- Goal: Test what an attacker can do within the entire internal network - Pivoting - Entry point becomes a proxy for our attacking machine - Making sure that non-routable networks can be reached, i.e., attacking machine - Allows us to penetrate deeper into the network - Protections against lateral movement: segmentation, threat monitoring, IPS/IDS, EDR - Exploitation - Interpect NTLMv2 hashes with `Responder` and use a pass-the-=hash technique to login as admin