Our preferred method of lateral spread is WMI, exposed through PowerShell’s Invoke-WmiMethod.
This module will let you install Empire agents on additional domain machines. From an agent menu, type usemodule lateral_movement/invoke_wmi. Set a listener name you want the new target to stage to with set Listener NAME. The listener names should be tab-completable. Pivot listeners can function here as well.
The the target with set ComputerName TARGET. You can do a comma-separated list of multiple targets. An optional [domain]username and password can be specified if desired, otherwise the current user’s privileges are used.
execute will task the agent to execute the stage on the target. This will execute the small launcher through WMI, and Empire will handle the staging protocol in the background. You should shortly get a notice of a new agent checking in.
This module will set the debugger for a specified TargetBinary (sethc.exe, Utilman.exe, osk.exe, Narrator.exe, or Magnify.exe) to be a binary of your choice (i.e. cmd.exe) or a stager. This is similar to the the persistence/debugger/ modules, but with remote execution instead of local execution.
If you set a listener value, a stager will be used for the debugger (stored into RegPath), otherwise the specified Binary will be used. An optional username/password for the remote machine can be specified. Cleanup will function similarly to the persistence modules, removing any stored script and resetting the debugger.