A very old and noisy lateral movement technique can be performed using psexec by SysInternals.
Let's connect from workstation ws01 to the domain controller dc01 with domain administrator credentials:
attacker@victim
.\PsExec.exe -u administrator -p 123456 \\dc01 cmd
The technique is noisy for at least a couple of reasons. Upon code execution, several well-known artefacts are left behind, and they will most likely get you flagged in an environment where a SOC is present.
A psexesvc service gets created on the remote system, and below is the process ancestry of your command shell:
psexec is actually running as a service:
Additionally, there is quite a bit of SMB network traffic generated when connecting to a remote machine which could be signatured:
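The two host artefacts described above (the psexesvc service install and a shell whose parent is the service binary) can be matched in exported event data. The following is an added example, not code from the original post; it assumes events flattened into dictionaries with field names from Windows event 7045 (service installed) and Sysmon event 1 (process creation), and the sample events are constructed.

```python
import ntpath

# Constructed sample events (not from the original post), flattened the way a
# log pipeline might export them. 7045 = service installed (System log),
# 1 = Sysmon process creation. Host names ws01/dc01 follow the post.
SAMPLE_EVENTS = [
    {"host": "dc01", "EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "dc01", "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\PSEXESVC.exe"},
    {"host": "dc01", "EventID": 7045, "ServiceName": "WinDefend",
     "ImagePath": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'},
    {"host": "ws01", "EventID": 1,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

SERVICE_NAME = "psexesvc"        # default service name only
SERVICE_BINARY = "psexesvc.exe"  # default service binary name only


def _basename(path):
    """Lower-cased file name of a Windows path, ignoring surrounding quotes."""
    return ntpath.basename(path.strip().strip('"')).lower()


def detect_psexec(events):
    """Return (host, artefact, detail) tuples for the default PsExec artefacts."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 7045:
            name = ev.get("ServiceName", "").lower()
            if name == SERVICE_NAME or _basename(ev.get("ImagePath", "")) == SERVICE_BINARY:
                findings.append((ev["host"], "service_install", ev.get("ServiceName")))
        elif ev.get("EventID") == 1:
            # Process ancestry: anything spawned by the service binary.
            if _basename(ev.get("ParentImage", "")) == SERVICE_BINARY:
                findings.append((ev["host"], "child_of_psexesvc", ev.get("Image")))
    return findings


if __name__ == "__main__":
    for finding in detect_psexec(SAMPLE_EVENTS):
        print(finding)
```

Matching on the default names catches the behaviour shown in this post only; correlating the 7045 event with the SMB session that preceded it gives a stronger signal than either artefact alone.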