0X6C7879/movement
skills/movement/SKILL.md
Use when performing AD lateral movement with Impacket, NetExec, Evil-WinRM, WMI, DCOM, SMB exec, PtH, PtT, RDP, or when you have credentials and need host-to-host execution.
$ install --global
skillsauthnpx skillsauth add 0X6C7879/aegissec movementInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 22, 2026, 5:54 AM119.9s8 files scanned
SKILL.md
- name:
- movement
- description:
- Use when performing AD lateral movement with Impacket, NetExec, Evil-WinRM, WMI, DCOM, SMB exec, PtH, PtT, RDP, or when you have credentials and need host-to-host execution.
Movement
Use this skill after credential acquisition when the main objective is expanding access across Windows or AD hosts.
Quick Start
- Read
references/movement.md. - Identify what credential form you have: password, NTLM hash, ticket, or cert-derived access.
- Pick the quietest execution path that proves or expands access.
- Use script helpers in
scripts/for repeatable execution wrappers:pth_spray.py- PtH spray via NetExec/CrackMapExecwmiexec_run.py- WMI remote command wrapperevil_winrm_wrap.py- Evil-WinRM + pre-check command buildersmb_exec.py- psexec/smbexec/atexec execution wrapperdcom_exec.py- DCOM execution wrapper for ShellWindows/MMC20 pathsrdp_connect.py- xfreerdp command builder with restricted-admin support
Selection Rules
- Prefer WinRM or WMI over louder service-creation paths when feasible.
- Use Impacket and NetExec for protocol-accurate validation before full execution.
- Record which credential worked on which host and protocol.
Output Discipline
For every lateral movement attempt, report:
- credential form used (password / NTLM / ticket / cert)
- target host and identity context
- execution method (WinRM / WMI / SMB exec / DCOM / RDP)
- command run or action performed
- access level gained (standard user / local admin / SYSTEM)
- next expansion target or objective
Keep validated credentials organized by host and access level.
When To Switch
Switch away from lateral movement when:
- Need local privilege escalation on newly accessed host
- Achieved domain admin or equivalent and need durable persistence
- Exhausted accessible targets and need new reconnaissance scope
Switch to:
privescfor local escalation when you need SYSTEM or higher integritypersistenceafter gaining privileged domain accessadscanwhen you need fresh enumeration with newly obtained credentials
References
references/movement.md- movement decision trees and command examples../shared/references/tool-matrix.md- fallback tools and substitutions../shared/references/output-conventions.md- credential and evidence logging
Related Skills
0X6C7879/wooyun-legacy
development
VerifiedTrustedCommunity
WooYun-derived business-logic testing methodology for web apps and APIs. Use when the request involves 支付、退款、订单、越权、认证、授权、价格篡改或业务流程绕过 review, especially black-box probing for price tampering, account takeover, and process bypass flaws.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/windows-privilege-escalation
tools
VerifiedTrustedCommunity
Escalate privileges on Windows systems using service misconfigurations, DLL hijacking, token manipulation, UAC bypasses, registry exploits, and credential dumping. Use when performing Windows post-exploitation or privilege escalation.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/tunnel
development
VerifiedTrustedCommunity
Use when performing AD pentest tunneling and pivoting, especially with Ligolo-ng, Chisel, frp, proxychains, SSH forwarding, SOCKS relays, reverse tunnels, or when internal reachability is the main blocker.
2SKILL.mdUpdated Apr 28, 2026
0X6C7879/threat-modeling
development
VerifiedTrustedCommunity
Threat model, security audit, find vulnerabilities, check security of my app, risk assessment, penetration test prep, analyze attack surface, what could an attacker exploit. Use this skill whenever a user wants holistic security analysis of a codebase, application, or project. MUST be invoked instead of analyzing security yourself — it runs a specialized 8-phase STRIDE workflow producing professional deliverables you cannot generate alone: risk assessment reports, DFD diagrams, threat inventories, attack path validation, mitigation plans, and pentest plans. Trigger on: 威胁建模, 安全评估, 渗透测试, 安全分析, 安全审计, 安全检查, 风险评估. NOT for: fixing one specific bug, adding one security feature (rate limiting, CORS), writing tests, CI/CD setup, or debugging errors.
2SKILL.mdUpdated Apr 22, 2026