Once you have a beacon on one endpoint, the game becomes expanding across the network to reach the objective and surviving long enough to complete it. This module covers lateral movement techniques, persistence mechanisms, and the operational discipline that keeps you in the environment after detection attempts.

Lateral movement categories

Credential-based: use captured credentials to authenticate to another system
Trust-based: abuse built-in Windows/network trusts (Kerberos delegation, pass-the-hash, pass-the-ticket)
Exploit-based: target a vulnerable service running on another host
Tool-based: ssh, psexec, WMI, WinRM, scheduled tasks, SCCM
Application-layer: VPN access, Citrix, RDP gateways, Jump servers

Credential access — the prerequisite

Most lateral movement starts with credentials or credential material:

Mimikatz / lsass dump: extract cleartext passwords, NTLM hashes, Kerberos tickets from LSASS memory. On modern Windows with Credential Guard, harder — must bypass or compromise before Credential Guard initialized
DCSync: if you have a user with Replicating Directory Changes permission, request any user’s password hash from the domain controller
Kerberoasting: request Kerberos service tickets for accounts with SPNs; crack offline to recover plaintext passwords (covered in the AD track)
AS-REP Roasting: for accounts with “Do not require Kerberos preauthentication” set; extract crackable hash material
Token impersonation: when elevated on a box, impersonate tokens of logged-in users — often lands you SYSTEM or domain admin
Browser saved passwords / SSO cookies: often overlooked; a user’s browser has passwords to internal apps

Pass-the-hash / pass-the-ticket / over-pass-the-hash

# Pass-the-hash with Impacket (from Linux attacker box)
impacket-psexec  -hashes :NTLMHASH  DOMAIN/user@target.corp
impacket-wmiexec -hashes :NTLMHASH  DOMAIN/user@target.corp

# Pass-the-ticket with Rubeus (from Windows beacon)
Rubeus.exe ptt /ticket:BASE64TICKET
# Now your current session has the ticket; authenticate to services as that user

# Over-pass-the-hash: use NTLM hash to request TGT (becomes Kerberos-native)
Rubeus.exe asktgt /user:alice /domain:corp.local /rc4:NTLMHASH /ptt

WMI / WinRM / PsExec — the delivery mechanisms

WMI (via wmiexec or CobaltStrike’s built-in): executes commands remotely via Windows Management Instrumentation. Authentication via NTLM/Kerberos. Logs to Windows Event Log but often missed by default
WinRM / PowerShell Remoting (via psremoting, Invoke-Command): elegant and widely used by admins, which makes it blend. Port 5985/5986
PsExec / psexec-style: drops a service binary; more logs; more detection signals. Noisier
DCOM: MMC20.Application and similar; bypasses some WMI logging
Named pipes + SMB: SMB beacons over named pipes — pivot through a first beacon without direct C2 from the new host

Persistence — surviving the day

Persistence mechanisms by detection cost:

Low-cost to attacker, high detection: Run keys, Startup folder, Scheduled Tasks with obvious names
Medium: Windows Services, WMI event subscriptions, Group Policy Preferences
High-cost, low detection: DLL hijacking of trusted binaries, bootkit-style, BIOS/UEFI (edge case)

Scheduled Task example (detected but survives reboot)

schtasks /create /tn "GoogleUpdateTaskMachineCore" \
  /tr "rundll32.exe \"C:\ProgramData\update.dll\",EntryPoint" \
  /sc onlogon /ru SYSTEM /rl HIGHEST /f

WMI event subscription (harder to detect)

$Filter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{
  Name='BackgroundUpdate';
  EventNamespace='root\cimv2';
  QueryLanguage='WQL';
  Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}
# Consumer launches payload every 60s of uptime

DLL sideloading (high-effort, high-reward)

Find a signed binary that loads a DLL by absolute name from a writable path. Drop your DLL there. The legitimate process loads it. Your code runs under a trusted process tree.

AD-specific persistence

Golden Ticket: forge TGT with the krbtgt hash. Valid for any user, any duration. Requires krbtgt hash (DC-level compromise)
Silver Ticket: forge a TGS for a specific service. Less powerful but easier — doesn’t contact DC
DSRM backdoor: enable DSRM account for normal login on a DC. Survives a krbtgt rotation
AdminSDHolder backdoor: modify ACLs; every privileged group inherits them hourly
Sidhistory injection: inject historical SIDs into a user’s token — elevated privileges without being a direct group member

Cloud persistence

If objective is cloud tenant:

Service principal backdoor: create a new SP with Owner role on subscription
App registration + secret: register an app, grant yourself Graph permissions, don’t delete it
Guest user: invite external identity you control
Cross-account IAM role (AWS): attach a role the defender’s account doesn’t know trusts your AWS account

Socks proxy — the universal pivot

Most C2 frameworks support reverse socks proxy through a beacon. This lets you run tools from your attacker box through the beacon, as if you were on the victim’s network:

🔐 Intermediate Module · Basic Tier

Continue reading with Basic tier (₹499/month)

You've read 33% of this module. Unlock the remaining deep-dive, quiz, and every other Intermediate module.

99+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

3 more sections locked below

Module 4 · Lateral Movement & Persistence 🔒