WinRM shell client with built-in post-exploitation features — file upload/download, AMSI bypass, in-memory PowerShell execution.
Installation
Pick the install method that matches your stack. The Docker option is the cleanest for one-off scans where you don’t want to pollute your workstation.
Ruby gem
gem install evil-winrm
Docker
docker run --rm -ti --name evil-winrm oscarakaelvis/evil-winrm -i 10.0.0.5 -u admin -p pass
Linux (apt)
sudo apt install evil-winrm
Core commands
The handful of invocations you’ll actually run on 90% of engagements:
Connect with password
evil-winrm -i 10.0.0.5 -u admin -p pass
Connect with NTLM hash
evil-winrm -i 10.0.0.5 -u admin -H aad3b4...
Connect with Kerberos
evil-winrm -i WS01.corp.local -u admin -k
Upload file
upload local.exe C:WindowsTemplocal.exe
Run obfuscated PS1
invoke-binary "C:WindowsTempTool.exe"
Bypass AMSI
Bypass-4MSI
Performance optimisation
What separates a junior who runs the default invocation from a practitioner who knows the knobs:
-s scripts/auto-loads scripts (.ps1) into the session — savesuploadstep.-SSSL mode (port 5986) — encrypted, less detected on the wire.-cauto-confirms — useful in scripted attacks.-llog all commands to file — essential for engagement reporting.- AMSI bypass built-in (
Bypass-4MSI) — but signatures change; test in lab first.
Common pitfalls
Real failure modes that bite people on engagements. Most are recoverable; a few are reputation-damaging.
- WinRM service must be enabled on target (Windows server default; client edition often off).
- Default port 5985 (HTTP) vs 5986 (HTTPS) — choose 5986 for encrypted ops.
- EDR detects evil-winrm by user-agent + Ruby HTTP library quirks. Some go undetected; CrowdStrike/SentinelOne flag.
invoke-binaryrequires staged binary on disk — drops to disk briefly.
Modern alternatives in 2026
The ecosystem moves fast. These are tools you should at least be aware of:
- NetExec winrm — same protocol, integrated.
- WinRM-PS (PowerShell native).
India context and engagement notes
For Indian internal pen-tests: WinRM is widely enabled on Windows servers. Once you have admin creds (from Mimikatz / NTLM relay / etc.), evil-winrm is the fastest path to interactive shell. Always log commands for the report.
⚖️ Legal: Use only on systems you own or have explicit written authorisation to test. In India, unauthorised access is punishable under Section 66 of the IT Act, 2000 (up to 3 years imprisonment + fine). Pair every engagement with a signed Statement of Work or Rules of Engagement before running anything from this page.
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.