Cobalt Strike BOF that leverages WinRM plugins to execute arbitrary DLLs on a target system.
Example:
beacon> winrm-plugin-jump --system <hostname> --action install --dll <local-path-to-dll>
beacon> winrm-plugin-jump --system <hostname> --action call
beacon> winrm-plugin-jump --system <hostname> --action uninstall
Options:
--system <hostname>
: Hostname of the target system
--action <install|call|uninstall>
: install: Copies the DLL to the System32 folder on the target system, registers a plugin in the registry and restarts the WinRM service.
: call: Calls the WinRM Put method.
: uninstall: Unregisters the plugin from the registry, deletes the DLL from System32 and restarts the WinRM service.
--dll <path>
: Path to the DLL on this system, to be used with action install (e.g. /home/kali/winrm-plugin.dll)
Notes:
- The Remote Registry service will be started if required. If its configuration was changed, it will be reverted at the end of the action.
- When uninstalling, any thread still running under wsmprovhost.exe will end, since this process is killed.
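From the defender's side, the install action leaves a durable artefact: a new plugin registration whose DLL is not one of the Microsoft-shipped plugins. The following PowerShell check is an added example, not part of this project; it assumes the WinRM plugin registrations live under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin with a ConfigXML value per plugin, and that it runs in an elevated session on the host being audited.

```powershell
# Added example (not part of the BOF project): enumerate registered WinRM plugins
# and flag any whose DLL is missing or not Microsoft-signed. Assumed location of the
# plugin registrations and the PlugInConfiguration XML layout used by WinRM.
$pluginRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin'

function Get-WinRMPluginDll {
    # One object per registered plugin: name, enabled flag and the resolved DLL path
    Get-ChildItem -Path $pluginRoot -ErrorAction Stop | ForEach-Object {
        $xml = [xml](Get-ItemProperty -Path $_.PSPath -Name ConfigXML).ConfigXML
        $cfg = $xml.PlugInConfiguration
        [pscustomobject]@{
            Name    = $cfg.Name
            Enabled = $cfg.Enabled
            Dll     = [Environment]::ExpandEnvironmentVariables($cfg.Filename)
        }
    }
}

function Test-WinRMPlugins {
    # A plugin DLL dropped into System32 passes a path check, so the verdict is based
    # on the Authenticode signature rather than on where the file lives.
    foreach ($p in Get-WinRMPluginDll) {
        if (-not (Test-Path -LiteralPath $p.Dll)) {
            $verdict = 'DLL missing on disk'
        } else {
            $sig    = Get-AuthenticodeSignature -FilePath $p.Dll
            $signer = $sig.SignerCertificate.Subject
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
                $verdict = "suspicious: signature $($sig.Status), signer '$signer'"
            } else {
                $verdict = 'Microsoft-signed'
            }
        }
        [pscustomobject]@{ Name = $p.Name; Enabled = $p.Enabled; Dll = $p.Dll; Verdict = $verdict }
    }
}

Test-WinRMPlugins | Format-Table -AutoSize
```

Because the install action also restarts WinRM, a continuous detection pairs this registry audit with alerts on writes under the same key (Sysmon event IDs 12/13) correlated with a restart of the Windows Remote Management service.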
Blog post: https://falconforce.nl/exploring-winrm-plugins-for-lateral-movement
References:
- Microsoft official documentation about WinRM API headers: https://learn.microsoft.com/en-us/windows/win32/api/_winrm/#enumerations
- Microsoft WinRM client shell example: https://github.com/microsoft/Windows-classic-samples/tree/main/Samples/Win7Samples/sysmgmt/winrm