Visit official github page
Certified Red Team Professional (CRTP) - Notes

6.1 - PowerShell Remoting & Tradecraft

PowerShell Remoting

PowerShell Remoting (PSRemoting) is a powerful tool for remote administration, often compared to PsExec but more efficient, stealthy, and faster. It utilizes Windows Remote Management (WinRM), Microsoft's implementation of the WS-Management protocol.

  • Enabled by default on Windows Server 2012+ with firewall exceptions.

  • Listens on port 5985 (HTTP) and 5986 (HTTPS).

  • Recommended for managing Windows Core servers.

  • Requires Enable-PSRemoting on Windows desktops (admin privileges needed).

  • Runs with high integrity, providing an elevated shell by default.

PSSession

This mode establishes an interactive session with only one remote system.

🔹 Key Features:

  • Runs in a new process (wsmprovhost).

  • Maintains session state.

🔹 Useful Cmdlets:

  • New-PSSession – Creates a new session.

  • Enter-PSSession – Interacts with a remote session.

Example of usage:

Enter-PSSession dcorp-adminsrv

Invoke-Command

This method executes commands across multiple systems simultaneously.

🔹 Key Features:

  • Non-interactive execution.

  • Runs commands in parallel.

🔹 Useful Cmdlet:

  • Invoke-Command – Executes commands across multiple machines.

Useful Commands

  • Run a command remotely:

Invoke-Command -Scriptblock {Get-Process} -ComputerName (Get-Content <list_of_servers>)

  • Execute a script from a file:

Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)

  • Run a locally defined function on remote machines:

Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)

  • Pass arguments to a remote function (only positional arguments allowed):

Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) -ArgumentList <args>

  • Maintain a stateful session:

$Sess = New-PSSession -ComputerName Server1
Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}

Example of usage:

#For one machine
Invoke-Command -ScriptBlock{$env:computername;$env:username} -ComputerName dcorp-adminsrv
#For multiple machines
Invoke-Command -ScriptBlock{$env:computername;$env:username} -ComputerName (cat C:\AD\Tools\servers.txt)
#Storing a command in a variable
$adminsrv = New-PSSession dcorp-adminsrv
$adminsrv
Invoke-Command -Session $adminsrv -ScriptBlock{$env:computername;$env:username}

Tradecraft

PowerShell Remoting supports system-wide transcripts and script block logging, making activities traceable. However, alternatives like winrs can evade some logging mechanisms while still leveraging port 5985.

  • Using winrs to execute commands remotely:

winrs -remote:server1 -u:server1\administrator -p:Pass@1234 hostname
winrs -r:dcorp-adminsrv set computername

Labs

Refers to Learning Object 7 lab

Previous6️⃣ 6 - Lateral MovementNext6.2 - Credentials Extraction & Mimikatz

Last updated