Lateral Movement

Lateral movement is how attackers pivot through a network after compromising a single host, using valid credentials or tokens to access other systems and expand control.

| Technique | Description |
|---|---|
| WMI & WinRM | Uses built-in Windows remote management tools to execute commands on remote machines. Requires administrative privileges on the target, and the services must be enabled. WinRM typically communicates over HTTP/S (ports 5985/5986), while WMI uses DCOM over port 135. |
| PsExec | A Microsoft tool that remotely launches processes via SMB and the Service Control Manager. Requires SMB (port 445), the ADMIN$ share, and admin rights on the target. Often used for direct remote shell access. |
| Pass-the-Hash | Reuses a stolen NTLM hash to authenticate without knowing the actual password. Works only with NTLM-authenticated services such as SMB, and requires admin rights and access to shares. It enables remote code execution via tools like wmiexec or psexec. |
| Overpass-the-Hash | Converts an NTLM hash into a Kerberos TGT, letting attackers authenticate to Kerberos services without using NTLM. Tools like mimikatz inject the hash into memory, allowing access to RDP, WinRM, or PsExec using Kerberos instead of the hash itself. |
| Pass-the-Ticket | Involves stealing and injecting Kerberos TGS tickets, allowing access to specific services as another user. TGS tickets can be reused across systems, even without admin rights, if they are already present in memory. |
| DCOM | Executes remote commands by instantiating COM objects on a target machine. Admin privileges are needed, but it is stealthy because no files are written to disk. |
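Added example (not code from this page): a small Python rule set that flags host-log indicators of the techniques in the table, run over constructed event records shaped like parsed Windows Security and System log fields. The parent-process-to-technique mapping and the field names are assumptions about typical parsed output, not a complete detection.

```python
from typing import Optional

# Parent -> technique for shells spawned by a remote-execution host process.
# The mapping is an assumption about the usual process tree, not a guarantee.
REMOTE_EXEC_PARENTS = {
    "wmiprvse.exe": "WMI remote execution",
    "wsmprovhost.exe": "WinRM remote execution",
    "mmc.exe": "DCOM (MMC20.Application) remote execution",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows path

def classify(event: dict) -> Optional[str]:
    """Map one parsed event record to a technique label, or None if nothing matches."""
    eid = event.get("EventID")
    if eid == 7045:  # System log: a service was installed
        if "psexesvc" in (event.get("ServiceName", "") + event.get("ImagePath", "")).lower():
            return "PsExec service install"
    elif eid == 4688:  # Security log: process creation
        parent = _basename(event.get("ParentProcessName", ""))
        if parent in REMOTE_EXEC_PARENTS and _basename(event.get("NewProcessName", "")) in SHELLS:
            return REMOTE_EXEC_PARENTS[parent]
    elif eid == 4624:  # Security log: logon
        # Credential injection into a new logon session (as mimikatz sekurlsa::pth does) shows
        # up as LogonType 9 (NewCredentials) from the "seclogo" logon process with Negotiate.
        if (event.get("LogonType") == 9
                and event.get("LogonProcessName", "").lower() == "seclogo"
                and event.get("AuthenticationPackageName", "").lower() == "negotiate"):
            return "Pass-the-Hash / Overpass-the-Hash (seclogo logon)"
    return None

def detect(events: list) -> list:
    """Return (host, technique) pairs for every event that matches a rule."""
    return [(ev.get("Computer", "?"), t) for ev in events if (t := classify(ev))]

# Constructed sample records (not captured from a real system).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4688, "Computer": "WS07",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4624, "Computer": "WS07", "LogonType": 9,
     "LogonProcessName": "seclogo", "AuthenticationPackageName": "Negotiate"},
    {"EventID": 4688, "Computer": "WS07",  # benign: user-launched shell
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
]
```

Pass-the-Ticket has no equivalent single-event rule here; it is usually spotted by correlating Kerberos ticket events with the logon sessions that should have requested them.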
