WINRM (Windows Remote Management)
● Regardless of the transport protocol used (HTTP or HTTPS), WinRM always encrypts all PowerShell
remoting communication after initial authentication.
● When a client connects to a domain server using its computer name, the default authentication protocol
is Kerberos. Kerberos guarantees both the user identity and server identity.
● When a client connects to a domain server using its IP address, or connects to a workgroup server,
Kerberos authentication isn't possible. In that case, PowerShell Remoting relies on the NTLM
authentication protocol.
● You can configure target servers to use SSL for PowerShell Remoting by assigning an SSL certificate to the
target server.
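The points above (encryption after authentication, Kerberos by host name versus NTLM by IP address, SSL on the target) map directly onto the WinRM service configuration. The following is an added example, not code from the original notes or from Microsoft's documentation: it audits the authentication and encryption settings of a WinRM server through the WSMan: drive, turns off unencrypted traffic if it was allowed, and publishes an HTTPS listener. It assumes an elevated PowerShell session on the target server; the host name and certificate thumbprint are placeholders.

```powershell
# Added example (not from the original notes): audit a WinRM server's
# authentication/encryption settings and publish an HTTPS listener.
# Assumes an elevated session on the target server. Host name and
# thumbprint below are placeholders, not values from the notes.

# 1. Authentication mechanisms the WinRM service accepts. Kerberos (domain
#    connections by host name) and Negotiate (which falls back to NTLM for
#    IP-address or workgroup connections) are on by default; Basic and
#    CredSSP should stay off unless there is a documented need for them.
Get-ChildItem WSMan:\localhost\Service\Auth | Select-Object Name, Value

# 2. AllowUnencrypted must stay false. With it set to true, a client that
#    negotiated Basic authentication over HTTP would send traffic in the clear,
#    which is the one case where "WinRM always encrypts" no longer holds.
$unencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
if ($unencrypted -eq 'true') {
    Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
}

# 3. Existing listeners: each entry's Keys show Address and Transport.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys

# 4. Add an HTTPS listener bound to a server-authentication certificate whose
#    subject matches the name clients will connect with. The thumbprint is a
#    placeholder; take the real one from Cert:\LocalMachine\My.
$hostName   = 'server01.corp.example'           # placeholder
$thumbprint = 'THUMBPRINT_OF_SERVER_CERT_HERE'  # placeholder
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumbprint }
if ($null -eq $cert) {
    throw "Certificate $thumbprint not found in Cert:\LocalMachine\My"
}
New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
    -HostName $hostName -CertificateThumbprint $cert.Thumbprint -Force

# 5. From a client, confirm the server negotiates Kerberos over the HTTPS
#    listener. Run by host name: connecting by IP address has no SPN to
#    request a ticket for, so Kerberos fails there and Negotiate uses NTLM.
Test-WSMan -ComputerName $hostName -Authentication Kerberos -UseSSL
```

Step 5 is the quick check for the Kerberos/NTLM distinction in the notes: repeat the `Test-WSMan` call with the server's IP address in place of the host name and it is expected to fail with Kerberos, while the default (Negotiate) authentication still succeeds via NTLM.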
Security Issues (from Black Hat USA 2014)
● The attacker can obtain administrator-equivalent rights on the target system - most typically, the
credentials for a privileged domain account.
● The attacker can laterally access the target system over common Windows ports and protocols (e.g.
SMB, NetBIOS, and/or WinRM).
● The attacker can bypass the default “Restricted” execution policy under which PowerShell will execute scripts.
● The attacker can remotely enable PowerShell remoting and the WinRM service on a remote host by
means of other native Windows commands - such as through a scheduled task (“at” command), the
service control manager (“sc” command), or Windows Management Instrumentation (WMI).
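Each step of the chain above leaves records on the target host, which is what makes it detectable. The following is an added example, not code from the Black Hat talk or from the original notes: it hunts one host's event logs for WinRM shells being opened, for remoting being switched on through a scheduled task or a new service, and for script blocks that configure remoting. It assumes an elevated session on the host being examined, that the Microsoft-Windows-WinRM/Operational log is enabled, that scheduled-task auditing (Security event 4698) and PowerShell script block logging (event 4104) are turned on, and a constructed seven-day window.

```powershell
# Added example (not from the talk or the notes): hunt for the footprints
# of the lateral-movement chain described above on a single host.
# Assumes an elevated session, the WinRM operational log enabled,
# scheduled-task auditing (4698) and script block logging (4104) on.
$since = (Get-Date).AddDays(-7)   # constructed time window

function Get-WinRmShellEvents {
    # WinRM operational event 91 is written when a remote WSMan shell is
    # created on this server, i.e. someone opened a remoting session here.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Id        = 91
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
}

function Get-RemoteEnablementEvents {
    # Remoting switched on from another host via a scheduled task or the
    # service control manager shows up as Security 4698 (task created) and
    # System 7045 (service installed); keep those whose payload touches WinRM.
    $tasks = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4698; StartTime = $since
    } -ErrorAction SilentlyContinue
    $services = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 7045; StartTime = $since
    } -ErrorAction SilentlyContinue
    (@($tasks) + @($services)) |
        Where-Object { $_.Message -match 'winrm|wsman|Enable-PSRemoting' } |
        Select-Object TimeCreated, LogName, Id, Message
}

function Get-RemotingScriptBlocks {
    # Script block logging (4104) records the code that ran; look for
    # remoting being configured or the execution policy being changed.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Message -match 'Enable-PSRemoting|Set-WSManQuickConfig|ExecutionPolicy'
    } |
    Select-Object TimeCreated, Message
}

# The execution policy is not a security boundary (it is overridable per
# process), so report it as a hygiene signal rather than relying on it.
Get-ExecutionPolicy -List

Get-WinRmShellEvents
Get-RemoteEnablementEvents
Get-RemotingScriptBlocks
```

The `-ErrorAction SilentlyContinue` on each query matters in practice: `Get-WinEvent` raises an error rather than returning nothing when a filter matches no events, which would otherwise abort the sweep on a quiet host. Wrapping the queries in functions also lets the same checks be pushed to many hosts with `Invoke-Command`.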
How does WINRM work?
● When you submit a remote command, the command is transmitted across the network to the PowerShell
engine on the remote computer, and it runs in the PowerShell client on the remote computer. The
command results are sent back to the local computer and appear in the PowerShell session on the local
computer.
● The necessary commands that we need to use to connect to a remote computer are:
● You can also use some cmdlets to run commands on another computer without PowerShell Remoting enabled
there; they expose a ComputerName parameter of their own (because they don’t use WINRM for the connection).
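The following is an added example, not code from the original notes: it shows the remoting cmdlets in use for remote triage, the difference between connecting by host name (Kerberos) and by IP address (NTLM), and the contrast with cmdlets that take a ComputerName parameter but do not use WinRM. It assumes Windows PowerShell 5.1, WinRM enabled on the target, and that the caller is a local administrator there; `server01` and `10.0.0.5` are placeholders.

```powershell
# Added example (not from the original notes). Assumes Windows PowerShell
# 5.1 on the client, WinRM enabled on the target, and local admin rights
# there. 'server01' and '10.0.0.5' are placeholders.

# Invoke-Command sends the script block over WinRM to the remote PowerShell
# engine; it runs there and only the results (deserialized objects) return.
Invoke-Command -ComputerName server01 -ScriptBlock {
    Get-Service WinRM | Select-Object Status, StartType
}

# By host name the session authenticates with Kerberos (mutual). By IP
# address there is no SPN to get a ticket for, so NTLM is used instead, which
# requires explicit credentials plus either HTTPS transport or the address
# being on the client's TrustedHosts list.
$cred = Get-Credential     # interactive prompt; placeholder credential
Invoke-Command -ComputerName 10.0.0.5 -Credential $cred -ScriptBlock { hostname }

# A persistent session can be reused across several Invoke-Command calls
# without re-authenticating; -UseSSL targets the HTTPS listener.
# Enter-PSSession would give an interactive prompt on the same session.
$s = New-PSSession -ComputerName server01 -UseSSL
Invoke-Command -Session $s -ScriptBlock {
    Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 5
}
Remove-PSSession $s

# Cmdlets that merely carry a -ComputerName parameter may use other
# transports and work without PowerShell Remoting on the target:
# Get-WmiObject goes over DCOM/RPC. Get-CimInstance -ComputerName, by
# contrast, does use WinRM (WS-Man), so it needs remoting enabled.
Get-WmiObject -Class Win32_Service -Filter "Name='WinRM'" -ComputerName server01
Get-CimInstance -ClassName Win32_Service -Filter "Name='WinRM'" -ComputerName server01
```

The last two lines are the practical test of the notes' remark about ComputerName parameters: against a host whose WinRM service is stopped, the `Get-WmiObject` call still succeeds over DCOM while the `Get-CimInstance` call fails, because only the latter depends on WinRM.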
References
● https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.3
● Investigating PowerShell Attacks, Black Hat USA 2014, by Ryan Kazanciyan and Matt Hastings
● https://devblogs.microsoft.com/scripting/table-of-basic-powershell-commands/
● https://dzone.com/articles/cloud-automation-winrm-vs-ssh