Post-Exploitation Methodology

Post-exploitation begins once you have gained initial access to a system. This critical phase determines whether a foothold becomes full compromise or gets detected and contained.

Post-Exploitation Goals

After initial access, attackers pursue several objectives: Maintain Access (persistence), Understand Environment (situational awareness), Escalate Privileges (higher access), Move Laterally (additional systems), Achieve Mission (data, impact), Cover Tracks (anti-forensics).

Methodology Phases

1. Stabilization

Ensure stable access: upgrade shells (TTY upgrade), establish reliable C2, create backup access, assess detection risk.

2. Situational Awareness

Understand where you are: current user/privileges, system information, network position, installed software, running processes, connected users.

3. Credential Harvesting

Credentials unlock further access. Sources include memory (Mimikatz), files (config, scripts), browsers (saved passwords), password managers, SSH keys.

4. Persistence

Ensure access survives detection/reboot: scheduled tasks/cron, registry run keys, service installation, backdoor accounts, implant deployment.

5. Privilege Escalation

Move from user to admin/root: misconfigured services, vulnerable software, credential reuse, token manipulation, kernel exploits.

6. Lateral Movement

Expand to additional systems: Pass-the-Hash, remote services (WinRM, SSH), shared credentials, exploiting trust relationships, pivoting through networks.

Operational Security

Avoid detection throughout: timing during business hours, tool selection (living off the land), traffic patterns, log generation, forensic artifacts.

Post-exploitation success requires methodical execution and careful planning.