Introduction
Revision Historyβ
| Date | Author | Summary |
|---|---|---|
| 08-NOV-2020 | TSgt. Bernadotte | Initial draft |
| 09-FEB-2024 | TSgt. Bernadotte | Separated from old Response Actions SOP |
| 15-APR-2025 | SSgt. Chong | Added SMB Share SOP |
| 12-FEB-2026 | CW2 Bernadotte | Fixed New-PSSessionOption command |
| 19-MAR-2026 | CW2 Bernadotte | Added End-State, Requirements, Considerations; added SSH, Impacket, RDP, and file transfer sections |
Purposeβ
The purpose of this SOP is to provide step-by-step instructions on various methods of remote host interaction including command execution, file transfer, and remote desktop β covering both Windows-to-Windows (WinRM/SMB) and Linux-to-Windows/Linux (SSH, Impacket, RDP, Samba) workflows.
End-Stateβ
- Operators can establish interactive and non-interactive remote command execution sessions on Windows hosts using PowerShell Remoting and Impacket.
- Operators can transfer files to and from remote hosts using WinRM, SMB, SSH, and HTTP-based methods.
- Operators can connect to remote hosts via RDP from both Windows and Linux.
- Operators can establish SSH tunnels for port forwarding and pivoting.
Requirementsβ
The method used for remote interaction determines what must be accessible on the target:
| Method | Protocol/Port | Remote Requirement |
|---|---|---|
| PS Remoting | WinRM 5985/TCP (HTTP) or 5986/TCP (HTTPS) | PowerShell + WinRM service running |
| PSDrive / SMB Share | SMB 445/TCP | SMB enabled, share accessible |
| SSH | 22/TCP (default) | SSH server (OpenSSH) running |
| Impacket | SMB 445/TCP or WMI 135/TCP | SMB or WMI accessible |
| RDP | 3389/TCP | Remote Desktop enabled |
Considerationsβ
- Credentials: All methods require valid credentials. Save credentials to a variable (
$Credentialin PowerShell,sshpassor key files in Linux) to avoid re-typing and reduce exposure in shell history. - OPSEC β Shell History: Command-line tools that include passwords as arguments (e.g.,
net use,smbclient,sshpass) write credentials to shell history. Sanitize history after use. See cleanup steps within each section. - OPSEC β PowerShell Logging: On monitored hosts, use
cmd.exeinstead of PowerShell where possible to avoid script block logging capturing your commands. The SMB section specifically calls this out. - Session Cleanup: Always close and remove open sessions (PSSession, PSDrive, SMB mappings, SSH tunnels) when finished to avoid leaving persistent network connections as indicators.
- Domain vs. Local Accounts: When authenticating to a domain-joined host, use
DOMAIN\usernameorusername@domain.comformat β bare username format (username) will attempt local account authentication. - Firewall: Even if WinRM or SMB is enabled on a remote host, host-based firewall rules may block inbound connections. Nmap scan results (IAW 262COS-NA-SOP-001) should confirm port accessibility before attempting connections.