WinRM for Lateral Movement

Execution

The attacker established a PSRemoting session from a compromised system, 10.0.0.2, to a domain controller, dc-mantvydas, at 10.0.0.6:

New-PSSession -ComputerName dc-mantvydas -Credential (Get-Credential)
Enter-PSSession 1

On the host that initiated the connection, a 4648 logon attempt is logged.
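
One way to triage the 4648 events described above, added here as an example and not part of the original page: it parses Security events exported as XML and keeps only explicit-credential logons aimed at another machine. The host ws01.lab.local, the account names and the function names are constructed for illustration; the Data field names follow the standard 4648 event layout.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCAL = {"", "-", "localhost"}  # 4648 targets that never leave the host

def _event(eid, host, subject, user, server):
    """Build one constructed Security event in the Windows event XML layout."""
    fields = {"SubjectUserName": subject, "TargetUserName": user,
              "TargetServerName": server}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<Computer>{host}</Computer></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample export; only the name dc-mantvydas comes from the page.
SAMPLE = "<Events>" + "".join([
    _event(4648, "ws01.lab.local", "alice", "administrator", "dc-mantvydas"),
    _event(4648, "ws01.lab.local", "alice", "svc_backup", "localhost"),
    _event(4648, "ws01.lab.local", "alice", "alice", "WS01"),
    _event(4624, "ws01.lab.local", "-", "alice", "-"),
]) + "</Events>"

def remote_explicit_logons(xml_text):
    """Return 4648 events whose target server is another machine."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4648":
            continue
        host = ev.findtext("e:System/e:Computer", default="", namespaces=NS)
        d = {x.get("Name"): (x.text or "")
             for x in ev.findall("e:EventData/e:Data", NS)}
        target = d.get("TargetServerName", "").lower()
        # Skip logons aimed at the logging host itself (runas, services).
        if target in LOCAL or target.split(".")[0] == host.split(".")[0].lower():
            continue
        hits.append({
            "source_host": host,
            "subject": d.get("SubjectUserName", ""),
            "account_used": d.get("TargetUserName", ""),
            "target_server": target,
            # True when the supplied credentials belong to a different account.
            "account_switch": d.get("SubjectUserName", "").lower()
                              != d.get("TargetUserName", "").lower(),
        })
    return hits

if __name__ == "__main__":
    for hit in remote_explicit_logons(SAMPLE):
        print(hit)
```

Correlating each hit with a logon recorded on the target server around the same time is the natural next step.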
