# Lateral Movement - From Windows
## Quick Reference

| Technique | Tool | Requirement |
|---|---|---|
| Pass-the-Hash (PtH) | Mimikatz, Invoke-TheHash, PsExec | Local Admin / NTLM hash |
| Pass-the-Ticket (PtT) | Rubeus, Mimikatz | Valid Kerberos ticket (.kirbi / base64) |
| Overpass-the-Hash | Mimikatz, Rubeus | NTLM or AES256 hash |
| WMI Exec | PowerShell WMI, wmic, SharpWMI | Local Admin on target |
| DCOM Exec | PowerShell COM objects | Local Admin / DCOM permissions |
| PowerShell Remoting | Enter-PSSession, Invoke-Command | WinRM enabled, appropriate rights |
| PsExec | Sysinternals PsExec | Local Admin, ADMIN$ writable |
| Remote Service | sc.exe | Local Admin on target |
| Scheduled Task | schtasks.exe | Local Admin / valid credentials |
| Token Impersonation | Incognito, Invoke-TokenManipulation | SeImpersonatePrivilege |
| RDP | mstsc, tscon | RDP enabled, valid credentials or SYSTEM |

## Pass-the-Hash (PtH)

Pass-the-Hash abuses NTLM authentication, which never transmits the password or even the hash: the client proves possession of the NT hash by computing the NTLM challenge-response from it, and the authenticating side recomputes the same response from the NT hash it has stored. Because the NT hash is the only secret the client ever needs, a hash captured from LSASS, the SAM or NTDS.dit is a password equivalent and can be used directly, with no cracking. Mimikatz `sekurlsa::pth` starts a process whose logon session carries the injected hash, so anything that process does over SMB, WMI or WinRM authenticates as that account; Invoke-TheHash and Impacket-style tools speak NTLM with the hash themselves. For remote execution the account still needs local admin on the target, and for local accounts other than the built-in RID 500 Administrator, UAC remote restrictions strip the admin token from network logons unless `LocalAccountTokenFilterPolicy` is set to 1. ...