Description
This PowerShell script configures WinRM, sets trusted hosts, and remotely executes a PowerShell payload on a specified target machine. It supports both explicit authentication (with a username and password) and impersonation.
Overview
This PowerShell script is designed to remotely execute a PowerShell payload on a target system using WinRM (Windows Remote Management). It supports two authentication modes:
- Explicit Authentication: Uses a provided username and password to authenticate.
- Impersonation: Uses the current session's credentials.
Key Actions:
- Configures WinRM on the local machine:
  - Enables PowerShell remoting (Enable-PSRemoting).
  - Sets TrustedHosts so that the local WinRM client will connect to any remote system.
- Defines a payload:
  - Retrieves a PowerShell script using Get-Payload with the provided Build identifier.
  - Creates a script block that starts a background job to execute the payload.
- Executes the payload on the remote target:
  - If credentials (Username and Password) are provided, it authenticates explicitly using Invoke-Command with credentials.
  - If no credentials are provided, it runs under the current user's security context.
This script enables remote execution via WinRM while ensuring secure credential handling and background execution of commands.
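The TrustedHosts change above is the setting a defender will most want to check for: a wildcard entry means the WinRM client will send NTLM or Basic credentials to any name or address it is pointed at, with no identity check on the remote end. The following audit snippet is an added example and is not part of the Specter script or project; it reads the local TrustedHosts value and WinRM listeners, and lists recent inbound WinRM shell creations from the Microsoft-Windows-WinRM/Operational log (event ID 91). The 24-hour lookback window is an assumption chosen for the example.

```powershell
# Added audit example; not part of the Specter script documented above.
# Run in an elevated PowerShell session: the WSMan: drive needs the WinRM
# service running, and the operational log needs administrator rights to read.

function Get-TrustedHostsFinding {
    # Reads the WinRM client TrustedHosts list and rates its exposure.
    try {
        $value = (Get-Item -Path 'WSMan:\localhost\Client\TrustedHosts' -ErrorAction Stop).Value
    } catch {
        return [pscustomobject]@{ Setting = 'TrustedHosts'; Value = $null; Risk = 'Unknown'
                                  Note = "WSMan drive unavailable: $($_.Exception.Message)" }
    }
    $entries = @(($value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $risk = 'Low'
    $note = 'Empty list: the client only connects to targets that support mutual authentication (Kerberos or HTTPS).'
    if ($entries -contains '*') {
        $risk = 'High'
        $note = 'Wildcard entry: this host will send NTLM/Basic credentials to any remote name or IP.'
    } elseif ($entries | Where-Object { $_.Contains('*') }) {
        $risk = 'Medium'
        $note = 'Partial wildcard entries present; review each pattern.'
    } elseif ($entries.Count -gt 0) {
        $risk = 'Medium'
        $note = 'Explicit entries present; confirm each is an expected management target.'
    }
    [pscustomobject]@{ Setting = 'TrustedHosts'; Value = $value; Risk = $risk; Note = $note }
}

function Get-WinRmListenerFinding {
    # Reports whether the WinRM service is running and which listeners accept
    # inbound sessions (Enable-PSRemoting creates an HTTP listener on all addresses).
    $svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $listeners = @()
    if ($svc -and $svc.Status -eq 'Running') {
        $listeners = @(Get-ChildItem -Path 'WSMan:\localhost\Listener' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $props = Get-ChildItem -Path $_.PSPath
                [pscustomobject]@{
                    Transport = ($props | Where-Object Name -eq 'Transport').Value
                    Address   = ($props | Where-Object Name -eq 'Address').Value
                    Port      = ($props | Where-Object Name -eq 'Port').Value
                }
            })
    }
    [pscustomobject]@{
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        Listeners     = $listeners
        Note          = if ($listeners | Where-Object { $_.Transport -eq 'HTTP' }) {
                            'An HTTP listener is enabled; confirm this host is meant to accept remote management.'
                        } else { 'No HTTP listener found.' }
    }
}

function Get-RecentWinRmShells {
    # Event ID 91 is logged on the receiving host when a remote WSMan shell is
    # created, which is what an Invoke-Command against this machine produces.
    param([int]$LookbackHours = 24)   # assumed window for the example
    $filter = @{
        LogName   = 'Microsoft-Windows-WinRM/Operational'
        Id        = 91
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, UserId, Message
}

Get-TrustedHostsFinding   | Format-List
Get-WinRmListenerFinding  | Format-List
Get-RecentWinRmShells     | Format-Table -AutoSize -Wrap
```

Event 91 only shows that a shell was opened, not who opened it in human-readable form; correlate the UserId SID and timestamp with Security event 4624 (logon type 3) on the same host to recover the account and source address, and treat a High TrustedHosts finding on a workstation as a configuration change worth explaining.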
Parameters
| Name | Type | Description |
|---|---|---|
| Target | string | The IP address or hostname of the target system. |
| Username | string | The local or domain username to authenticate with. Required for explicit authentication. |
| Password | string | The password for the specified user. Required for explicit authentication. |
| Build | string | The Specter build identifier. |
Example Output
```json
{
  "Lateral": {
    "Username": "[email protected]",
    "Build": "remote",
    "Payload": "cs_load_module",
    "Success": true,
    "Method": "WinRM",
    "System": "192.168.1.103"
  }
}
```
