Lateral Movement and Pivoting TryHackMe

Overview

This room covers how attackers move through an environment after gaining an initial foothold. It focuses on common lateral movement techniques, remote process execution, using alternative authentication material, and leveraging compromised hosts as pivots to reach deeper network segments.

Core idea: compromise is rarely the end of the attack. Once inside, the real work is moving laterally, extracting better access, and using new footholds to reach systems that matter.

1) What Lateral Movement Is

Lateral movement is the set of techniques used to move from one compromised host to others in the same network.

reach final goals such as sensitive servers or repositories,
bypass network segmentation or local restrictions,
establish more durable access points,
blend into normal user or admin behaviour.

The room presents this as a cycle: compromise, elevate, extract credentials, move, then repeat.

2) Why Pivoting Matters

A compromised host is often useful not because it is valuable itself, but because it can reach systems you cannot.

A low-value workstation may still see internal services your attacker box cannot.
A developer workstation might have access to code repositories or build systems.
An internal admin host may expose management protocols blocked elsewhere.

Operational point: a quieter path through a plausible host is usually better than a direct but suspicious path from your first foothold.

3) Admin Accounts and UAC

The room makes an important distinction between local admins and domain admins with local admin rights.

Local admin accounts are often limited remotely by UAC filtering unless they are the built-in Administrator account.
Domain accounts added to local Administrators are usually not subject to the same filtering.
If a technique unexpectedly fails, UAC filtering on a local admin account may be the reason.

4) Remote Process Creation with PsExec

PsExec remains one of the classic Windows lateral movement tools.

Uses SMB on 445/tcp.
Uploads a service binary to ADMIN$.
Creates and starts a service remotely.
Uses named pipes to handle stdin, stdout, and stderr.

The required privilege level is administrative access on the remote host.

5) WinRM and Remote PowerShell

Windows Remote Management is another major lateral movement path.

Uses 5985/tcp for HTTP or 5986/tcp for HTTPS.
winrs.exe can launch a remote shell from command prompt.
Enter-PSSession gives an interactive remote PowerShell session.
Invoke-Command runs script blocks remotely.

This is often cleaner and more admin-like than dropping custom tooling.

6) Creating Services and Scheduled Tasks Remotely

The room also covers native Windows methods to execute code remotely.

sc.exe: create, start, stop, and delete services remotely.
schtasks: create and run scheduled tasks on a remote host.

These methods are powerful because they use built-in OS tooling, but they are often blind in the sense that you do not directly receive command output.

7) Service Payloads and Reverse Shells

The room points out an important operational detail: not every executable behaves correctly as a Windows service.

Regular reverse shell binaries may die immediately when executed as a service.
msfvenom supports exe-service payloads specifically for this use case.
A service-safe payload can then be uploaded through SMB and executed through sc.exe.

8) Runas for Token Context

The room reuses a familiar AD trick: runas /netonly to execute network actions under another credential set.

This is useful when you need remote authentication as another domain user.
It is also helpful when you only have SSH or a limited shell and need a second process with the right access token.
Combined with native Windows tools, it allows credential-backed lateral movement without fully logging on as that user.

9) WMI for Lateral Movement

Windows Management Instrumentation gives another major route for remote execution and service creation.

Can use DCOM over RPC or WinRM-based transport.
Invoke-CimMethod can create processes remotely via Win32_Process.
WMI can also create and manage services.
Legacy wmic.exe can still be used in some environments.

Tradeoff: WMI is flexible and native, but like some service-based methods, it often gives you limited direct output back.

10) Practical Lateral Movement Mindset

This room is about selecting the least noisy route that still gets the job done.

Use credentials that make sense for the target host.
Prefer techniques that blend into expected admin behaviour where possible.
Use pivot hosts to reach new network zones.
Expect to repeat the cycle of access, elevation, credential collection, and movement.

Exam Notes (PT1)

Lateral movement is an iterative process, not a one-time action after compromise.
Key remote execution methods to know are PsExec, WinRM, sc.exe, schtasks, and WMI.
UAC can block some remote admin actions for non-default local administrator accounts.
msfvenom exe-service payloads matter when executing through Windows services.
Pivoting is about using compromised hosts to reach systems or services your attacker box cannot access directly.