Red Teaming — AD (Lateral movement with PSRemoting)

@fuffsec
Published in System Weakness
Mar 8, 2023

Data Analysis for Cyber Security 101: Detecting Lateral Movement

Lateral movement is a term used in cybersecurity to describe the movement of an attacker within a network after gaining initial access. In Active Directory (AD) environments, lateral movement can occur when an attacker gains access to one system or credential and uses it to move laterally to other systems or accounts within the same network.

One tool that attackers commonly use for lateral movement in AD environments is PowerShell Remoting (PSRemoting). PSRemoting is a PowerShell feature, built on WinRM, that allows an attacker to execute PowerShell commands on a remote target system. By exploiting vulnerabilities in AD, an attacker can gain access to a system with weak security controls, such as one running an outdated operating system or one protected by weak credentials.

Once an attacker has gained access to a system, they can use PSRemoting to execute PowerShell commands on that system. This allows them to move laterally within the network, executing commands on other systems without needing to log in to those systems directly. For example, an attacker can use PSRemoting to create a new user account or change the password of an existing account on another system within the network.

To prevent lateral movement in AD environments, organizations can take several steps. One is to implement strong access controls, such as two-factor authentication and strict password policies. Another is to regularly monitor and analyze network traffic for suspicious activity. Additionally, organizations can implement endpoint detection and response (EDR) solutions that can detect and respond to malicious activity in real-time.

How to enable PS Remoting:

  1. Use a GPO to enable it on all computers in the domain.
  2. The GPO needs to start the WinRM service and allow the inbound remoting traffic through the Windows Firewall.
  3. Run gpupdate /force so that all domain computers pick up the new policy.

For a clear explanation, follow the link below:

Testing if PS Remoting is enabled

Use the command below to check whether the WinRM port (5985) is reachable:

Test-NetConnection -Port 5985 -ComputerName Computer2

We can see that it is enabled on computer2$.

AD Environment

The following is my test environment.

The forest root (MARVEL.local) has one DC and one computer. The child domain (ALPHA.MARVEL.local) has one DC and two computers.

MARVEL.local

  • DC — Windows Server 2019
  • Computer — Windows 10 (computer1$)

ALPHA.MARVEL.local

  • DC — Windows Server 2016
  • Computers — Windows 10 (computer2$, computer3$)

We also have a few users on each domain.

Commands

  1. PSSession

PS> $s = New-PSSession -ComputerName Server01
PS> Enter-PSSession -Session $s
[Server01]: PS>

“New-PSSession” is a PowerShell cmdlet used to create a new PowerShell session. PowerShell is a command-line shell and scripting language designed for system administration and automation tasks in Windows operating systems. The New-PSSession cmdlet establishes a persistent connection between the local computer and a remote computer or runspace. This connection allows the user to execute PowerShell commands on the remote computer or runspace as if they were running them locally.

“Enter-PSSession” is a PowerShell command that allows you to establish an interactive session with a remote computer. The command enables you to remotely manage a Windows-based computer using PowerShell commands, as if you were sitting in front of it. When you run “Enter-PSSession”, you specify the name or IP address of the remote computer you want to connect to. If you supply alternate credentials, you will be prompted for a username and password to authenticate and establish the remote session.

Example

  2. Invoke-Command

Invoke-Command -ComputerName <ComputerName> -ScriptBlock {<Command or Script>}

“Invoke-Command” is a PowerShell cmdlet that runs commands or scripts on one or more remote computers. It lets you execute PowerShell commands or scripts remotely, without having to log in to each machine individually.
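The following script is an added example, not code from the original post. It ties together the port check from the "Testing if PS Remoting is enabled" section with New-PSSession and Invoke-Command from this section, used defensively: it audits which domain computers accept PSRemoting and which principals the default endpoint allows to connect. It assumes the RSAT ActiveDirectory module is installed, that the caller is a domain admin, and that the domain name MARVEL.local matches the lab above.

```powershell
# Added example (not from the original post): audit PSRemoting exposure in the domain.
# Assumptions: RSAT ActiveDirectory module present, caller is a domain admin,
# and 'MARVEL.local' is the domain to audit.
Import-Module ActiveDirectory

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -Server 'MARVEL.local' |
    Select-Object -ExpandProperty DNSHostName

$results = foreach ($name in $computers) {
    # Same reachability check the post uses (5985 = WinRM over HTTP);
    # -InformationLevel Quiet makes it return only $true or $false.
    $open = Test-NetConnection -ComputerName $name -Port 5985 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $open) {
        [pscustomobject]@{ Computer = $name; Port5985 = $false; WinRM = 'n/a'; Permission = 'n/a' }
        continue
    }
    try {
        # New-PSSession plus Invoke-Command -Session, as in the post; the session
        # is removed afterwards so the audit leaves no lingering session behind.
        $s = New-PSSession -ComputerName $name -ErrorAction Stop
        try {
            $info = Invoke-Command -Session $s -ScriptBlock {
                [pscustomobject]@{
                    WinRM      = (Get-Service -Name WinRM).Status.ToString()
                    # Permission lists who is allowed to connect to the default endpoint.
                    Permission = (Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
                }
            }
        } finally {
            Remove-PSSession -Session $s
        }
        [pscustomobject]@{ Computer = $name; Port5985 = $true; WinRM = $info.WinRM; Permission = $info.Permission }
    } catch {
        [pscustomobject]@{ Computer = $name; Port5985 = $true; WinRM = "error: $($_.Exception.Message)"; Permission = 'n/a' }
    }
}

$results | Format-Table -AutoSize

# Hosts where broad groups may open sessions are the ones to tighten first.
$results | Where-Object { $_.Permission -match 'Everyone|Authenticated Users|Domain Users' } |
    ForEach-Object { Write-Warning "Broad PSRemoting access on $($_.Computer): $($_.Permission)" }
```

By default only Administrators and Remote Management Users appear in the endpoint permission; any additional group listed there widens who can move laterally over WinRM.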

Conclusion

In summary, lateral movement in AD environments can be a significant threat to organizations, and tools like PSRemoting can be used by attackers to move laterally within a network. To prevent lateral movement, organizations should implement strong security controls and regularly monitor and analyze network traffic for suspicious activity.

Security Researcher | (OSWE, OSCP, OSWA, OSWP, CRTP, eWPTX, SSCP)