Lateral Movement via WinRM Brief

What It Is

Using the built-in Windows Remote Management service to execute commands on remote systems with valid credentials. WinRM is the transport for PowerShell Remoting and provides a full interactive command execution channel over port 5985 (HTTP) or 5986 (HTTPS).

Preconditions

Valid credentials (password, NT hash, or Kerberos ticket) for an account in the local Administrators or Remote Management Users group on the target. WinRM must be enabled — it is on by default on Windows Server 2012+ and commonly pushed via GPO to workstations.

Attacker Gain

An interactive or scripted command execution channel on the remote system. Enables command execution, file access, LSASS extraction, and pivoting. No new service is created (unlike PsExec), so the forensic footprint is smaller, and the activity is functionally identical to legitimate administration.

Why Attackers Choose WinRM

  • Uses an existing service — no service creation artifact (vs PsExec Event ID 7045)
  • Standard authentication — Pass-the-Hash and Pass-the-Ticket both work
  • Interactive PowerShell session — supports complex multi-step operations
  • Enabled by default on servers — no attacker configuration needed
  • Difficult to distinguish from legitimate admin activity at the protocol level

Stakeholder Explanation

An attacker with stolen credentials uses the built-in remote management service to connect to computers and run commands. The connection looks identical to normal administrative activity — no exploit or special tools needed. Defenses: source IP restrictions, PowerShell logging, connection pattern monitoring.

Report Phrasing

Finding: Lateral Movement via WinRM. The operator authenticated to WinRM (port 5985) on [hosts] using [credential source]. Interactive sessions provided [access level]. [Further actions taken]. WinRM enabled with no source IP restrictions. No PowerShell Script Block Logging. Severity: High. Recommendation: Restrict WinRM to admin jump hosts. Enable PowerShell logging. Monitor unexpected connections.
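The two recommendations above (restrict WinRM to admin jump hosts, monitor unexpected connections) can be checked against connection logs. The following is an added example, not part of the original brief: it parses constructed key=value connection records (a stand-in for firewall or Security 4624 logon-type-3 events), keeps only port 5985/5986 traffic, flags sessions not originating from an assumed jump-host allowlist, and flags any single source fanning out to several WinRM targets, the pattern a lateral-movement operator leaves behind.

```python
from collections import defaultdict

WINRM_PORTS = {5985, 5986}
JUMP_HOSTS = {"10.10.0.5", "10.10.0.6"}  # assumed approved admin jump hosts

# Constructed sample records: one WinRM connection per line, "timestamp key=value ...".
SAMPLE_LOG = """\
2024-05-01T09:58:02 src=10.10.0.5 dst=FS01 dport=5985 user=CORP\\adm.jsmith
2024-05-01T10:02:11 src=10.20.3.44 dst=FS01 dport=5985 user=CORP\\svc_backup
2024-05-01T10:02:40 src=10.20.3.44 dst=FS02 dport=5985 user=CORP\\svc_backup
2024-05-01T10:03:05 src=10.20.3.44 dst=SQL01 dport=5986 user=CORP\\svc_backup
2024-05-01T10:03:30 src=10.20.3.44 dst=WEB01 dport=443 user=CORP\\svc_backup
2024-05-01T10:05:12 src=10.10.0.6 dst=DC01 dport=5985 user=CORP\\adm.klee
"""


def parse_line(line):
    """Parse one record into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        rec[key] = value
    try:
        rec["dport"] = int(rec["dport"])
    except (KeyError, ValueError):
        return None
    return rec


def winrm_events(log_text):
    """Keep only connections to the WinRM HTTP/HTTPS listener ports."""
    records = (parse_line(l) for l in log_text.splitlines())
    return [r for r in records if r and r["dport"] in WINRM_PORTS]


def unexpected_sources(events, jump_hosts):
    """WinRM sessions whose source is not an approved jump host."""
    return [e for e in events if e["src"] not in jump_hosts]


def fanout_sources(events, threshold=3):
    """Sources that opened WinRM sessions to >= threshold distinct hosts."""
    targets = defaultdict(set)
    for e in events:
        targets[e["src"]].add(e["dst"])
    return {src: sorted(h) for src, h in targets.items() if len(h) >= threshold}


def audit(log_text, jump_hosts=JUMP_HOSTS, threshold=3):
    """Run both checks and return the findings."""
    events = winrm_events(log_text)
    return {"unexpected": unexpected_sources(events, jump_hosts),
            "fanout": fanout_sources(events, threshold)}
```

With the sample data, `audit(SAMPLE_LOG)` reports three sessions from 10.20.3.44 that bypassed the jump hosts and names that address as fanning out to FS01, FS02 and SQL01; the port-443 line is ignored because it is not WinRM traffic.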