A penetration tester has gained a foothold on a Windows server and wants to move laterally to a domain controller. The tester has access to a service account that is a member of the 'Remote Management Users' group on the domain controller. Which of the following tools would be MOST appropriate for lateral movement in this scenario?
Trap 1: PsExec
PsExec requires administrative privileges and file sharing, which may not be available with the given group membership.
Trap 2: MS16-075 exploit
MS16-075 is a local privilege escalation exploit (token impersonation), not a lateral movement tool.
Trap 3: BloodHound
BloodHound is a reconnaissance tool for mapping Active Directory relationships, not for direct lateral movement execution.
- A: PsExec
  Why wrong: PsExec requires administrative privileges and file sharing, which may not be available with the given group membership.
- B: MS16-075 exploit
  Why wrong: MS16-075 is a local privilege escalation exploit (token impersonation), not a lateral movement tool.
- C: WinRM
  Correct. WinRM is designed for remote management, and the account's membership in 'Remote Management Users' is what makes it usable for lateral movement here.
- D: BloodHound
  Why wrong: BloodHound is a reconnaissance tool for mapping Active Directory relationships, not for direct lateral movement execution.