The adversary will try to move laterally in the environment in search of critical
servers/assets.
• Some of the techniques that can be used are:
• PowerShell Remoting
• Windows Management Instrumentation (WMI)
• Invoke-Mimikatz.ps1, etc.
• It is advised to choose a method which is stealthy and leaves almost no footprints on ANY
machine the adversary is targeting.
PowerShell Remoting
It uses the WinRM protocol (WS-Management over HTTP) and listens by default on TCP port 5985 (HTTP) and 5986 (HTTPS).
• It is the recommended way to manage Windows Server Core installations.
• WinRM comes enabled by default on Windows Server 2012 and later (client editions such as Windows 10 still have to enable it).
• The adversary uses this facility to connect to remote computers/servers and execute commands once
they hold credentials with local administrator rights on the target (by default only members of the local Administrators and Remote Management Users groups may connect).
• Example cmdlets: Invoke-Command, New-PSSession, Enter-PSSession
Configuration is easy: run "Enable-PSRemoting -SkipNetworkProfileCheck -Verbose -Force" from an
elevated (administrator) PowerShell. -SkipNetworkProfileCheck lets the firewall exception be created even when an interface is on the Public network profile, which otherwise makes the cmdlet fail.
• It is used to run commands and scripts on:
• Windows servers/workstations
• Linux and macOS hosts too, since PowerShell 6+ (the open-source, cross-platform release) can remote over SSH instead of WinRM
• Example commands :
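As an added worked example (these commands are not from the original slides), the following walks the whole procedure end to end: enabling the listener on a target, checking that a host actually listens on TCP 5985 before spending a logon on it, one-off and session-based execution with Invoke-Command, the interactive shell via Enter-PSSession, the SSH transport for the Linux case, and cleanup. The hostnames target01.corp.local, srv1, srv2, linux01, the user name opsadmin and the script .\Tools.ps1 are assumptions for illustration only.

```powershell
# Added example, not part of the original slides. Hostnames, user names and
# script paths below are placeholders (assumptions), not real infrastructure.

# 1. On the machine that will ACCEPT connections, from an elevated PowerShell.
#    -SkipNetworkProfileCheck: still create the firewall rule when a NIC is on
#    the Public profile (without it Enable-PSRemoting errors out on such hosts).
Enable-PSRemoting -SkipNetworkProfileCheck -Verbose -Force

# 2. From the operator machine: is WinRM reachable at all? Checking the port
#    first avoids a failed-logon event (4625) on a host that is not listening.
$target = 'target01.corp.local'                                   # assumed hostname
if (-not (Test-NetConnection -ComputerName $target -Port 5985 -InformationLevel Quiet)) {
    throw "WinRM (TCP 5985) not reachable on $target"
}
Test-WSMan -ComputerName $target      # confirms the listener speaks WS-Man

# 3. One-off command on one or more hosts. Runs in parallel and returns
#    deserialized objects (properties only, no methods) to the caller.
Invoke-Command -ComputerName $target -ScriptBlock { hostname; whoami }

# Same against a list, with explicit credentials (prompted, never on the command line).
$cred = Get-Credential -Message 'Account with local admin rights on the targets'
Invoke-Command -ComputerName 'srv1','srv2' -Credential $cred -ScriptBlock {
    Get-Process -Name lsass | Select-Object Name, Id, StartTime
}

# 4. Persistent session: variables and functions loaded once stay available,
#    so a tool script is transmitted a single time and reused across calls.
$sess = New-PSSession -ComputerName $target -Credential $cred
Invoke-Command -Session $sess -FilePath .\Tools.ps1                # assumed local script; its functions now exist remotely
Invoke-Command -Session $sess -ScriptBlock { Get-Service -Name WinRM }

# 5. Interactive shell on the remote host; the prompt changes to [target01...]: PS>
Enter-PSSession -Session $sess
#    ... work interactively, then leave with:
#    Exit-PSSession

# 6. PowerShell 6+/7 only: the same cmdlets over SSH, e.g. to a Linux host that
#    runs pwsh and has "Subsystem powershell" configured in sshd_config.
$lnx = New-PSSession -HostName 'linux01' -UserName 'opsadmin'   # assumed host and user
Invoke-Command -Session $lnx -ScriptBlock { uname -a; id }

# 7. Clean up. Open sessions are both a loose end and a visible indicator.
Remove-PSSession -Session $sess, $lnx
```

Two practical caveats for the "no footprints" goal above: every connection is a network logon (Event ID 4624, logon type 3) on the target, and the remote commands execute inside wsmprovhost.exe, where PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) records them if it is enabled. Plain HTTP on 5985 is still not cleartext inside a domain, because Kerberos or NTLM message encryption protects the payload; 5986 adds TLS on top and is what is needed when authenticating with Basic credentials.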