windows-lateral-movement
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM
Tags: CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill contains a large volume of command-line instructions for Windows exploitation, including service creation via PsExec, process manipulation, and registry modification for enabling Restricted Admin mode.
- [REMOTE_CODE_EXECUTION]: Detailed playbooks are provided for achieving remote code execution via multiple protocols including SMB (PsExec), WMI, WinRM, DCOM, and Scheduled Tasks (atexec).
- [CREDENTIALS_UNSAFE]: Comprehensive guides for dumping credential material from Local Security Authority Subsystem Service (LSASS) memory, the Security Account Manager (SAM) registry hive, and the Active Directory database (NTDS.dit), including specific techniques for bypassing Protected Process Light (PPL) and using debug privileges (SeDebugPrivilege).
- [DATA_EXFILTRATION]: Includes instructions for establishing network tunnels and SOCKS proxies with Chisel, Ligolo-ng, and SSH so that an operator can pivot and move data across internal network boundaries.
- [PERSISTENCE_MECHANISMS]: Documents methods for maintaining access through WMI event subscription persistence, allowing for command execution triggered by system events.
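The findings above describe attacker tradecraft; the check a defender would want is the host-side inverse. The following script is an added example written for this audit page, not code from the audited skill or from Gen Agent Trust Hub. It is read-only and enumerates the artifacts the techniques above leave behind: the Restricted Admin registry value, permanent WMI event subscriptions (filter, consumer, binding), PsExec-style service installs, and scheduled-task creation events. It assumes Windows PowerShell 5.1 or PowerShell 7 running with local administrator rights on the host being inspected; the function name Get-LateralMovementArtifact and the lookback window are the author's choices here, not anything the audited skill defines.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the audit or the audited skill. Read-only host
# check for the artifacts the techniques in the analysis leave behind.
# Assumes PowerShell 5.1+ and local administrator rights; modifies nothing.

function Get-LateralMovementArtifact {
    [CmdletBinding()]
    param(
        # How far back to search the event logs (assumed default: one week).
        [int]$LookbackDays = 7
    )
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Category, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
    }

    # 1. Restricted Admin mode. DisableRestrictedAdmin = 0 under the Lsa key
    #    enables it; the value is absent (mode disabled) on a default install.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $dra = (Get-ItemProperty -Path $lsa -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue).DisableRestrictedAdmin
    if ($null -ne $dra -and $dra -eq 0) {
        Add-Finding 'RestrictedAdmin' "DisableRestrictedAdmin=0 under $lsa (RDP accepts an NT hash instead of a password)"
    }

    # 2. Permanent WMI event subscriptions live in root\subscription. The
    #    consumer classes that execute code are CommandLineEventConsumer and
    #    ActiveScriptEventConsumer. Windows ships one benign binding
    #    (SCM Event Log Filter -> SCM Event Log Consumer, an
    #    NTEventLogEventConsumer); anything else needs an owner.
    $ns = 'root\subscription'
    foreach ($f in (Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)) {
        Add-Finding 'WmiFilter' ("'{0}' triggers on: {1}" -f $f.Name, $f.Query)
    }
    # Querying the abstract base class returns every derived consumer instance.
    foreach ($c in (Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)) {
        $class = $c.CimClass.CimClassName
        switch ($class) {
            'CommandLineEventConsumer'  { Add-Finding 'WmiConsumer' ("{0} '{1}' runs: {2}" -f $class, $c.Name, $c.CommandLineTemplate) }
            'ActiveScriptEventConsumer' { Add-Finding 'WmiConsumer' ("{0} '{1}' runs a {2} script" -f $class, $c.Name, $c.ScriptingEngine) }
            default                     { Add-Finding 'WmiConsumer' ("{0} '{1}'" -f $class, $c.Name) }
        }
    }
    foreach ($b in (Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)) {
        # Reference properties are returned as partial instances with the key
        # property (Name) populated, which is enough to report the pairing.
        Add-Finding 'WmiBinding' ("filter '{0}' -> consumer '{1}'" -f $b.Filter.Name, $b.Consumer.Name)
    }

    # 3. PsExec-style service creation. The default service is PSEXESVC, but
    #    the name is attacker-chosen, so also review every recent service
    #    install (System log event 7045) instead of matching one string.
    $svc = Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'PSEXESVC*' -or $_.PathName -match 'psexesvc' }
    foreach ($s in $svc) {
        Add-Finding 'PsExecService' ("{0} ({1}) state={2}" -f $s.Name, $s.PathName, $s.State)
    }
    $since = (Get-Date).AddDays(-$LookbackDays)
    $installs = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $installs) {
        # 7045 EventData order: ServiceName, ImagePath, ServiceType, StartType, AccountName
        Add-Finding 'ServiceInstall' ("{0:u} {1} -> {2}" -f $e.TimeCreated, $e.Properties[0].Value, $e.Properties[1].Value)
    }

    # 4. atexec creates, runs and deletes a scheduled task. Security event 4698
    #    (task created) records it only when "Audit Other Object Access Events"
    #    is enabled, so an empty result here is not proof of absence.
    $tasks = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $tasks) {
        # 4698 EventData order: SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, TaskName, TaskContent
        Add-Finding 'TaskCreated' ("{0:u} {1}\{2} created {3}" -f $e.TimeCreated, $e.Properties[2].Value, $e.Properties[1].Value, $e.Properties[4].Value)
    }

    return $findings
}

# Usage: run on the host and read the table; a clean default install reports
# only the SCM Event Log filter/consumer/binding rows.
Get-LateralMovementArtifact | Format-Table -AutoSize -Wrap
```

The script deliberately lists every WMI filter, consumer and binding rather than only "suspicious" ones: a renamed consumer or an innocuous-looking WQL query is exactly what a persistence implant relies on, so the triage decision belongs to the reader, not to a string match. The same reasoning applies to the 7045 service installs, since PsExec's service name is configurable.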
Audit Metadata