over the Windows Remote Management (WinRM) protocol. It was developed to streamline post-exploitation tasks, offering capabilities like AMSI bypass, in-memory script execution, and simplified file transfers. Its ease of use and powerful features quickly made it a staple for penetration testers and red teamers for lateral movement and maintaining persistence in Windows environments.
SEE ALSO
powershell(1), impacket(1), crackmapexec(1), nmap(1), wmic(1)