WinRS for Lateral Movement

It's possible to use a native Windows binary winrs to connect to a remote endpoint via WinRM like so:

winrs -r:ws01 "cmd /c hostname & notepad"

Below shows how we connect from DC01 to WS01 and execute two processes hostname,notepad and the process partent/child relationship for processes spawned by the winrshost.exe:

References

WS-Management COM: Another Approach for WinRM Lateral Movementbohops

PreviousWinRM for Lateral Movement NextWMI for Lateral Movement

Last updated 3 years ago