{
	"id": "95c0a7e0-9d3d-4b28-bfe9-2aee4cb364cc",
	"created_at": "2026-04-06T00:13:16.219688Z",
	"updated_at": "2026-04-10T03:21:17.652944Z",
	"deleted_at": null,
	"sha1_hash": "0fc7befa9ba3f5557b4cc24a61ee28623c8e564f",
	"title": "Lateral Movement with PowerShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1099757,
	"plain_text": "Lateral Movement with PowerShell\r\nArchived: 2026-04-05 22:29:58 UTC\r\nhttps://www.slideshare.net/kieranjacobsen/lateral-movement-with-power-shell-2\r\nPage 1 of 13\r\n\r\nLateral Movement with PowerShell\r\n1.\r\n2.\r\nABOUT:ME • Kieran Jacobsen • HP Enterprise Services – Engineer/Architect • Microsoft/Automation/Security focus • Twitter: @Kjacobsen • Blog: Aperturescience.su\r\n3.\r\nOUTLINE • PowerShell as an attack platform • PowerShell malware • PowerShell Remoting & WinRM • PowerShell security, and bypassing that security • Defence\r\n4.\r\nCHALLENGE • Move from social-engineered workstation to domain controller • Where possible use only PowerShell code • Demo environment will be a “corporate like” environment\r\n5.\r\nADVANTAGES AS AN ATTACK PLATFORM • Code is very easy to develop • Windows integration • Plenty of remote execution options • Designed for automation against 1 – 10000000 devices • Limited security model • Antivirus products are no real concern/limitation • Scripts can be easily hidden from administrators • Installed by DEFAULT\r\n6.\r\nREAL WORLD POWERSHELL MALWARE • Prior to March 2014, only a few minor instances • PowerWorm: • Infects Word and Excel documents, initial infection via macro in .doc/.xls • First spotted by TrendMicro, analysis and rewrite by Matt Graeber (@Mattifestation) • PoshKoder/PoshCoder: • PowerWorm crossed with CryptoLocker • Bitcoin ransom\r\n7.\r\nMY POWERSHELL MALWARE • Single Script – SystemInformation.ps1 • Runs as a scheduled task, every 5 minutes • Script: • Collects system information and more • Connects to C2 infrastructure, downloads a task list and executes tasks • Executes each task; if successful, the task will not be rerun • Tasks can be restricted to individual computers\r\n8.\r\n9.\r\nWINDOWS POWERSHELL REMOTING AND WINRM • PowerShell Remoting is based upon WinRM, Microsoft’s WS-Management implementation • Supports execution in 3 ways: • Remote enabled commands • Remotely executed script blocks • Remote sessions • Security Model = Trusted Devices + User Credentials • WinRM is required for the Windows Server Manager • WinRM is enabled by DEFAULT on Windows 2012(R2) Server • WinRM is allowed through Windows Firewall on all network profiles!\r\n10.\r\n11.\r\nPOWERSHELL SECURITY FEATURES • Administrative rights • UAC • Code Signing • Local or Remote source using zone.identifier alternate data stream • PowerShell Execution Policy\r\n12.\r\nEXECUTION POLICY There are 6 states for the execution policy • Unrestricted: All scripts can run • Remote Signed: No unsigned scripts from the Internet can run • All Signed: No unsigned scripts can run • Restricted: No scripts are allowed to run • Undefined (Default): If no policy is defined, then default to Restricted • Bypass: Policy processor is bypassed\r\n13.\r\nBYPASSING EXECUTION POLICY • Simply ask PowerShell: powershell.exe -executionpolicy unrestricted • Switch the file's zone.identifier back to local: Unblock-File yourscript.ps1 • Read the script in and then execute it (may fail depending on script) • Encode the script and use -encodedcommand: always works!!!!! • Get/Steal a certificate, sign script, run script\r\n14.\r\n15.\r\nDEFENCE OF THE DARK ARTS • Restricted/Constrained Endpoints • Change WinRM Listener • Change Windows Firewall settings • Turn off WinRM • Application whitelisting\r\n16.\r\nWINRM, NOT JUST AN INTERNAL ISSUE By default, Microsoft Azure virtual machines expose an HTTPS listener to the Internet.\r\n17.\r\nLINKS • Twitter: @kjacobsen • Blog: http://aperturescience.su • Code on GitHub: http://j.mp/1i33Zrk • QuarksPWDump: http://j.mp/1kF30e9 • PowerSploit: http://j.mp/1gJORtF • PowerWorm Analysis: http://j.mp/RzgsHb • PowerBleed: http://j.mp/1jfyILK\r\n18.\r\nMORE LINKS • Microsoft PowerShell/Security Series: • http://j.mp/OOyftt • http://j.mp/1eDYvA4 • http://j.mp/1kF3z7T • http://j.mp/NhSC0X • http://j.mp/NhSEpy • Practical Persistence in PowerShell: http://j.mp/1mU6fQq • Bruteforcing WinRM with PowerShell: http://j.mp/1nBlwX2\r\nSource: https://www.slideshare.net/kieranjacobsen/lateral-movement-with-power-shell-2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.slideshare.net/kieranjacobsen/lateral-movement-with-power-shell-2"
	],
	"report_names": [
		"lateral-movement-with-power-shell-2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434396,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0fc7befa9ba3f5557b4cc24a61ee28623c8e564f.pdf",
		"text": "https://archive.orkl.eu/0fc7befa9ba3f5557b4cc24a61ee28623c8e564f.txt",
		"img": "https://archive.orkl.eu/0fc7befa9ba3f5557b4cc24a61ee28623c8e564f.jpg"
	}
}