6.1 - PowerShell Remoting & Tradecraft

PowerShell Remoting

PowerShell Remoting (PSRemoting) is a powerful tool for remote administration, often compared to PsExec but more efficient, stealthy, and faster. It utilizes Windows Remote Management (WinRM), Microsoft's implementation of the WS-Management protocol.

• Enabled by default on Windows Server 2012+ with firewall exceptions.

• Listens on port 5985 (HTTP) and 5986 (HTTPS).

• Recommended for managing Windows Core servers.

• Requires Enable-PSRemoting on Windows desktops (admin privileges needed).

• Runs with high integrity, providing an elevated shell by default.

PSSession

This mode establishes an interactive session with only one remote system.

🔹 Key Features:

• Runs in a new process (wsmprovhost).

• Maintains session state.

🔹 Useful Cmdlets:

• New-PSSession – Creates a new session.

• Enter-PSSession – Interacts with a remote session.

Example of usage:

Enter-PSSession dcorp-adminsrv

Invoke-Command

This method executes commands across multiple systems simultaneously.

🔹 Key Features:

• Non-interactive execution.

• Runs commands in parallel.

🔹 Useful Cmdlet:

• Invoke-Command – Executes commands across multiple machines.

Useful Commands

• Run a command remotely:

Invoke-Command -Scriptblock {Get-Process} -ComputerName (Get-Content <list_of_servers>)

• Execute a script from a file:

Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)

• Run a locally defined function on remote machines:

Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)

• Pass arguments to a remote function (only positional arguments allowed):

Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) -ArgumentList <args>

• Maintain a stateful session:

$Sess = New-PSSession -ComputerName Server1
Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}

Example of usage:

#For one machine
Invoke-Command -ScriptBlock{$env:computername;$env:username} -ComputerName dcorp-adminsrv
#For multiple machines
Invoke-Command -ScriptBlock{$env:computername;$env:username} -ComputerName (cat C:\AD\Tools\servers.txt)

#Storing a command in a variable
$adminsrv = New-PSSession dcorp-adminsrv
$adminsrv
Invoke-Command -Session $adminsrv -ScriptBlock{$env:computername;$env:username}

---

Tradecraft

PowerShell Remoting supports system-wide transcripts and script block logging, making activities traceable. However, alternatives like winrs can evade some logging mechanisms while still leveraging port 5985.

• Using winrs to execute commands remotely:

winrs -remote:server1 -u:server1\administrator -p:Pass@1234 hostname
winrs -r:dcorp-adminsrv set computername

• Using winrm.vbs and COM objects for WSMan: Refer to: GitHub - WSMan-WinRM

Labs

Refers to Learning Object 7 lab