Access remote systems via RDP, WinRM, or SSH. Interactive sessions for lateral movement. More powerful than PSExec.
Lateral Movement via RDP, WinRM, SSH
Requires: Valid credentials • Difficulty: Low • Impact: High
Remote Services are legitimate Windows services that allow administrators to manage systems remotely. Attackers abuse these services for lateral movement and persistence in Active Directory environments. Common remote services include RDP (Remote Desktop Protocol), WinRM (Windows Remote Management), SSH, and VNC.
Attackers use compromised credentials (from Pass-the-Hash, Kerberoasting, etc.) to access remote services on target systems. Once connected, they can execute commands, install persistence mechanisms, and pivot to additional systems. Remote services provide interactive access—more powerful than PSExec or WMI for complex operations.
Why It's Effective: Remote services are essential for IT operations, so they're often enabled and accessible. Many organizations allow RDP/WinRM between systems for management. Attackers can use legitimate tools (mstsc.exe, PowerShell) to establish sessions, making detection more difficult than custom malware.
Remote Services techniques should only be used in authorized penetration testing, red team engagements, or controlled lab environments. Unauthorized access to computer systems is illegal under CFAA and equivalent laws worldwide. Always obtain written permission before testing.
Ports: RDP (3389), WinRM (5985/5986), SSH (22)
Remote services provide interactive access to target systems. RDP gives a graphical desktop, WinRM provides PowerShell remoting, and SSH offers command-line access. All require valid credentials but provide more control than PSExec or WMI.
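Because these sessions use valid credentials and legitimate tools, detection has to key on behaviour rather than on binaries. The following is an added example, not part of the original module: it flags an account that opens RDP, WinRM or SSH sessions from one source to several distinct hosts within a short window. The record format, addresses, account names, jump-host allowlist and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Ports named on this page: RDP 3389, WinRM 5985/5986, SSH 22.
REMOTE_PORTS = {3389: "RDP", 5985: "WinRM", 5986: "WinRM", 22: "SSH"}

# Constructed sample records: timestamp, source, destination, dest port, account.
SAMPLE = """\
2024-05-01T09:00:05 10.0.5.10 10.0.1.20 3389 CORP\\helpdesk
2024-05-01T09:02:11 10.0.7.44 10.0.7.51 5985 CORP\\admin
2024-05-01T09:03:40 10.0.7.44 10.0.7.52 5985 CORP\\admin
2024-05-01T09:04:02 10.0.7.44 10.0.2.15 3389 CORP\\admin
2024-05-01T09:04:30 10.0.7.44 10.0.2.15 443 CORP\\admin
2024-05-01T09:06:19 10.0.7.44 10.0.3.9 22 CORP\\admin
2024-05-01T13:30:00 10.0.8.12 10.0.1.20 3389 CORP\\jsmith
2024-05-01T16:45:00 10.0.8.12 10.0.1.21 3389 CORP\\jsmith
"""

def parse(text):
    for line in text.splitlines():
        ts, src, dst, port, account = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port), account

def find_fanout(text, jump_hosts=frozenset({"10.0.5.10"}),
                window=timedelta(minutes=10), threshold=3):
    """Flag (account, source) pairs reaching >= threshold distinct hosts within window."""
    events = defaultdict(list)
    for ts, src, dst, port, account in parse(text):
        if port in REMOTE_PORTS and src not in jump_hosts:
            events[(account, src)].append((ts, dst, REMOTE_PORTS[port]))
    alerts = []
    for (account, src), rows in events.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans <= `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            targets = {dst for _, dst, _ in span}
            if len(targets) >= threshold:
                alerts.append({"account": account, "source": src,
                               "targets": sorted(targets),
                               "services": sorted({s for _, _, s in span})})
                break  # one alert per (account, source)
    return alerts

if __name__ == "__main__":
    for alert in find_fanout(SAMPLE):
        print(alert)
```

On the sample data only the CORP\admin sessions from 10.0.7.44 are flagged; the allowlisted jump host and the two sessions spread over an afternoon are not.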