| skipped 13 lines |
| 14 | 14 | | This module run a wmic /node:[ip] command in order to launch commands on a remote windows system. |
| 15 | 15 | | This will result in a lateral movement if shared credentials are known. |
| 16 | 16 | | |
| 17 | | - | Note that if you use local users credentials you should ensure that, on the target server, the feature |
| 18 | | - | "LocalAccountTokenFilterPolicy" is disabled. |
| | 17 | + | Note that if you use local admin credentials you should ensure that, on the target server, the feature |
| | 18 | + | "LocalAccountTokenFilterPolicy" is disabled. (except for builtin Administrator) |
| 19 | 19 | | To disable that you need to add the following regkey with the value of 1: |
| 20 | 20 | | |
| 21 | 21 | | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy |
| skipped 2 lines |
| 24 | 24 | | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f |
| 25 | 25 | | |
| 26 | 26 | | If you use domain users for the lateral movement, no restrictions to the process token will be applied. |
| 27 | | - | Remember to always specify the domain in the username field. If you use a local account use |
| | 27 | + | Remember to always specify the domain in the username field. If you use a local account use the machine name as the domain. |
| 28 | 28 | | |
| 29 | 29 | | This module uses WMI builtin features wmi and doesn't need additional files to be droppend on the target |
| 30 | 30 | | server. |
| skipped 103 lines |
antonioCoco
committed
3 years ago
1 parent b234d3b0