WinRM and PowerShell Pivoting

Windows Remote Management (WinRM) is the Microsoft implementation of the WS-Management Protocol, which allows communication with different operating systems over RPC. WinRM supports scriptable objects that system admins can use to automate several administrative tasks. For this feature to work, you need a privileged badger, since the pivot_winrm command uses the psreflect module for PowerShell reflection. Fork&Run processes cannot use impersonated tokens. This feature also requires that the target/remote system has the WinRM service enabled and that the firewall allows communication over ports 5985 (HTTP) and 5986 (HTTPS). This can be validated using the badger's portscan command. After validating the WinRM port, the pivot_winrm command can be used to create a remote session, load the badger's shellcode into the remote system and return an HTTP/SMB/DOH or TCP badger. This command fully supports loading a custom payload configuration, converting that configuration into shellcode and loading it into memory for execution.

The above figure shows the initial scan of port 5985 on the Domain Controller (BRDC01 - 172.16.203.131). After validating the WinRM port, we can use an administrative badger (b-0) to pivot to the remote host and load our shellcode. The pivot_winrm command can launch a payload from a given payload configuration stored in the Payload Profiler and run it on a remote host. In the above figure, an SMB payload was executed, which started a named pipe on the remote host, and a connection was made to the named pipe using the pivot_smb command. As soon as we connect to the named pipe, we should see a badger from wsmprovhost.exe, which is usually responsible for launching WinRM connections on every host.
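The two observable traces this technique leaves are named above: a connection to the WinRM listener on 5985/5986, and a process tree rooted in wsmprovhost.exe on the remote host. The following is an added detection example (not Brute Ratel code and not from this page) that walks a batch of endpoint telemetry and flags both. It assumes a flattened JSON-lines form of Sysmon Event ID 1 (process creation: Image, ParentImage, User) and Event ID 3 (network connection: Image, DestinationIp, DestinationPort, Initiated); the sample records are constructed, and the small benign-child baseline is an assumption to be tuned per environment.

```python
"""Flag WinRM lateral-movement traces in endpoint telemetry (added example).

Two signals are checked:
  * Event ID 1 where the parent is wsmprovhost.exe, the WinRM provider host.
  * Event ID 3 outbound connections to the WinRM ports 5985 (HTTP) / 5986 (HTTPS).
"""
import json
from dataclasses import dataclass

WINRM_HOST_IMAGE = "wsmprovhost.exe"
WINRM_PORTS = {5985, 5986}
# Assumed baseline: wsmprovhost.exe spawning a console host is routine noise.
BENIGN_CHILDREN = {"conhost.exe"}

# Constructed sample telemetry (not real captures), one JSON object per line.
# 172.16.203.131 is the BRDC01 address used on the page; 203.0.113.10 is a
# documentation-range placeholder for an unrelated destination.
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "LAB\\alice"}
{"EventID": 3, "Computer": "WS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "172.16.203.131", "DestinationPort": "5985", "Initiated": "true"}
{"EventID": 1, "Computer": "BRDC01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe", "User": "LAB\\alice"}
{"EventID": 3, "Computer": "WS01", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "203.0.113.10", "DestinationPort": "443", "Initiated": "true"}
{"EventID": 1, "Computer": "BRDC01", "Image": "C:\\Windows\\System32\\conhost.exe", "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe", "User": "LAB\\alice"}
"""


@dataclass
class Finding:
    event_id: int   # Sysmon event type that produced the finding
    host: str       # computer that logged the event
    detail: str     # human-readable description for the analyst


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events: list) -> list:
    """Return findings for WinRM-hosted child processes and WinRM connections."""
    findings = []
    for ev in events:
        host = ev.get("Computer", "?")
        if ev.get("EventID") == 1:
            parent = _basename(ev.get("ParentImage", ""))
            child = _basename(ev.get("Image", ""))
            if parent == WINRM_HOST_IMAGE and child not in BENIGN_CHILDREN:
                findings.append(Finding(
                    1, host,
                    f"{child} spawned by {WINRM_HOST_IMAGE} as {ev.get('User', '?')}"))
        elif ev.get("EventID") == 3:
            port = int(ev.get("DestinationPort", 0))
            initiated = str(ev.get("Initiated", "")).lower() == "true"
            if port in WINRM_PORTS and initiated:
                findings.append(Finding(
                    3, host,
                    f"{_basename(ev.get('Image', ''))} -> "
                    f"{ev.get('DestinationIp', '?')}:{port} (outbound WinRM)"))
    return findings


def scan_log(text: str) -> list:
    """Convenience wrapper: parse then analyze a JSON-lines log."""
    return analyze(parse_events(text))


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[EventID {f.event_id}] {f.host}: {f.detail}")
```

On the sample, the benign notepad and browser records produce nothing, the conhost child is absorbed by the baseline, and two findings remain: the workstation's outbound connection to BRDC01 on 5985 and the powershell.exe process that wsmprovhost.exe started on BRDC01. Correlating the two by source host, destination and user is what turns them into a single lateral-movement event; in production the baseline of expected WinRM sources (management hosts, configuration tooling) does most of the noise reduction.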