Lateral Movement

WinRM for Lateral Movement

WinRS for Lateral Movement

WMI for Lateral Movement

RDP Hijacking for Lateral Movement with tscon

Shared Webroot

Lateral Movement via DCOM

WMI + MSI Lateral Movement

Lateral Movement via Service Configuration Manager

Lateral Movement via SMB Relaying

WMI + NewScheduledTaskAction Lateral Movement

WMI + PowerShell Desired State Configuration Lateral Movement

Simple TCP Relaying with NetCat

Empire Shells with NetNLTMv2 Relaying

Lateral Movement with Psexec

From Beacon to Interactive RDP Session

SSH Tunnelling / Port Forwarding

Lateral Movement via WMI Event Subscription

Lateral Movement via DLL Hijacking

Lateral Movement over headless RDP with SharpRDP

Man-in-the-Browser via Chrome Extension

ShadowMove: Lateral Movement by Duplicating Existing Sockets