LinuxCommandLibrary

evil-winrm

Manage Windows systems remotely via WinRM

TLDR

Connect to a host
$ evil-winrm [[-i|--ip]] [ip] [[-u|--user]] [user] [[-p|--password]] [password]

Connect to a host using pass-the-hash authentication instead of a password
$ evil-winrm [[-i|--ip]] [ip] [[-u|--user]] [user] [[-H|--hash]] [nt_hash]

Connect to a host, specifying directories for PowerShell scripts and executables
$ evil-winrm [[-i|--ip]] [ip] [[-u|--user]] [user] [[-p|--password]] [password] [[-s|--scripts]] [path/to/scripts] [[-e|--executables]] [path/to/executables]

Connect to a host, using SSL
$ evil-winrm [[-i|--ip]] [ip] [[-u|--user]] [user] [[-p|--password]] [password] [[-S|--ssl]] [[-c|--pub-key]] [path/to/pubkey] [[-k|--priv-key]] [path/to/privkey]

Upload a file to the host
$ PS > upload [path/to/local/file] [path/to/remote/file]

List all loaded PowerShell functions
$ PS > menu

Load a PowerShell script from the --scripts directory
$ PS > [script.ps1]

Invoke a binary on the host from the --executables directory
$ PS > Invoke-Binary [binary.exe]

SYNOPSIS

evil-winrm -i target_ip -u username -p password [options]
evil-winrm -i target_ip -u username -H ntlm_hash [options]

PARAMETERS

-i, --target IP
    Specifies the target IP address or hostname of the Windows machine.

-u, --user username
    Provides the username for authentication on the target machine.

-p, --password password
    Specifies the password for authentication. Use with -u.

-H, --hash NTLM_hash
    Provides the NTLM hash for authentication. An alternative to using a clear-text password.

-P, --port port
    Sets the WinRM port (default: 5985 for HTTP, 5986 for HTTPS).

-S, --ssl
    Enables SSL for WinRM communication. Used automatically for port 5986.

-s, --shell path
    Specifies a custom shell executable path on the target (e.g., cmd.exe, powershell.exe).

-e, --exec command
    Executes a single command on the target and then exits.

-r, --resource script_path
    Executes commands from a specified resource script file locally before establishing the session.

-x, --no-cleanup
    Prevents the removal of the evil-winrm binary from the target machine after exiting.

-f, --files local_path:remote_path
    Uploads or downloads files before/after command execution when used with --exec.

-l, --log path
    Logs the session output to a specified file.

-v, --verbose
    Enables verbose output for detailed debugging information.

-h, --help
    Displays the help message and exits.

DESCRIPTION

evil-winrm is a Ruby-based command-line tool designed for penetration testers and red teamers to interact with Windows machines using the Windows Remote Management (WinRM) protocol. It provides an interactive PowerShell session, enabling users to execute commands, upload/download files, bypass AMSI, and load PowerShell scripts in memory. Its primary use case is post-exploitation and lateral movement within a compromised Windows environment, offering a robust and often less-monitored alternative to other remote execution methods. It supports authentication via username/password or NTLM hashes, making it a versatile tool for offensive operations.

CAVEATS

1. Requires the WinRM service to be enabled and properly configured on the target Windows machine.
2. Firewall rules on the target might need to be adjusted to permit WinRM traffic (ports 5985/5986).
3. Using clear-text passwords or NTLM hashes can expose credentials if network traffic is not encrypted.
4. While effective, activities performed via evil-winrm can still be detected by advanced Endpoint Detection and Response (EDR) solutions or antivirus software.
5. Default behavior cleans up artifacts, but not all traces are guaranteed to be removed.
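As an added defender-side example (not part of this page or of the evil-winrm project), the following PowerShell, run in an elevated session on the Windows host itself, audits the settings that caveats 2 and 3 depend on: which WinRM listeners are exposed on 5985/5986, whether the service permits unencrypted transport, and which authentication mechanisms are enabled. The function names are hypothetical; the WSMan: drive paths are the standard ones provided by the WSMan provider.

```powershell
# Added audit helper (hypothetical name). Reads the local WinRM service and
# listener configuration through the built-in WSMan: provider.
function Get-WinRmExposure {
    # Each listener reports its transport (HTTP, default port 5985; HTTPS, 5986),
    # bound address ('*' means every interface) and, for HTTPS, the certificate.
    $listeners = Get-ChildItem -Path 'WSMan:\localhost\Listener' | ForEach-Object {
        $props = Get-ChildItem -Path $_.PSPath
        [pscustomobject]@{
            Transport   = ($props | Where-Object Name -eq 'Transport').Value
            Port        = ($props | Where-Object Name -eq 'Port').Value
            Address     = ($props | Where-Object Name -eq 'Address').Value
            Certificate = ($props | Where-Object Name -eq 'CertificateThumbprint').Value
        }
    }

    # Service-side authentication switches; the provider stores them as 'true'/'false' strings.
    $svc  = 'WSMan:\localhost\Service'
    $auth = @{}
    foreach ($mech in 'Basic', 'Negotiate', 'Kerberos', 'Certificate', 'CredSSP') {
        $auth[$mech] = (Get-Item -Path "$svc\Auth\$mech").Value
    }

    [pscustomobject]@{
        Listeners        = $listeners
        # 'true' lets a client negotiate away message-level encryption over HTTP.
        AllowUnencrypted = (Get-Item -Path "$svc\AllowUnencrypted").Value
        Auth             = $auth
    }
}

# Added assessment (hypothetical name): turns the raw state into the findings
# a reviewer would raise against the caveats above.
function Test-WinRmHardening {
    $state = Get-WinRmExposure
    $findings = @()
    if ($state.AllowUnencrypted -eq 'true') {
        $findings += 'AllowUnencrypted=true: WinRM payloads may traverse the network in clear text'
    }
    if ($state.Auth['Basic'] -eq 'true') {
        $findings += 'Basic authentication enabled: only acceptable behind an HTTPS (5986) listener'
    }
    if ($state.Listeners | Where-Object { $_.Transport -eq 'HTTP' -and $_.Address -eq '*' }) {
        $findings += 'HTTP listener on 5985 bound to all addresses: restrict with firewall rules or an IPv4/IPv6 filter'
    }
    if (-not ($state.Listeners | Where-Object Transport -eq 'HTTPS')) {
        $findings += 'No HTTPS listener: remote management cannot use TLS on 5986'
    }
    return $findings
}

Get-WinRmExposure | Format-List
Test-WinRmHardening
```

An empty result from Test-WinRmHardening means none of the four conditions above applies; it does not by itself prove the host is hardened.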

INTERACTIVE SESSION COMMANDS

Within an active evil-winrm session, users can execute built-in commands such as upload (to transfer local files to the target), download (to retrieve files from the target), menu_ps (to load common PowerShell scripts from a local menu), invoke_shellcode, and amsi_bypass, providing extended functionality beyond standard PowerShell.

AMSI AND SCRIPT BYPASS

A significant feature of evil-winrm is its ability to often bypass the Anti-Malware Scan Interface (AMSI) and other security measures, allowing the execution of malicious PowerShell scripts that would otherwise be blocked by Windows Defender or other security products. It can also load scripts directly into memory, further reducing its forensic footprint on disk.

AUTHENTICATION METHODS

The tool supports multiple authentication methods, primarily username/password and NTLM hash-based authentication, so it can be used with whichever credential material (a clear-text password or an NT hash) is obtained during a penetration test.

HISTORY

evil-winrm emerged as a specialized and feature-rich tool within the offensive security community to provide a robust interactive shell over the Windows Remote Management (WinRM) protocol. It was developed to streamline post-exploitation tasks, offering capabilities like AMSI bypass, in-memory script execution, and simplified file transfers. Its ease of use and powerful features quickly made it a staple for penetration testers and red teamers for lateral movement and maintaining persistence in Windows environments.

SEE ALSO

powershell(1), impacket(1), crackmapexec(1), nmap(1), wmic(1)
