Skip to main content

Introduction


Revision History​

DateAuthorSummary
08-NOV-2020TSgt. BernadotteInitial draft
09-FEB-2024TSgt. BernadotteSeparated from old Response Actions SOP
15-APR-2025SSgt. ChongAdded SMB Share SOP
12-FEB-2026CW2 BernadotteFixed New-PSSessionOption command
19-MAR-2026CW2 BernadotteAdded End-State, Requirements, Considerations; added SSH, Impacket, RDP, and file transfer sections

Purpose​

The purpose of this SOP is to provide step-by-step instructions on various methods of remote host interaction including command execution, file transfer, and remote desktop β€” covering both Windows-to-Windows (WinRM/SMB) and Linux-to-Windows/Linux (SSH, Impacket, RDP, Samba) workflows.


End-State​

  • Operators can establish interactive and non-interactive remote command execution sessions on Windows hosts using PowerShell Remoting and Impacket.
  • Operators can transfer files to and from remote hosts using WinRM, SMB, SSH, and HTTP-based methods.
  • Operators can connect to remote hosts via RDP from both Windows and Linux.
  • Operators can establish SSH tunnels for port forwarding and pivoting.

Requirements​

The method used for remote interaction determines what must be accessible on the target:

MethodProtocol/PortRemote Requirement
PS RemotingWinRM 5985/TCP (HTTP) or 5986/TCP (HTTPS)PowerShell + WinRM service running
PSDrive / SMB ShareSMB 445/TCPSMB enabled, share accessible
SSH22/TCP (default)SSH server (OpenSSH) running
ImpacketSMB 445/TCP or WMI 135/TCPSMB or WMI accessible
RDP3389/TCPRemote Desktop enabled

Considerations​

  • Credentials: All methods require valid credentials. Save credentials to a variable ($Credential in PowerShell, sshpass or key files in Linux) to avoid re-typing and reduce exposure in shell history.
  • OPSEC β€” Shell History: Command-line tools that include passwords as arguments (e.g., net use, smbclient, sshpass) write credentials to shell history. Sanitize history after use. See cleanup steps within each section.
  • OPSEC β€” PowerShell Logging: On monitored hosts, use cmd.exe instead of PowerShell where possible to avoid script block logging capturing your commands. The SMB section specifically calls this out.
  • Session Cleanup: Always close and remove open sessions (PSSession, PSDrive, SMB mappings, SSH tunnels) when finished to avoid leaving persistent network connections as indicators.
  • Domain vs. Local Accounts: When authenticating to a domain-joined host, use DOMAIN\username or username@domain.com format β€” bare username format (username) will attempt local account authentication.
  • Firewall: Even if WinRM or SMB is enabled on a remote host, host-based firewall rules may block inbound connections. Nmap scan results (IAW 262COS-NA-SOP-001) should confirm port accessibility before attempting connections.