Last reviewed

Post-Exploitation

Post-exploitation covers privilege escalation, lateral movement, persistence mechanisms, and techniques to achieve domain dominance in Active Directory environments.

Warning

Post-exploitation requires careful documentation and coordination with the client. Track all credentials harvested, persistence installed, and systems accessed.

Post-Exploitation Topics

Windows Privilege Escalation

🪟

Local privilege escalation on Windows systems including token manipulation, service abuse, and kernel exploits.

WinPEAS PowerUp Potato Attacks

Linux Privilege Escalation

🐧

SUID exploitation, sudo abuse, capabilities, cron jobs, and kernel exploits for gaining root access.

LinPEAS GTFOBins Kernel Exploits

Persistence Techniques

🔄

Maintaining access through registry, services, scheduled tasks, WMI events, and Active Directory mechanisms.

Registry WMI Scheduled Tasks

Domain Dominance

👑

DCSync, Golden Tickets, Silver Tickets, and Kerberos attacks for complete Active Directory compromise.

Mimikatz Rubeus Impacket

Data Exfiltration

📤

Data discovery, covert channels, DNS/ICMP exfiltration, and demonstrating business impact of compromise.

DNS Tunneling Steganography Cloud Upload

Cleanup & Covering Tracks

🧹

Removing artifacts, restoring systems, and ensuring clean handoff to the client after engagement completion.

Artifact Removal Documentation Client Handoff

DLL Hijacking

🔗

DLL search order hijacking, sideloading, proxying, and phantom DLL loading for privilege escalation and persistence.

Sideloading Proxying COM Hijack

Credential Harvesting

🎣

DPAPI abuse, browser credential extraction, Credential Manager, KeePass exploitation, and application-specific secrets.

DPAPI Browser Creds KeePass

Lateral Movement Overview

Once you have credentials or elevated privileges, lateral movement allows you to pivot through the network toward high-value targets.

Technique Requirements Tool Detection
Pass-the-Hash NTLM Hash Mimikatz, nxc Medium
Pass-the-Ticket Kerberos Ticket Rubeus, Mimikatz Low
Overpass-the-Hash NTLM Hash Rubeus, Mimikatz Low
PsExec Admin Creds + SMB Impacket, Sysinternals High
WMI/WinRM Admin Creds nxc, Evil-WinRM Medium
RDP Valid Creds + RDP Access xfreerdp, rdesktop Medium

📚 Recommended Reading

📕

Operator Handbook

Joshua Picolet

Command reference for post-exploitation — persistence, lateral movement, credential harvesting, and data exfiltration.

 Adversarial Tradecraft in Cybersecurity

Adversarial Tradecraft in Cybersecurity

Dan Borges (2021)

Offense and defense tradecraft — persistence, lateral movement, C2 comms, and how defenders detect each technique.

Related Topics

Exploitation

Initial access techniques

Reporting

Document your findings

Kerberos Attacks

Deep dive on Kerberos

BloodHound

Attack path discovery

As an Amazon Associate I earn from qualifying purchases.

Related Tools

Use the interactive toolset as a nearby operator companion while working through this guide.

Interactive Tool

Nmap Builder

Generate internal discovery and service-enumeration scans that map cleanly to the scanning and enumeration phases.
Interactive Tool

Reverse Shell Generator

Keep payload generation close to the exploitation workflow when you need a fast fallback shell during lateral movement.
Interactive Tool

Port Reference

Cross-check exposed services and odd internal ports while triaging hosts, shares, and management interfaces.
Interactive Tool

Findings Library

Translate credential, AD, relay, and privilege-escalation chains into report-ready language for internal engagements.