Lateral Movement with Psexec
A very old and noisy lateral movement technique can be performed using psexec by SysInternals.
Let's connect from workstation ws01 to the domain controller dc01 with domain administrator credentials:
.\PsExec.exe -u administrator -p 123456 \\dc01 cmd
The technique is noisy for at least a couple of reasons. Upon code execution, some well-known artefacts are left behind, which will most likely get you flagged in an environment where a SOC is present.
The psexesvc service gets created on the remote system. Below is the process ancestry of your command shell:
psexec is actually running as a service:
Additionally, there is quite a bit of SMB network traffic generated when connecting to a remote machine which could be signatured:
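A defender-side check for the two host artefacts described above (the psexesvc service and the command shell spawned beneath it), as an added example that is not part of the original post. It assumes events already parsed into flat dicts from the System log (event ID 7045, new service installed) and Sysmon (event ID 1, process creation); the field names and all sample events are constructed.

```python
# Added example: flag the two host artefacts described above in already-parsed
# Windows events. The flat dict layout and all sample events are constructed.
import ntpath

PSEXEC_SERVICE = "psexesvc"  # service name as given on this page


def is_service_install(ev):
    """System log 7045 (new service installed) naming the PsExec service."""
    if ev.get("event_id") != 7045:
        return False
    name = ev.get("service_name", "").lower()
    image = ntpath.basename(ev.get("image_path", "")).lower()
    return name == PSEXEC_SERVICE or image == PSEXEC_SERVICE + ".exe"


def is_service_child(ev):
    """Sysmon 1 (process creation) whose parent is the PsExec service binary."""
    if ev.get("event_id") != 1:
        return False
    parent = ntpath.basename(ev.get("parent_image", "")).lower()
    return parent == PSEXEC_SERVICE + ".exe"


def detect(events):
    """Return (host, reason, detail) tuples for every matching event."""
    hits = []
    for ev in events:
        if is_service_install(ev):
            hits.append((ev["host"], "service_install", ev.get("image_path", "")))
        elif is_service_child(ev):
            hits.append((ev["host"], "service_child", ev.get("image", "")))
    return hits


# Constructed sample events (not captured from a real system).
SAMPLE_EVENTS = [
    {"host": "dc01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "dc01", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\PSEXESVC.exe"},
    {"host": "dc01", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "event_id": 7045, "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```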