Post-Exploitation
Post-exploitation covers privilege escalation, lateral movement, persistence mechanisms, and techniques to achieve domain dominance in Active Directory environments.
Post-Exploitation Topics
Windows Privilege Escalation
Local privilege escalation on Windows systems including token manipulation, service abuse, and kernel exploits.
Linux Privilege Escalation
SUID exploitation, sudo abuse, capabilities, cron jobs, and kernel exploits for gaining root access.
Persistence Techniques
Maintaining access through registry, services, scheduled tasks, WMI events, and Active Directory mechanisms.
Domain Dominance
DCSync, Golden Tickets, Silver Tickets, and Kerberos attacks for complete Active Directory compromise.
Data Exfiltration
Data discovery, covert channels, DNS/ICMP exfiltration, and demonstrating the business impact of compromise.
Cleanup & Covering Tracks
Removing artifacts, restoring systems, and ensuring a clean handoff to the client after engagement completion.
Lateral Movement Overview
Once you have credentials or elevated privileges, lateral movement allows you to pivot through the network toward high-value targets.
| Technique | Requirements | Tool | Detection Risk |
|---|---|---|---|
| Pass-the-Hash | NTLM Hash | Mimikatz, CrackMapExec | Medium |
| Pass-the-Ticket | Kerberos Ticket | Rubeus, Mimikatz | Low |
| Overpass-the-Hash | NTLM Hash | Rubeus, Mimikatz | Low |
| PsExec | Admin Creds + SMB | Impacket, Sysinternals | High |
| WMI/WinRM | Admin Creds | CrackMapExec, Evil-WinRM | Medium |
| RDP | Valid Creds + RDP Access | xfreerdp, rdesktop | Medium |