Lateral Movement
The adversary will try to move laterally in the environment in search of critical servers/assets.
• Some of the techniques that can be used are:
  • PowerShell Remoting
  • Windows Management Instrumentation (WMI)
  • Invoke-Mimikatz.ps1, etc.
• It is advised to choose a method which is stealthy and leaves almost no footprints on ANY machine the adversary is targeting.
PowerShell Remoting
• It uses the WinRM protocol and runs by default on TCP ports 5985 (HTTP) and 5986 (HTTPS).
• It is the recommended way to manage Windows Server Core installations.
• It comes enabled by default from Windows Server 2012 onwards.
• An adversary uses this utility to connect to remote computers/servers and execute commands after achieving high privileges.
• Example cmdlets: Invoke-Command, New-PSSession, Enter-PSSession
• Configuration is easy: run "Enable-PSRemoting -SkipNetworkProfileCheck -Verbose -Force" as administrator.
• It is used to run commands and scripts on:
  • Windows servers/workstations
  • Linux machines too (PowerShell is an open-source project)
• Example commands:
  $session = New-PSSession -ComputerName Windows-Server            # open a persistent session to the target
  Invoke-Command -Session $session -ScriptBlock { whoami; hostname } # run a script block in that session
  Enter-PSSession -Session $session -Verbose                         # drop into an interactive remote prompt
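A defender's counterpart to the commands above, added here as an example and not part of the original slides: it audits how exposed a host is to PowerShell Remoting (listeners on 5985/5986, the AllowUnencrypted, Basic and TrustedHosts settings, the firewall rules Enable-PSRemoting creates) and then pulls the event-log traces that New-PSSession, Invoke-Command and Enter-PSSession leave on both ends. The function names and the $LookbackHours parameter are this example's own, not WinRM settings; it assumes an elevated PowerShell on a Windows host with the WinRM service installed and enough log retention to cover the lookback window.

```powershell
<#
  Added defender-side example; not code from the original slides.
  Audits how exposed this Windows host is to PowerShell Remoting and lists the
  remoting sessions it served or opened recently.
  Assumptions: elevated PowerShell on a Windows host with WinRM installed; event-log
  retention covers the lookback window; function names and $LookbackHours are this
  example's own.
#>

function Resolve-Sid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # Best-effort SID -> DOMAIN\user; falls back to the raw SID for unknown accounts.
    if ($null -eq $Sid) { return $null }
    try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
}

function Get-PSRemotingExposure {
    # Listener inventory: transport (HTTP=5985 / HTTPS=5986), bound address, enabled flag.
    $listeners = Get-WSManInstance -ResourceURI winrm/config/Listener -Enumerate |
        Select-Object Transport, Port, Address, Enabled

    # Settings that genuinely weaken remoting. With the defaults (Basic=false,
    # AllowUnencrypted=false) even the HTTP listener carries Kerberos/NTLM message-level
    # encryption; flipping either one is what exposes credentials or payloads on the wire.
    # On the client side, '*' in TrustedHosts lets this host authenticate (NTLM) to any
    # name it is pointed at, which is what pivoting from a compromised host relies on.
    $service = [pscustomobject]@{
        AllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
        BasicAuth        = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
        TrustedHosts     = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
    }

    # Firewall rules created by Enable-PSRemoting. -SkipNetworkProfileCheck adds a
    # Public-profile rule, so a WinRM rule enabled for Public deserves a second look.
    $firewall = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' | ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            Profile       = $_.Profile
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }

    [pscustomobject]@{ Listeners = $listeners; Service = $service; Firewall = $firewall }
}

function Get-PSRemotingActivity {
    param([int]$LookbackHours = 24)
    $since = (Get-Date).AddHours(-$LookbackHours)

    # Inbound: WinRM/Operational ID 91 = a WSMan shell was created on this host, i.e. the
    # server side of New-PSSession / Invoke-Command / Enter-PSSession.
    $inbound = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 91; StartTime = $since
        } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time = $_.TimeCreated; Direction = 'Inbound'; Actor = Resolve-Sid $_.UserId
            Detail = ($_.Message -split "`r?`n")[0]
        }
    }

    # Same fact seen from the PowerShell engine: Windows PowerShell log ID 400 (engine
    # start) with HostName=ServerRemoteHost means the engine was spawned by wsmprovhost.exe
    # to serve a remote caller. Useful when the WinRM log is short or has been cleared.
    $engine = Get-WinEvent -FilterHashtable @{
            LogName = 'Windows PowerShell'; Id = 400; StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'HostName=ServerRemoteHost' } | ForEach-Object {
        [pscustomobject]@{
            Time = $_.TimeCreated; Direction = 'Inbound (engine)'; Actor = $null
            Detail = 'PowerShell engine started for a remote session'
        }
    }

    # Outbound: WinRM/Operational ID 6 is logged on the *client* when it opens a WSMan
    # session and names the target, so a workstation suddenly fanning out to many servers
    # shows up here even when the servers' own logs are out of reach.
    $outbound = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-WinRM/Operational'; Id = 6; StartTime = $since
        } -ErrorAction SilentlyContinue | ForEach-Object {
        $target = if ($_.Message -match 'connection string is:\s*(\S+)') {
            ($Matches[1] -split '/')[0] } else { '?' }
        [pscustomobject]@{
            Time = $_.TimeCreated; Direction = 'Outbound'; Actor = Resolve-Sid $_.UserId
            Detail = "WSMan session to $target"
        }
    }

    # Merge the three views, dropping empty results, oldest first.
    $inbound, $engine, $outbound | ForEach-Object { $_ } |
        Where-Object { $null -ne $_ } | Sort-Object Time
}

# Usage (elevated):
Get-PSRemotingExposure | Format-List
Get-PSRemotingActivity -LookbackHours 24 | Format-Table -AutoSize
```

The exposure report is the mitigation side: most environments only have the 5985 listener because 5986 needs a server certificate, which is acceptable as long as AllowUnencrypted and Basic stay false and the firewall rule is not open to the Public profile. The activity report is the detection side: ID 91 and the ServerRemoteHost engine start are the footprints a session leaves on the target, ID 6 is the footprint it leaves on the source. To see what was actually run inside the session (the {whoami; hostname} script block above), enable PowerShell script block logging and read event 4104 in Microsoft-Windows-PowerShell/Operational on the target.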
