To connect from your attacking machine to a remote target machine using a local user account, you need to configure both sides (client and server) carefully because:

• You're not using domain credentials (local user = non-domain).
• WinRM over HTTP with local user needs Basic authentication + unencrypted traffic allowed (unless you're using HTTPS).

Remote Machine Configuration

1. 🔒 Create Local User and Add to Groups

net user NewUser P@ssw0rd! /add
net localgroup Administrators NewUser /add
net localgroup "Remote Management Users" NewUser /add

2. ⚙️ Enable WinRM + Set Authentication Settings

winrm quickconfig -q
winrm set winrm/config/service/auth @{Basic="true"}
winrm set winrm/config/service @{AllowUnencrypted="true"}

3. 📤 Open Firewall for WinRM

netsh advfirewall firewall add rule name="WinRM HTTP" dir=in action=allow protocol=TCP localport=5985

Attacker Machine Configuration (Windows)

1. 🛑 Allow Unencrypted + Basic (for local user authentication)

winrm set winrm/config/client/auth @{Basic="true"}
winrm set winrm/config/client @{AllowUnencrypted="true"}

2. 🖥️ Add Remote Machine to Trusted Hosts

Replace RemoteComputerName or IP address:

winrm set winrm/config/client @{TrustedHosts="RemoteComputerName"}

If you're unsure or testing many, you can allow all (not secure):

winrm set winrm/config/client @{TrustedHosts="*"}