Lateral Movement and Pivoting
Lateral movement is the group of techniques attackers use to move around a network. Once an attacker has gained access to the first machine in a network, moving on from it is essential for many reasons, including the following:
- Reaching our goals as attackers
- Bypassing network restrictions in place
- Establishing additional points of entry to the network
- Creating confusion and avoiding detection
                    +----------+
                    |  Psexec  |
                    +----------+
                    |  WinRM   |
+-----------+       +----------+       +-----------+
| MACHINE 1 | ----> |   SSH    | ----> | MACHINE 2 |
+-----------+       +----------+       +-----------+
                    |   RDP    |
                    +----------+
                    |   VNC    |
                    +----------+
Spawning Processes Remotely
Psexec
- Ports: 445/TCP (SMB)
- Required Group Memberships: Administrators
winrm - Remote Process Creation
- Ports: 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)
- Required Group Memberships: Remote Management Users
sc - Remote Services Creation
- Ports:
- 135/TCP, 49152-65535/TCP (DCE/RPC)
- 445/TCP (RPC over SMB Named Pipes)
- 139/TCP (RPC over SMB Named Pipes)
- Required Group Memberships: Administrators
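As an added example (not part of the original notes), the port and group-membership table above can be turned into a small defender-side check: each constructed connection record is mapped to the channel listed above, the account's groups are compared against the membership that channel requires, and sources that fan out to many hosts over those ports are flagged. The log format, hosts, users and thresholds are constructed for illustration only.

```python
import re
from collections import defaultdict

# Destination port -> (technique from the notes above, group membership it requires).
# The dynamic RPC range (49152-65535) is deliberately left out: keying on it by port
# alone is too noisy; 135/TCP (the endpoint mapper) is the reliable signal for sc.
LATERAL_CHANNELS = {
    445:  ("psexec/sc over SMB", "Administrators"),
    139:  ("sc over SMB named pipes", "Administrators"),
    135:  ("sc over DCE/RPC", "Administrators"),
    5985: ("winrm (HTTP)", "Remote Management Users"),
    5986: ("winrm (HTTPS)", "Remote Management Users"),
}

# Constructed sample records (not from a real environment), one per line:
# <time> <src_ip> <dst_ip> <dst_port> <user> <groups, comma-separated>
SAMPLE_LOG = """\
10:00:01 10.0.0.5 10.0.0.20 445 corp\\jsmith Users,Administrators
10:00:07 10.0.0.5 10.0.0.21 5985 corp\\jsmith Users
10:00:09 10.0.0.5 10.0.0.22 5985 corp\\jsmith Users,Remote Management Users
10:01:30 10.0.0.5 10.0.0.23 443 corp\\jsmith Users
10:02:00 10.0.0.9 10.0.0.20 445 corp\\svc_backup Administrators
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (.*)$")

def classify(line):
    """Return a finding for one record, or None if the port is not a lateral-movement channel."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    time, src, dst, port, user, groups = m.groups()
    channel = LATERAL_CHANNELS.get(int(port))
    if channel is None:
        return None
    technique, required = channel
    # Does the account actually hold the group the channel needs? If not, the attempt
    # should fail, which is itself worth alerting on; if so, a privileged credential is in use.
    member = required in {g.strip() for g in groups.split(",")}
    return {"time": time, "src": src, "dst": dst, "user": user, "technique": technique,
            "required_group": required, "has_required_group": member}

def analyse(log_text, fanout_threshold=2):
    """Classify every record and flag sources reaching more than fanout_threshold distinct hosts."""
    findings = [f for f in (classify(l) for l in log_text.splitlines()) if f]
    targets = defaultdict(set)
    for f in findings:
        targets[f["src"]].add(f["dst"])
    fanout = {src: sorted(d) for src, d in targets.items() if len(d) > fanout_threshold}
    return findings, fanout
```

Feeding real connection or logon telemetry into `analyse` only requires adapting `LINE_RE` to the actual field layout; the channel table and fan-out logic stay the same.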