⚠️ Authorised Lab Use Only: Lateral movement techniques require administrative access on target systems. Practice exclusively in isolated lab environments (HackTheBox, TryHackMe, your own AD lab) or during explicitly authorised penetration tests with signed scope agreements. Unauthorised lateral movement on any network is a serious criminal offence.
Lateral movement techniques 2026 — this is where you take everything BloodHound showed you on Day 27 and execute it. The attack path is drawn. The relationships are mapped. Today you traverse every edge on that graph using four different execution techniques: PSExec, WMI, WinRM, and DCOM. Each one uses different ports, creates different log entries, and leaves a different footprint. Knowing when to use which technique — and why — is the skill that separates a penetration tester from someone who just runs Metasploit and hopes.
🎯 What You’ll Master in Day 28
Understand the four primary lateral movement execution techniques and their tradeoffs
Execute PSExec, WMI, WinRM, and DCOM-based movement using Impacket
Use Evil-WinRM for interactive PowerShell sessions from Kali
Know which Windows Event IDs each technique generates for detection awareness
Build the full credential dump → lateral move → next-hop pipeline
⏱️ 55 min read · 3 hands-on exercises
📊 Where are you with AD lateral movement?
✅ This guide bridges the gap between BloodHound’s attack path theory and actual execution. If you completed Day 26 (Pass the Hash) and Day 27 (BloodHound), today’s practical exercises make the full AD attack chain real.
📋 What You’ll Master — Lateral Movement Techniques 2026
Lateral Movement Overview — Traversing BloodHound Attack Path Edges
Each edge type in a BloodHound graph corresponds to one or more specific lateral movement techniques. The AdminTo edge — your user has local admin on a machine — can be traversed using PSExec, WMI, WinRM, or DCOM depending on which ports are open and which footprint is acceptable. The HasSession edge — an interesting user is logged on to a machine you have admin on — requires credential dumping before the lateral move.
securityelites.com
Lateral Movement Techniques — Ports, Footprint and Detection Risk
PSExec
Port 445
HIGH noise
Creates service (Event 7045) — detected by most EDR
WMI Exec
Port 135+
MED noise
No new service — WMI events logged (4688, 4648)
WinRM
Port 5985
MED noise
Full PowerShell session — WSMan events logged
DCOM
Port 135
LOW noise
Least footprint — leverages legitimate COM objects
📸 Lateral movement technique comparison — four methods, each with different port requirements, noise levels, and detection signatures. The right choice depends on your operational requirements.
🧠 EXERCISE 1 — THINK LIKE A HACKER (10 MIN · NO TOOLS)
Choose the Right Lateral Movement Technique for Three Engagement Scenarios
⏱️ Time: 10 minutes · No tools required
For each scenario, choose the best lateral movement technique
and explain your reasoning:
SCENARIO A: Internal penetration test
– Client has a SOC monitoring Windows Event logs via Splunk
– EDR (CrowdStrike) deployed on all endpoints
– You have local admin credentials on a workstation
– You need to move to a file server (ports 445, 5985 open)
– Detection is being monitored and would alert the client team
– Goal: move with the smallest possible EDR footprint
→ Which technique? Why?
SCENARIO B: Red team engagement
– No monitoring or detection concerns for this phase
– You have NTLM hash (no plaintext password)
– Target has SMB port 445 open
– You need a SYSTEM-level shell for privilege escalation
→ Which Impacket tool and flags?
SCENARIO C: Post-compromise enumeration
– You have valid domain credentials (username + password)
– Target machine has WinRM (port 5985) enabled
– You need to run multiple PowerShell commands interactively
– You are working from Kali Linux
→ Which tool gives you the best interactive experience?
✅ Scenario A: DCOM or WMI — smallest footprint, no service creation, avoids PSExec’s well-known EDR signature. Scenario B: impacket-psexec with -hashes flag — provides SYSTEM shell, hash works without plaintext, SMB port covered. Scenario C: Evil-WinRM — purpose-built for interactive WinRM sessions from Linux, supports tab completion, file transfer, and PowerShell script loading. This decision framework maps directly to how professional red teamers choose techniques during live engagements.
📸 Write your technique selections with reasoning and share in #day-28-lateral on Discord.
PSExec Lateral Movement — SMB-Based Remote SYSTEM Shell
PSExec is the most well-known lateral movement technique and the baseline for understanding all others. Impacket’s implementation uploads a small service binary to the target via SMB, creates a Windows service to execute it, runs your command as SYSTEM, and cleans up afterwards. The result is the most privileged shell possible on a Windows machine — SYSTEM, not just Administrator.
WMI Remote Execution — Stealthy Command Execution Without New Services
WMI (Windows Management Instrumentation) is a built-in Windows management framework that has been present in every Windows version since NT4. Impacket’s wmiexec leverages WMI’s process creation capabilities to execute commands on remote machines without creating any new services — leaving a smaller footprint than PSExec while still providing command execution as Administrator.
# – Uses DCOM/WMI ports (135 + dynamic) not just 445
# – Slightly smaller EDR footprint in practice
WinRM and Evil-WinRM — Interactive PowerShell Sessions From Kali
WinRM (Windows Remote Management) is Microsoft’s implementation of the WS-Management protocol — designed for remote management of Windows machines. Evil-WinRM is a Kali Linux tool that provides a clean interactive interface for WinRM sessions, including PowerShell tab completion, file upload/download, and in-memory script loading. It is the preferred tool for WinRM-based lateral movement from Linux.
EVIL-WINRM — INTERACTIVE LATERAL MOVEMENT FROM KALI
# Load a PowerShell script from Kali into memory (no disk write)
evil-winrm -i TARGET -u USER -p PASS -s /home/kali/ps_scripts/
*Evil-WinRM* PS> Invoke-Mimikatz
🌐 EXERCISE 2 — TRYHACKME (30 MIN)
Practice All Four Lateral Movement Techniques on a TryHackMe AD Lab
⏱️ Time: 30 minutes · Free TryHackMe account
Step 1: Go to tryhackme.com and search for “Lateral Movement and Pivoting”
(free room — covers all major techniques)
Step 2: Deploy the machines and connect via TryHackMe VPN
Step 3: The room provides credentials for a domain user account
Use CrackMapExec to identify which machines accept those creds:
crackmapexec smb 10.200.x.0/24 -u USER -p PASSWORD
Step 4: For each machine showing (Pwn3d!) — try all three tools:
a) impacket-psexec DOMAIN/USER:PASS@TARGET_IP
b) impacket-wmiexec DOMAIN/USER:PASS@TARGET_IP
c) evil-winrm -i TARGET_IP -u USER -p PASS
Step 5: From the shell gained, run secretsdump to get more hashes:
impacket-secretsdump DOMAIN/USER:PASS@TARGET_IP
Step 6: Use the new hashes to attempt lateral movement to the
next machine in the BloodHound path
Step 7: Document:
– Which ports each tool requires
– Which event IDs appeared in the Windows logs (if viewable)
– Which technique gave the best shell experience
✅ What you just learned: The TryHackMe lab makes the full lateral movement cycle concrete — CrackMapExec identifies accessible machines, Impacket provides the shells, secretsdump extracts the next set of credentials, and the cycle continues. This is exactly the workflow used in real internal network penetration tests. The documentation step is important: comparing which technique produced which event IDs builds the detection awareness that makes you a more complete tester.
📸 Screenshot shells from at least two different techniques and share in #day-28-lateral on Discord.
The Credential Dump → Move → Dump Pipeline
FULL LATERAL MOVEMENT PIPELINE — IMPACKET SECRETSDUMP
## PHASE 1: Identify which machines accept your current credentials
Detection Awareness — Event IDs and EDR Signatures Per Technique
Understanding which Windows Event IDs each technique generates is not just defensive knowledge — it informs your red team technique selection and helps you write more accurate pentest reports with specific detection recommendations for clients.
⚡ EXERCISE 3 — KALI TERMINAL (20 MIN)
Execute the Full Credential Dump → Move → Dump Pipeline in Your AD Lab
⏱️ Time: 20 minutes · Kali + AD lab (or TryHackMe machine)
LATERAL MOVEMENT PIPELINE — FULL EXECUTION
# Step 1: Start with known credentials (from previous lab or THM)
crackmapexec smb TARGET_SUBNET -u USER -p PASS –shares
# Step 2: Move to first accessible machine with PSExec
✅ What you just learned: The lateral movement pipeline is a cascading credential harvest — each machine you access potentially holds credentials for other machines. The CrackMapExec sweep after each new hash set is what operationalises this cascade efficiently. In professional penetration tests, a clear chain-of-access diagram showing Initial Foothold → Machine 1 → Credentials → Machine 2 → Domain Admin, with the specific technique used at each hop, constitutes the core of your Active Directory engagement report.
📸 Screenshot your terminal showing successful movement across two machines and share in #day-28-lateral on Discord. Tag #lateralmovement2026
🧠 QUICK CHECK — Day 28
You have local administrator credentials on WORKST01. You want to move laterally to FILESERVER with the smallest possible EDR footprint. The target has ports 445, 5985, and 135 all open. Which Impacket tool would you choose and why?
📋 Commands Used Today — Day 28 Reference Card
crackmapexec smb SUBNET -u USER -p PASSIdentify which machines accept credentials — Pwn3d! = local admin
impacket-psexec DOMAIN/USER:PASS@TARGETPSExec lateral movement — SYSTEM shell via SMB service creation
impacket-wmiexec DOMAIN/USER:PASS@TARGETWMI exec — Administrator shell, no service created, quieter
evil-winrm -i TARGET -u USER -p PASSInteractive PowerShell over WinRM port 5985
evil-winrm -i TARGET -u USER -H NTHASHEvil-WinRM with Pass the Hash — no plaintext needed
impacket-secretsdump DOMAIN/USER:PASS@TARGETRemote credential dump — extracts SAM hashes without interactive shell
crackmapexec smb SUBNET -u USER -H :HASHTest new hash across full subnet — feeds next lateral movement hop
🏆 Mark Day 28 as Complete
You now have the execution toolkit to traverse every AdminTo and HasSession edge BloodHound identifies. The cascade — credential dump, CME sweep, lateral move, credential dump — is the heartbeat of every Active Directory compromise in professional penetration testing.
❓ Frequently Asked Questions
What is lateral movement in penetration testing?
Lateral movement is using initial access on one compromised system to gain access to additional systems within the same network. In Active Directory, this involves using stolen credentials or authentication tokens to authenticate to other machines, progressively moving toward high-value targets like Domain Controllers.
What is the difference between PSExec, WMI, and WinRM for lateral movement?
PSExec creates a remote service (Event 7045) and provides SYSTEM shell via SMB — noisiest but most privileged. WMI executes via the built-in WMI framework without a new service — quieter, Administrator-level. WinRM provides a full interactive PowerShell session over port 5985 — useful for complex operations. DCOM is the quietest option leveraging legitimate COM objects.
What ports must be open for each lateral movement technique?
PSExec requires port 445 (SMB). WMI requires port 135 (DCOM endpoint mapper) plus dynamic high ports. WinRM requires port 5985 (HTTP) or 5986 (HTTPS). Verify target ports before attempting with: nmap -p 445,5985,135 TARGET.
Do I need local administrator rights for lateral movement?
For most techniques (PSExec, WMI, WinRM, PtH), yes — local administrator rights or Domain Admin on the target are required. Standard domain users cannot authenticate to remote services with these techniques unless specific group memberships or ACL rights (revealed by BloodHound) grant access.
How do defenders detect lateral movement?
Key Windows Event IDs: 4648 (explicit credential use), 4624 Type 3 (network logon), 7045 (new service — PSExec indicator), 4688 (new process). SIEM rules alert on one account hitting multiple hosts rapidly. Modern solutions like Microsoft Defender for Identity specifically model lateral movement patterns.
What comes after lateral movement in this course?
Day 29 covers Data Exfiltration Techniques — moving collected data out through DNS tunneling, HTTPS channels, and living-off-the-land built-in Windows tools. After the access phase covered today, Day 29 addresses collection and exfiltration to complete the full attack lifecycle.
← Previous
Day 27: BloodHound Tutorial 2026
Next →
Day 29: Data Exfiltration Techniques 2026
📚 Further Reading
BloodHound Tutorial 2026— Day 27 covers BloodHound attack path mapping — the analytical foundation that determines which machines to target and which lateral movement technique to use at each hop.
Pass the Hash & Pass the Ticket 2026— Day 26 covers NTLM hash and Kerberos ticket reuse — the credential material that powers every Impacket lateral movement command covered today.
100-Day Ethical Hacking Course— The complete course hub with all Active Directory attack days indexed sequentially from enumeration through domain compromise and post-exploitation.
MITRE ATT&CK — Lateral Movement— The definitive MITRE ATT&CK Lateral Movement tactic page listing all known sub-techniques including PSExec (T1021.002), WMI (T1047), and WinRM (T1021.006) with real-world procedure examples.
Impacket GitHub Repository— The official Impacket source and documentation covering all tools including psexec, wmiexec, smbexec, secretsdump, and the full AD attack toolkit with usage examples.
ME
Mr Elite
Owner, SecurityElites.com
The moment I understood lateral movement was not on a lab machine — it was on a real engagement where I had a single low-privileged domain account that BloodHound showed was three hops from Domain Admin. First hop: my account had local admin on a workstation (AdminTo edge). I used wmiexec to get a shell there with no service creation. Second hop: secretsdump revealed a service account logged into that workstation with AdminTo rights on the file server. Third hop: the service account had a stale DCSync permission on the Domain Controller from a backup job configuration three years old. Total time from foothold to Domain Admin: 22 minutes. BloodHound drew the map. Lateral movement executed it. The two tools are inseparable in AD penetration testing.
Leave a Reply