Lateral movement

Remote PowerShell session

Stateless

PS C:\Users\Administrator> Enter-PSSession -ComputerName WIN10RAMO.acero.local
[WIN10RAMO.acero.local]: PS C:\Users\Administrator\Documents> exit

Stateful

PS C:\Users\Administrator> $sess = New-PSSession -ComputerName WIN10RAMO.acero.local
PS C:\Users\Administrator> $sess

 Id Name            ComputerName    ComputerType    State         ConfigurationName     Availability
 -- ----            ------------    ------------    -----         -----------------     ------------
  5 Session5        WIN10RAMO.ac... RemoteMachine   Opened        Microsoft.PowerShell     Available

(Bulk) Remote Command Execution

PS C:\Users\Administrator> Invoke-Command -ComputerName WIN10RAMO.acero.local -ScriptBlock{whoami}
acero\administrator
PS C:\Users\Administrator> Invoke-Command -ComputerName WIN10RAMO.acero.local -ScriptBlock{whoami;hostname}
acero\administrator
win10ramo

Get-Content can be used to pass a list of servers to the command:

PS C:\Users\Administrator> echo "WIN10RAMO.acero.local" > list.txt

PS C:\Users\Administrator> Invoke-Command -ComputerName (Get-Content C:\Users\Administrator\list.txt) -ScriptBlock{whoami;hostname}
acero\administrator
win10ramo

Execute PowerShell Script:

PS C:\Users\Administrator> Invoke-Command -ComputerName (Get-Content C:\Users\Administrator\list.txt) -FilePath C:\Users\Administrator\whoami.ps1
acero\administrator
win10ramo

Execute PowerShell Script in a specific Session:

PS C:\Users\Administrator> Invoke-Command -FilePath C:\Users\Administrator\whoami.ps1 -Session $sess
acero\administrator
win10ramo

Disable Windows Defender (Windows Server 2016)

Set-MpPreference -DisableRealtimeMonitoring $true
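The bulk Invoke-Command pattern above (host list from Get-Content, results tagged with PSComputerName) applied from the defender's side, as an added example that is not part of the original notes: it sweeps the same list and reports which hosts have had the real-time monitoring setting from the last section switched off, instead of changing it. It assumes WinRM is enabled on the targets and uses a constructed hosts.txt with one FQDN per line.

```powershell
# Added example: audit the DisableRealtimeMonitoring setting across a host list.
# Assumes WinRM/PS remoting is enabled on every target and the caller is a local admin there.

# Constructed host list, one name per line, matching the list.txt usage above.
# SRV-MISSING is deliberately unreachable to show the error handling.
$listPath = Join-Path $env:TEMP 'hosts.txt'
Set-Content -Path $listPath -Value @('WIN10RAMO.acero.local', 'SRV-MISSING.acero.local')
$computers = Get-Content -Path $listPath | Where-Object { $_.Trim() -ne '' }

# Script block executed on each remote host. Objects it emits are serialised back
# and Invoke-Command adds the PSComputerName property to each one.
$audit = {
    $pref = Get-MpPreference
    $stat = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeMonitoringOff = $pref.DisableRealtimeMonitoring   # $true after the Set-MpPreference above
        RealTimeProtection    = $stat.RealTimeProtectionEnabled
        SignatureAgeDays      = $stat.AntivirusSignatureAge
        CheckedAt             = Get-Date
    }
}

# Run in bulk. SilentlyContinue plus ErrorVariable keeps one dead host from aborting the
# sweep while still recording which hosts could not be contacted.
$invokeParams = @{
    ComputerName  = $computers
    ScriptBlock   = $audit
    ErrorAction   = 'SilentlyContinue'
    ErrorVariable = 'remoteErrors'
}
$results = Invoke-Command @invokeParams

$results |
    Select-Object PSComputerName, RealTimeMonitoringOff, RealTimeProtection, SignatureAgeDays |
    Format-Table -AutoSize

# A host with monitoring switched off is an incident lead, not something to silently re-enable.
$flagged = $results | Where-Object { $_.RealTimeMonitoringOff -or -not $_.RealTimeProtection }
foreach ($r in $flagged) {
    Write-Warning "Real-time protection disabled on $($r.PSComputerName)"
}

# For WinRM connection failures TargetObject normally carries the computer name.
foreach ($e in $remoteErrors) {
    Write-Warning "Could not audit $($e.TargetObject): $($e.Exception.Message)"
}
```

Where Tamper Protection is enabled the Set-MpPreference change above is rejected, and Defender writes event ID 5001 ("Real-time protection is disabled") to the Microsoft-Windows-Windows Defender/Operational log, so this sweep is best paired with alerting on that event rather than used on its own.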
