Post-Exploitation

Post-exploitation covers privilege escalation, lateral movement, persistence mechanisms, and techniques to achieve domain dominance in Active Directory environments.

Warning

Post-exploitation requires careful documentation and coordination with the client. Track all credentials harvested, persistence installed, and systems accessed.

Post-Exploitation Topics

Windows Privilege Escalation

๐ŸชŸ

Local privilege escalation on Windows systems including token manipulation, service abuse, and kernel exploits.

WinPEAS PowerUp Potato Attacks

Linux Privilege Escalation

๐Ÿง

SUID exploitation, sudo abuse, capabilities, cron jobs, and kernel exploits for gaining root access.

LinPEAS GTFOBins Kernel Exploits

Persistence Techniques

๐Ÿ”„

Maintaining access through registry, services, scheduled tasks, WMI events, and Active Directory mechanisms.

Registry WMI Scheduled Tasks

Domain Dominance

๐Ÿ‘‘

DCSync, Golden Tickets, Silver Tickets, and Kerberos attacks for complete Active Directory compromise.

Mimikatz Rubeus Impacket

Data Exfiltration

๐Ÿ“ค

Data discovery, covert channels, DNS/ICMP exfiltration, and demonstrating business impact of compromise.

DNS Tunneling Steganography Cloud Upload

Cleanup & Covering Tracks

๐Ÿงน

Removing artifacts, restoring systems, and ensuring clean handoff to the client after engagement completion.

Artifact Removal Documentation Client Handoff

DLL Hijacking

๐Ÿ”—

DLL search order hijacking, sideloading, proxying, and phantom DLL loading for privilege escalation and persistence.

Sideloading Proxying COM Hijack

Credential Harvesting

๐ŸŽฃ

DPAPI abuse, browser credential extraction, Credential Manager, KeePass exploitation, and application-specific secrets.

DPAPI Browser Creds KeePass

Lateral Movement Overview

Once you have credentials or elevated privileges, lateral movement allows you to pivot through the network toward high-value targets.

Technique Requirements Tool Detection
Pass-the-Hash NTLM Hash Mimikatz, nxc Medium
Pass-the-Ticket Kerberos Ticket Rubeus, Mimikatz Low
Overpass-the-Hash NTLM Hash Rubeus, Mimikatz Low
PsExec Admin Creds + SMB Impacket, Sysinternals High
WMI/WinRM Admin Creds nxc, Evil-WinRM Medium
RDP Valid Creds + RDP Access xfreerdp, rdesktop Medium

๐Ÿ“š Recommended Reading

๐Ÿ“•

Operator Handbook

Joshua Picolet

Command reference for post-exploitation โ€” persistence, lateral movement, credential harvesting, and data exfiltration.

 Adversarial Tradecraft in Cybersecurity

Adversarial Tradecraft in Cybersecurity

Dan Borges (2021)

Offense and defense tradecraft โ€” persistence, lateral movement, C2 comms, and how defenders detect each technique.

Related Topics

Exploitation

Initial access techniques

Reporting

Document your findings

Kerberos Attacks

Deep dive on Kerberos

BloodHound

Attack path discovery

As an Amazon Associate I earn from qualifying purchases.