🔀 Lateral
Lateral movement → domain dominance.
Shortest path to DA with BloodHound; PtH/PtT, delegation/RBCD, coerce+relay.
Lateral steps
- [ ] Collect BloodHound data → shortest-path-to-Domain-Admins
- [ ] PtH/PtT/OverPass: netexec/impacket -H <NT-hash>
- [ ] Remote command execution via psexec / wmiexec / winrm / atexec
- [ ] Delegation (unconstrained/constrained/RBCD) exploitation
- [ ] Coercion (PetitPotam/PrinterBug) → ntlmrelayx
- [ ] Trust enum → SID history / cross-forest
Source: TJnull — PEN-200/OSCP Preparation Guide (NetSecFocus)