Darren Webb ☠🕷 retweeted
Windows LPE -> Priv Util via embedded psexec -> nt-authority\system. Eden is a great project, made by @marinaiced, which I contributed to; using it I managed to escalate from base user permissions to system level.
Pass-the-CCache: Lateral Movement Technique 🔥 Telegram: t.me/hackinarticles ✴ Twitter: x.com/hackinarticles Pass-the-CCache is a stealthy Kerberos-based attack where attackers use exported .ccache tickets to authenticate without passwords or NTLM hashes. ⚡ Key Features 🎟️ Reuse Kerberos tickets (.ccache) 🔐 No need for plaintext creds or hashes 💻 Works with Impacket tools 🚀 Lateral movement via: PsExec, WmiExec, AtExec, SmbExec 🖥️ Remote access using Evil-WinRM ⚡ NetExec support (WinRM & WMI) 🕵️ Low detection footprint 💡 This technique abuses Kerberos authentication by reusing valid tickets, helping attackers pivot inside Active Directory environments silently. 📖 Article: hackingarticles.in/lateral-m… #CyberSecurity #EthicalHacking #RedTeam #Pentesting #ActiveDirectory #Kerberos #LateralMovement #InfoSec
TRC analysis shows The Gentlemen ransomware group exploiting VPN appliances to rapidly encrypt entire networks within hours. Attackers use PsExec for lateral movement and deploy ransomware via Group Policy Objects. Runtime segmentation helps contain such post-compromise activity across network segments. #Ransomware 🔗 Full TRC analysis: aviatrix.ai/threat-research-…
This one has been a pain in the balls 😅 so many things to learn in depth about tickets, psexec, etc. ...
Lateral Movement Containment: Stopping Adversary Spread Through Your Network

Lateral movement is where attackers turn a single compromised endpoint into full domain compromise. Once they have initial access, adversaries pivot through your network using legitimate admin tools (PsExec, WMI, RDP, or stolen credentials). Your ability to detect and contain this movement determines whether you're dealing with a single incident or a network-wide breach.

Start with correlation. Pull Windows Security Event 4624 (successful logon) across all hosts. Look for Type 3 (network) and Type 10 (remote interactive) logons from unusual source IPs. Cross-reference with process creation events for psexec.exe, wmiprvse.exe spawning suspicious children, or mstsc.exe connections. EDR telemetry showing credential dumping (lsass access) followed by remote authentication is a red flag. Network flow data helps map the attack path: which hosts talked to which, and when.

Containment must be immediate and surgical. Reset passwords for all compromised accounts. Disable affected user accounts until you've verified no persistence. If the attacker used a service account, rotation becomes critical. Network segmentation buys you time: VLAN isolation or firewall rules to block lateral traffic between compromised and clean zones.

Evidence collection: preserve Windows Security, System, and Application logs from every affected host. Capture EDR process trees, file system timelines, and registry snapshots. Network flow logs (NetFlow, Zeek) show lateral connections. Memory dumps from compromised hosts may reveal injected code or credential material in lsass.

Cleanup requires methodical host remediation. Remove scheduled tasks, services, WMI event subscriptions, and registry run keys the attacker planted. Rotate local administrator passwords on every affected machine. This is where LAPS (Local Administrator Password Solution) proves its value: unique, randomized local admin passwords per host prevent attackers from reusing NTLM hashes across your fleet.

Lesson learned: lateral movement containment is a race. The faster you identify the scope, isolate affected systems, and rotate credentials, the smaller your blast radius. Implement LAPS before the incident, not after. #IncidentResponse #DFIR
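The correlation step the post above describes (Type 3/10 logons from unexpected sources, cross-referenced with PsExec or WMI process creation on the same host), as an added example that is not part of the original post. The events are constructed sample records, not real telemetry; the jump-host allow-list, the five-minute correlation window and the list of "shell-like" child processes are assumptions chosen for the illustration.

```python
"""Correlate Windows 4624 logons with 4688 process creations to flag
lateral-movement candidates. Added example; sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Field names mirror the 4624 /
# 4688 attributes the post refers to: LogonType, IpAddress, TargetUserName,
# NewProcessName and ParentProcessName.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "host": "WS-01", "id": 4624, "logon_type": 3,
     "user": "jdoe", "src_ip": "10.0.5.23"},
    {"time": "2024-05-01T10:00:12", "host": "WS-01", "id": 4688, "user": "SYSTEM",
     "process": r"C:\Windows\PSEXESVC.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"time": "2024-05-01T10:01:00", "host": "WS-01", "id": 4688, "user": "SYSTEM",
     "process": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\PSEXESVC.exe"},
    {"time": "2024-05-01T10:30:00", "host": "SRV-DB", "id": 4624, "logon_type": 3,
     "user": "svc_backup", "src_ip": "10.0.5.23"},
    {"time": "2024-05-01T10:30:05", "host": "SRV-DB", "id": 4688, "user": "svc_backup",
     "process": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"time": "2024-05-01T11:00:00", "host": "FS-01", "id": 4624, "logon_type": 10,
     "user": "admin.ops", "src_ip": "10.0.9.5"},     # sanctioned jump host
    {"time": "2024-05-01T11:00:30", "host": "FS-01", "id": 4688, "user": "admin.ops",
     "process": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe"},
    {"time": "2024-05-01T12:00:00", "host": "WS-07", "id": 4624, "logon_type": 2,
     "user": "asmith", "src_ip": "-"},                # console logon, not remote
]

ADMIN_JUMP_HOSTS = {"10.0.9.5"}          # assumption: approved admin source IPs
REMOTE_LOGON_TYPES = {3, 10}             # network and RemoteInteractive (RDP)
SUSPICIOUS_PARENTS = {"psexesvc.exe", "wmiprvse.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=5)            # assumption: logon-to-activity window


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(s):
    return datetime.fromisoformat(s)


def remote_logons(events):
    """4624 events of Type 3/10 whose source IP is not an approved jump host."""
    return [e for e in events
            if e["id"] == 4624 and e["logon_type"] in REMOTE_LOGON_TYPES
            and e["src_ip"] not in ADMIN_JUMP_HOSTS]


def suspicious_spawns(events):
    """4688 events showing the PsExec service binary being started, or
    psexesvc.exe / wmiprvse.exe spawning a shell-like child."""
    out = []
    for e in events:
        if e["id"] != 4688:
            continue
        child, parent = _basename(e["process"]), _basename(e["parent"])
        if child == "psexesvc.exe" or (parent in SUSPICIOUS_PARENTS
                                       and child in SUSPICIOUS_CHILDREN):
            out.append(e)
    return out


def correlate(events):
    """One alert per unapproved remote logon that is followed, on the same
    host and within WINDOW, by suspicious process activity."""
    spawns = suspicious_spawns(events)
    alerts = []
    for lg in remote_logons(events):
        t0 = _ts(lg["time"])
        linked = [s for s in spawns if s["host"] == lg["host"]
                  and t0 <= _ts(s["time"]) <= t0 + WINDOW]
        if linked:
            alerts.append({"host": lg["host"], "user": lg["user"],
                           "src_ip": lg["src_ip"], "logon_type": lg["logon_type"],
                           "evidence": [_basename(s["process"]) for s in linked]})
    return alerts


def attack_path(alerts):
    """Map each originating IP to the hosts it pivoted to, in event order."""
    path = defaultdict(list)
    for a in alerts:
        path[a["src_ip"]].append(a["host"])
    return dict(path)


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("pivot map:", attack_path(found))
```

On the sample data the allowed RDP session from the jump host and the console logon are ignored, while 10.0.5.23 is tied to both WS-01 (PSEXESVC.exe install plus a cmd.exe child) and SRV-DB (cmd.exe under WmiPrvSE.exe). Real 4688 events only carry ParentProcessName when process-creation auditing (and command-line logging, if wanted) is enabled, so confirm that audit policy before relying on the parent check.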
The Gentlemen ransomware combines per-file Curve25519/XChaCha20 encryption with self-propagation: 21 lateral-movement attempts per target via PsExec, WMI, scheduled tasks and WinRM simultaneously. RaaS active since mid-2025, targeting healthcare, education and finance across four continents. A BreachForums partnership has been announced: the number of affiliates is going to grow. Defensive priorities: tamper protection enabled, ASR rules on PsExec/WMI, controlled folder access, isolated offline backups. microsoft.com/en-us/security…