Lateral Movement
Lateral movement is a technique used by attackers to move throughout an internal network in order to find sensitive information and other machines that could be used to escalate privileges.
RPC/DCOM
RPC/DCOM (Remote Procedure Call/Distributed Component Object Model) was used mainly in Windows NT, 2000, XP, and 2003. RPC/DCOM provides communication between processes on different machines.
PsExec
PsExec is part of the Sysinternals toolkit; it allows administrators to run programs remotely via SMB on port 445. PsExec has historically been used extensively, and most anti-virus products will block its execution.
WMI
Windows Management Instrumentation (WMI) provides remote management and data gathering. WMI exposes a wide variety of information, such as SNMP data, Windows Defender status, and application inventory listings. WMI also allows file transfer, data gathering from files, remote execution of commands and files, and remote access to the Registry.
Scheduled Tasks
Attackers will use scheduled tasks to maintain persistence on a machine. An administrator may notice an out-of-place process and kill it, ending the attacker's access to the machine. A scheduled task that runs periodically to re-open access to the machine ensures that the attacker can get back in.
PS Remoting/WinRM
WinRM (Windows Remote Management) is a service that allows administrators to run PowerShell commands on a remote computer, which makes it a powerful tool for an attacker.
SMB
Server Message Block (SMB) is used to share files and printers on a network; on Linux the equivalent service is called Samba. Many tools are available that can use SMB to discover the operating system of a remote host.
Responder is a tool that can be used to capture credentials for SMB. Responder works by answering broadcasts on the network that ask for SMB resources, identifying itself as the SMB resource. The victim then sends its hashed credentials to the attacker.
RDP
Remote Desktop Protocol (RDP) is commonly used by administrators to remotely access hosts on the network. Exploits are rare, but when one appears it can be devastating.
Seth is a tool that can be used to perform a man-in-the-middle attack against RDP. The attacker would need to know their own IP address, their Ethernet interface, the IP address of the victim (client), and the IP address of the target RDP host (server).
Apple Remote Desktop
Apple Remote Desktop (ARD) is similar to RDP but for Apple systems. There was an exploit in macOS 10 High Sierra that included a root exploit via Screen Sharing.
VNC
Virtual Network Computing (VNC) is similar to RDP and ARD. Metasploit provides many VNC payloads, making it one of the easier means of getting a remote GUI.
X-server Forwarding
X11, or X-Windows, often simplified to X, is the graphical system used in many Linux and Unix systems. X sessions can be forwarded over an SSH tunnel to a remote computer. X sessions that are not secured can be captured and exploited.
Telnet
Telnet is an unencrypted service that provides remote shell access. Because the service is unencrypted, credentials are passed in clear text and easily stolen.
SSH
SSH (Secure Shell) provides an encrypted remote shell. SSH is vulnerable if a vulnerable version is installed or if the attacker steals the SSH keys.
RSH/Rlogin
The RSH/Rlogin service provides logins to remote servers. This is a legacy service that has been replaced by slogin and SSH. The service runs on port 513, and the command rlogin -l root IP allows one to log in as root on the remote server.
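As an added example that is not part of the original notes, the following detection logic maps constructed Windows event records and network flows onto the channels described above (PsExec service installs, scheduled tasks, network and RDP logons, and the cleartext telnet and rlogin ports). The event IDs used are real Windows IDs; every record, host name and IP address is constructed for the example.

```python
# Added example, not from the original page: map constructed Windows events
# and network flows onto the lateral movement channels listed above. Event IDs
# 7045, 4698 and 4624 (logon type 3 = network, 10 = RDP) are real; records are constructed.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "WS01", "service": "PSEXESVC"},
    {"event_id": 4698, "host": "WS01", "task": "\\Updater"},
    {"event_id": 4624, "host": "WS01", "logon_type": 3, "src_ip": "10.0.0.5"},
    {"event_id": 4624, "host": "WS01", "logon_type": 10, "src_ip": "10.0.0.5"},
    {"event_id": 4624, "host": "WS01", "logon_type": 2, "src_ip": "-"},
]
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dport": 445},
    {"src": "10.0.0.5", "dst": "10.0.0.21", "dport": 513},
    {"src": "10.0.0.5", "dst": "10.0.0.22", "dport": 23},
    {"src": "10.0.0.5", "dst": "10.0.0.22", "dport": 22},
]

# Destination ports for the channels named on this page; the cleartext ones
# are worth alerting on regardless of who is using them.
PORT_LABELS = {
    445: "SMB (PsExec / file share)",
    23: "telnet (cleartext credentials)",
    513: "rlogin (cleartext, legacy)",
}

def classify_event(ev):
    """Return the lateral-movement channel an event suggests, or None."""
    eid = ev["event_id"]
    if eid == 7045 and "psexe" in ev.get("service", "").lower():
        return "PsExec service install"
    if eid == 4698:
        return "scheduled task created"
    if eid == 4624:
        if ev.get("logon_type") == 10:
            return "RDP logon"
        if ev.get("logon_type") == 3:
            return "network logon (SMB/WMI/WinRM)"
    return None  # local/interactive logons and other events are not flagged

def classify_flow(flow):
    """Return the channel a flow's destination port maps to, or None."""
    return PORT_LABELS.get(flow["dport"])

def triage(events, flows):
    """Collect (where, what) findings for an analyst to review."""
    findings = [(ev["host"], classify_event(ev)) for ev in events]
    findings += [(fl["dst"], classify_flow(fl)) for fl in flows]
    return [f for f in findings if f[1] is not None]
```

A real deployment would feed parsed Security/System event logs and flow records in place of the constructed lists, and correlate findings by source IP and time window rather than listing them flat.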