PT0-002, Chapter 27 of 104, Objective 3.4

Lateral Movement Techniques

This chapter covers lateral movement techniques, a critical phase in penetration testing where an attacker expands access from an initial foothold to other systems within a network. Lateral movement is heavily tested on the PT0-002 exam, appearing in roughly 15-20% of questions related to Attacks and Exploits (Objective 3.4). Understanding these techniques is essential for simulating real-world attacks and for developing effective detection and mitigation strategies. We will dissect the most common methods, including Pass-the-Hash, Pass-the-Ticket, PSExec, WMI, WinRM, SSH tunneling, and DCOM, with a focus on their mechanics, required conditions, and detection signatures.

Updated May 31, 2026

Lateral Movement as a Bank Heist

Imagine a team of bank robbers who first breach the bank by picking a single lock on a side door (initial compromise). Once inside, they are in the lobby (first foothold). They cannot just walk into the vault; they must move through the bank without setting off alarms. They first find a janitor's keycard (pass the hash) to access the staff hallway. In the hallway, they discover a manager's office with a computer logged into the internal network (pass the ticket). Using that session, they access the security camera system (remote desktop) to see guard patrols. They then find a server room with a backup terminal (PSExec) that has direct access to the vault's electronic lock. Each step uses legitimate credentials or tools to avoid triggering alarms. If they had tried to break down doors, the silent alarm would have been tripped. The robbers must maintain persistence (hide in a closet) and clean up traces (wipe logs) before escaping. This mirrors how an attacker uses stolen credentials and built-in Windows tools to hop from machine to machine, escalating privileges and accessing sensitive data, all while appearing as normal administrative activity.

How It Actually Works

What is Lateral Movement and Why Does It Exist?

Lateral movement refers to techniques used by attackers to move from one compromised host to other hosts within the same network. After initial compromise (e.g., through phishing or exploiting a vulnerability), the attacker often has limited access. Lateral movement allows the attacker to pivot, escalate privileges, and reach high-value targets such as domain controllers, databases, or file servers. It is a cornerstone of advanced persistent threats (APTs) and ransomware attacks.

On the PT0-002 exam, you must understand not only how each technique works but also when it is applicable, what tools implement it, and how to detect/prevent it. The exam will present scenarios where you must choose the correct technique based on the attacker's current access and the target environment.

Pass-the-Hash (PtH)

Mechanism: Pass-the-Hash (PtH) is an attack that uses the NTLM hash of a user's password to authenticate to remote systems without knowing the plaintext password. It exploits the NTLM challenge-response authentication protocol where the hash itself is the secret.

Step-by-step:
1. Attacker obtains the NTLM hash of a user account (e.g., from an LSASS memory dump, the SAM database, or a credential dumping tool like Mimikatz).
2. Attacker initiates an SMB connection to a target machine using tools like psexec, wmiexec, or smbexec.
3. During NTLM authentication, the target sends a random 8-byte challenge.
4. The attacker's tool computes the NTLM response by encrypting the challenge with the stolen hash (without needing the plaintext password).
5. The target verifies the response against the stored hash and grants access if valid.

Key Requirements:
- The target must be using NTLM authentication (Kerberos is not vulnerable to PtH).
- The attacker must have administrative privileges on the source machine to extract hashes.
- The stolen hash must belong to a user who has local admin rights on the target (or the target must have the same local admin password).

Tools: Mimikatz, Metasploit psexec module, Impacket's psexec.py, CrackMapExec.

Detection: Windows Event ID 4624 (logon type 3) with unusual source IPs, multiple failed logons followed by a success, or use of NTLMv1 (older, weaker).

Pass-the-Ticket (PtT)

Mechanism: Pass-the-Ticket (PtT) is a Kerberos-based attack where the attacker steals a Kerberos Ticket Granting Ticket (TGT) or service ticket from a compromised host and uses it to authenticate to other services as that user.

Step-by-step:
1. Attacker extracts Kerberos tickets from LSASS memory using Mimikatz (e.g., sekurlsa::tickets /export).
2. The attacker injects the ticket into their own Kerberos cache on a different machine using Mimikatz kerberos::ptt.
3. The injected ticket is then used transparently by the Windows SSPI for authentication to services such as SMB, HTTP, or LDAP.

Key Requirements:
- The attacker must have administrative access to the source machine to extract tickets.
- The ticket must still be valid (not expired). TGTs typically have a 10-hour lifetime by default.
- The target service must trust the domain controller that issued the ticket.

Tools: Mimikatz, Rubeus, Impacket's ticketer.py.

Detection: Event ID 4768 (TGT request) and 4769 (service ticket request) with anomalous patterns, or use of unusual encryption types.

PSExec

Mechanism: PSExec is a legitimate Sysinternals tool that allows remote command execution via SMB. It works by:
1. Connecting to the ADMIN$ share on the target.
2. Uploading a service binary (e.g., PSEXESVC.exe) to the target's admin share.
3. Using the Windows Service Control Manager (SCM) to create and start a service that runs the uploaded binary.
4. The binary creates a named pipe that the client uses to send commands and receive output.
5. After execution, PSExec stops and deletes the service and binary (unless the -s flag is used).

Key Requirements:
- The attacker must have administrative credentials (or a hash for PtH) to access ADMIN$.
- The target must have the SMB service running (port 445).
- Windows Firewall must allow inbound SMB connections.

Detection: Event ID 7045 (service creation) for a service named PSEXESVC or similar, network traffic to ADMIN$ share, and file creation of PSEXESVC.exe.

Windows Management Instrumentation (WMI)

Mechanism: WMI allows remote management of Windows systems. Attackers can use WMI to execute commands, gather information, or deploy malware without writing files to disk (fileless).

Common WMI lateral movement methods:
- wmic /node:TARGET process call create "command" - Executes a process remotely.
- Using WMI event subscriptions to trigger execution upon certain events (e.g., system startup).
- Using Invoke-WmiMethod in PowerShell.

Key Requirements:
- Administrative credentials (local admin or domain admin).
- DCOM (port 135) and RPC endpoints (dynamic high ports) must be accessible.
- Windows Firewall must allow WMI traffic.

Detection: Event ID 4688 (process creation) with WMIC.exe or powershell.exe as parent, network connections to port 135, and WMI activity logs (Event ID 5861).

Windows Remote Management (WinRM)

Mechanism: WinRM is Microsoft's implementation of WS-Management, typically used for PowerShell Remoting. It uses HTTP (port 5985) or HTTPS (port 5986) for encrypted communication.

Common attack methods:
- Enter-PSSession -ComputerName TARGET - Interactive PowerShell session.
- Invoke-Command -ComputerName TARGET -ScriptBlock { ... } - Run commands remotely.
- Using the winrs command-line tool.

Key Requirements:
- The target must have WinRM enabled (default on Server 2012+).
- The attacker must have administrative credentials.
- The target must be in the same trust relationship (domain-joined or same workgroup with proper configuration).

Detection: Event ID 4104 (PowerShell script block logging), 400 (engine state), and network connections to ports 5985/5986.

SSH Tunneling

Mechanism: SSH tunneling allows an attacker to forward ports from a compromised host to another host, effectively creating an encrypted tunnel through which other tools can communicate.

Common types:
- Local port forwarding: ssh -L local_port:target_host:target_port user@jumpbox - Forwards a local port to a target through the jump box.
- Remote port forwarding: ssh -R remote_port:local_host:local_port user@jumpbox - Allows the jump box to access a service on the attacker's machine.
- Dynamic port forwarding: ssh -D local_port user@jumpbox - Creates a SOCKS proxy.

Key Requirements:
- SSH access to a compromised host that can reach the target.
- The target may be isolated from the attacker's machine but reachable from the jump box.

Detection: Unusual SSH connections, especially to non-standard ports, or SSH traffic to known malicious IPs.

Distributed Component Object Model (DCOM)

Mechanism: DCOM allows software components to communicate remotely. Attackers can abuse DCOM to execute code on remote machines via applications like Microsoft Office (Excel, Word) or MMC.

Example: Using [activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Application", "TARGET")) to instantiate Excel remotely and execute VBA macros.

Key Requirements:
- The target must have the abused application (e.g., Excel) installed.
- The attacker must have administrative credentials.
- DCOM must be enabled (default on Windows).

Detection: Event ID 1000 (application error) or unusual COM object instantiation logs.

Comparison of Techniques

PtH vs PtT: PtH works with NTLM, PtT with Kerberos. PtT is more stealthy as it uses valid tickets.

PSExec vs WMI: PSExec writes a binary to disk (more detectable), while WMI can be fileless.

WinRM vs SSH: WinRM is native to Windows, SSH requires additional software (OpenSSH) but is cross-platform.

DCOM vs Others: DCOM relies on specific applications, making it less general but very effective against certain targets.

Tools and Commands

Mimikatz: sekurlsa::logonpasswords (dump hashes), sekurlsa::tickets /export (dump tickets), kerberos::ptt (inject ticket).

Impacket: psexec.py, wmiexec.py, smbexec.py, ticketer.py.

CrackMapExec: cme smb TARGET -u USER -H HASH -x COMMAND (PtH execution).

PowerShell: Invoke-WmiMethod, Invoke-Command, Enter-PSSession.

Detection and Mitigation

Network segmentation: Limit lateral movement by isolating critical systems.

Least privilege: Use LAPS for local admin passwords, restrict domain admin usage.

Credential Guard: Protects against hash dumping.

Logging: Enable advanced audit policies (Audit Logon, Audit Process Creation) and use SIEM.

Endpoint Detection and Response (EDR): Monitor for suspicious tool execution (Mimikatz, PSExec).
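The detection notes scattered through this chapter (Event ID 4624 with logon type 3 and NTLM for PtH, Event ID 7045 naming PSEXESVC for PSExec, Event ID 4688 with a WmiPrvSE parent for WMI) and the logging item above can be combined into one correlation routine of the kind a SIEM rule or hunting script would implement. The following is an added example, not from this chapter's author: it runs over constructed event records shaped like parsed Security and System log entries. The field names follow the Windows event data names; the jump-host allow-list, the two-minute correlation window and the sample hosts and addresses are assumptions.

```python
"""Correlate Windows event records into lateral-movement findings.

Added example for this chapter (not the page author's code). SAMPLE_EVENTS are
constructed records shaped like parsed Security/System log entries; the field
names follow the Windows event data names, while the allow-list, the window and
the hosts/addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: hosts from which remote administration is expected to originate.
ADMIN_JUMP_HOSTS = {"10.0.0.5"}

# Constructed sample records (times are ISO 8601 so they sort lexically).
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "FILESRV01", "Time": "2024-03-01T09:00:00", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Computer": "FILESRV01", "Time": "2024-03-01T09:05:00", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetUserName": "Administrator", "IpAddress": "10.0.3.42"},
    {"EventID": 7045, "Computer": "FILESRV01", "Time": "2024-03-01T09:05:02",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4624, "Computer": "HR-WS07", "Time": "2024-03-01T09:10:00", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1",
     "TargetUserName": "jsmith", "IpAddress": "10.0.3.42"},
    {"EventID": 4624, "Computer": "DC01", "Time": "2024-03-01T09:11:58", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "TargetUserName": "jsmith", "IpAddress": "10.0.0.5"},
    {"EventID": 4688, "Computer": "DC01", "Time": "2024-03-01T09:12:00",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
]


def analyze(events, window=timedelta(minutes=2)):
    """Return (finding, host, detail) tuples in time order.

    One rule per detection note in the chapter:
      4624/type 3 with NTLM      -> NTLMv1 use, or a network logon from a host that is
                                    not an expected admin source (PtH candidate)
      7045 naming PSEXESVC       -> PSExec service install, tied to the most recent
                                    network logon on that host inside `window`
      4688 parented by WmiPrvSE  -> process spawned through remote WMI
    """
    findings = []
    network_logons = defaultdict(list)          # host -> [(time, source ip)]
    for ev in sorted(events, key=lambda e: e["Time"]):
        when = datetime.fromisoformat(ev["Time"])
        host = ev["Computer"]
        eid = ev["EventID"]
        if eid == 4624 and ev.get("LogonType") == 3:
            src = ev.get("IpAddress", "-")
            network_logons[host].append((when, src))
            if ev.get("AuthenticationPackageName") == "NTLM":
                if ev.get("LmPackageName") == "NTLM V1":
                    findings.append(("ntlmv1_logon", host, src))
                if src not in ADMIN_JUMP_HOSTS:
                    findings.append(("ntlm_network_logon_from_unexpected_source", host, src))
        elif eid == 7045:
            blob = (ev.get("ServiceName", "") + " " + ev.get("ImagePath", "")).upper()
            if "PSEXESVC" in blob:
                recent = [s for t, s in network_logons[host] if when - t <= window]
                findings.append(("psexec_service_install", host, recent[-1] if recent else None))
        elif eid == 4688:
            parent = ev.get("ParentProcessName", "").lower()
            if parent.endswith("\\wmiprvse.exe"):
                findings.append(("wmi_spawned_process", host, ev.get("NewProcessName")))
    return findings


def findings_by_host(findings):
    """Group finding names per host so an analyst can see which machines chain together."""
    grouped = defaultdict(list)
    for name, host, _ in findings:
        grouped[host].append(name)
    return dict(grouped)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input the NTLM logon from the allow-listed jump host is ignored, the PSExec service install on FILESRV01 is attributed to the preceding network logon from 10.0.3.42, the NTLMv1 logon is flagged on its own, and the Kerberos logon to DC01 is not a finding, which is why only the WMI-spawned process is reported there. A renamed service binary would defeat the PSEXESVC string match, so in practice the 7045 rule should also alert on any service whose ImagePath points at a freshly written executable.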

Walk-Through

Step 1: Initial Compromise and Reconnaissance

The attacker gains initial access to a host (e.g., via phishing). They then perform reconnaissance to identify other hosts, users, and services. Tools like BloodHound map Active Directory relationships. The attacker collects credentials from LSASS memory using Mimikatz or from the SAM registry hive. They also gather network information to plan lateral movement paths.

Step 2: Credential Extraction and Cracking

Using tools like Mimikatz, the attacker extracts NTLM hashes, Kerberos tickets, and plaintext passwords from memory. If only hashes are obtained, they may attempt offline cracking (e.g., using hashcat) to obtain plaintext passwords. The attacker may also use pass-the-hash directly without cracking. They prioritize high-value accounts (domain admins, service accounts).

Step 3: Selecting Lateral Movement Technique

Based on the target environment, the attacker chooses the appropriate technique. If SMB is open and NTLM is used, PtH with PSExec is common. For Kerberos environments, PtT is stealthier. If only WinRM is available, they use PowerShell remoting. For Linux targets, SSH tunneling is used. The attacker considers firewall rules and endpoint protection.

Step 4: Authenticate and Execute on Target

The attacker uses the chosen technique to authenticate to the target. For PtH, they use tools like `psexec.py -hashes LM:NTLM USER@TARGET`. For PtT, they inject the ticket and then access SMB shares. The attacker executes commands to download additional tools, establish persistence (e.g., scheduled tasks), or extract data.

Step 5: Clean Up and Cover Tracks

After successful lateral movement, the attacker cleans up artifacts: they delete uploaded binaries (e.g., PSExec service), clear event logs (e.g., using `wevtutil cl`), and remove scheduled tasks. They may also disable logging or tamper with audit policies. This step is crucial to avoid detection and maintain access.

What This Looks Like on the Job

In a typical enterprise penetration test, lateral movement is the bridge between initial access and domain dominance. For example, during a red team engagement for a financial institution, the team first phishes a user in the HR department. After gaining a foothold, they use BloodHound to identify that the HR user is a local admin on a file server. Using PtH, they pivot to the file server and discover a service account with domain admin privileges stored in a script. They then use PSExec to deploy a Cobalt Strike beacon on the domain controller.

Another common scenario is in healthcare networks where legacy systems still use NTLM. An attacker compromises a workstation and uses Mimikatz to extract local admin hashes. Since many workstations share the same local admin password (not managed by LAPS), the attacker can use PtH to move laterally across dozens of machines in minutes, eventually reaching the EHR database server.

Cloud environments also require lateral movement. After compromising a jump box in AWS, an attacker uses SSH tunneling to access internal RDS databases that are not publicly exposed. They set up a local port forward to connect to the database from their local machine, bypassing network ACLs.

Misconfigurations that enable lateral movement include: lack of network segmentation (flat networks), excessive local admin privileges, default local admin passwords, no Credential Guard, and over-reliance on NTLM. The most common mistake is assuming that strong passwords alone prevent PtH—they do not, because the hash is the secret.

Performance considerations: PtH and PtT are fast but generate distinct network patterns. PSExec writes files, which can trigger AV. WMI and WinRM are slower but stealthier. SSH tunneling adds encryption overhead but is necessary for crossing network boundaries.

When misconfigured, lateral movement can be blocked entirely. For example, if SMB is blocked on the firewall, PSExec and PtH over SMB fail. If Kerberos is enforced with constrained delegation, PtT may not work without specific tickets. Understanding these nuances is critical for both attackers and defenders.

How PT0-002 Actually Tests This

The PT0-002 exam (Objective 3.4) tests your ability to select the appropriate lateral movement technique given a scenario. You must know: (1) Which techniques require NTLM vs Kerberos, (2) Which tools implement each technique, (3) The ports and protocols used, (4) How to detect each technique.

Common wrong answers:
- Choosing 'Pass-the-Hash' when the scenario mentions a Kerberos-only environment (PtH only works with NTLM).
- Choosing 'PSExec' when the target is Linux (PSExec is Windows-only).
- Thinking that PtH requires plaintext passwords (it does not; the hash is sufficient).
- Confusing WMI with WinRM: WMI uses DCOM (port 135), WinRM uses HTTP/HTTPS (5985/5986).

Specific numbers and terms:
- NTLM hash length: 32 hex characters (128 bits for NT hash).
- Default Kerberos TGT lifetime: 10 hours.
- Default local admin password: often blank or 'Password123' in labs.
- Ports: SMB (445), RPC (135), WinRM (5985/5986), SSH (22).

Edge cases:
- PtH works even if the account is disabled (the hash is still valid until password change).
- PtT requires the target to trust the DC that issued the ticket; cross-forest trusts can be exploited.
- PSExec can be detected by Event ID 7045; attackers often rename the service binary to avoid detection.

How to eliminate wrong answers:
- If the scenario says 'NTLM authentication is disabled', eliminate PtH and any SMB-based technique.
- If the target is a Linux server, eliminate all Windows-specific techniques (PSExec, WMI, WinRM).
- If the attacker has a plaintext password, consider using WMI or WinRM instead of PtH (though PtH still works).
- Look for clues about firewall rules: if port 445 is blocked, PSExec is not possible.

Focus on understanding the underlying authentication protocol (NTLM vs Kerberos) and the required ports. The exam expects you to reason about what is possible in a given network configuration.

Key Takeaways

Lateral movement is the process of moving from one compromised host to another within a network.

Pass-the-Hash uses NTLM hashes to authenticate without the plaintext password.

Pass-the-Ticket uses stolen Kerberos tickets to impersonate a user.

PSExec works by creating a service on the target via SMB.

WMI and WinRM allow remote command execution without writing files to disk.

SSH tunneling can bypass firewalls by forwarding ports through a compromised host.

Detection focuses on unusual authentication patterns, service creation events, and network connections to management ports.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Pass-the-Hash (PtH)

Works with NTLM authentication only.

Requires the NTLM hash of the target user.

Typically uses SMB (port 445) or other NTLM-enabled protocols.

Can be used even if Kerberos is disabled.

Tools: Mimikatz, Impacket, CrackMapExec.

Pass-the-Ticket (PtT)

Works with Kerberos authentication only.

Requires a valid Kerberos ticket (TGT or ST).

Uses any Kerberos-enabled protocol (SMB, HTTP, LDAP).

Requires the target to trust the issuing Domain Controller.

Tools: Mimikatz, Rubeus, Impacket.

Watch Out for These

Mistake: Pass-the-Hash requires administrative privileges on the target.

Correct: PtH only requires that the stolen hash belongs to a user with local admin rights on the target. The attacker does not need admin rights on the target beforehand; they just need the hash of an admin account.

Mistake: Pass-the-Ticket only works with TGTs.

Correct: PtT can also use service tickets (STs). An attacker can steal a service ticket for a specific service and use it to access that service without needing the TGT.

Mistake: PSExec is always detected by antivirus.

Correct: PSExec is a legitimate Microsoft tool and is often whitelisted. Attackers can rename the binary or use alternative implementations like Impacket's psexec.py to avoid signature-based detection.

Mistake: WMI lateral movement always writes files to disk.

Correct: WMI can execute commands without writing files to disk (fileless). For example, using `wmic process call create` spawns a process directly without dropping a binary.

Mistake: SSH tunneling is only for Linux environments.

Correct: Windows 10 and Server 2019 include the OpenSSH client and server. SSH tunneling works on Windows as well, allowing lateral movement between Windows systems.


Frequently Asked Questions

What is the difference between Pass-the-Hash and Pass-the-Ticket?

Pass-the-Hash (PtH) uses the NTLM hash of a user's password to authenticate to remote systems that use NTLM. Pass-the-Ticket (PtT) uses a Kerberos ticket (TGT or service ticket) to authenticate to services that use Kerberos. PtH does not require the plaintext password; the hash is sufficient. PtT requires a valid ticket that has not expired. PtH works over SMB and other NTLM protocols, while PtT works over any Kerberos-enabled protocol.

Can you use Pass-the-Hash against a Linux system?

No, PtH is specific to Windows NTLM authentication. Linux systems typically use SSH keys or Kerberos (if integrated with AD). However, if a Linux system is configured to use NTLM authentication (e.g., via Samba for file sharing), PtH could work against Samba services. In general, for Linux lateral movement, attackers use SSH key theft or password cracking.

What ports are used by PSExec?

PSExec uses SMB over port 445. It connects to the ADMIN$ share (C:\Windows) and creates a service. It also uses a named pipe, which is established over SMB. If SMB is blocked, PSExec will not work.

How can I detect WMI lateral movement?

Detection includes monitoring Event ID 4688 (process creation) with parent process `wmiprvse.exe` or `WmiPrvSE.exe`. Also, network connections to port 135 (RPC) and subsequent dynamic ports. WMI activity logs (Event ID 5861) can show WMI event filter and consumer creation. Use Sysmon to log process creation with command-line arguments.

What is the default lifetime of a Kerberos TGT?

The default TGT lifetime in Windows Active Directory is 10 hours. This is configurable via Group Policy. Service tickets have a default lifetime of 1 hour. Attackers must use the ticket before it expires; they can also request new tickets if they have the TGT.

Is it possible to use Pass-the-Hash with PowerShell remoting?

PowerShell remoting (WinRM) can use either NTLM or Kerberos. If NTLM is used, you can pass the hash by using tools like Invoke-Command with -Authentication Negotiate and providing the hash via a PSCredential object. However, typical PtH tools like Impacket's psexec.py use SMB, not WinRM.

What is the difference between WMI and WinRM?

WMI uses DCOM (port 135) and RPC dynamic ports. WinRM uses HTTP (port 5985) or HTTPS (port 5986). WMI is older and more verbose; WinRM is the modern replacement and is required for PowerShell remoting. Both require administrative credentials. WMI can execute commands without writing files, while WinRM typically uses PowerShell.

