Post-Exploitation

Category: General / Post-Exploitation
MITRE ATT&CK: Multiple — Collection, Exfiltration, Persistence, Defense Evasion
Related: Command And Control, Lateral Movement, Active Directory Attacks, Privilege Escalation Windows, Privilege Escalation Linux

Overview

Post-exploitation encompasses all actions taken after initial access is established: situational awareness, persistence, credential harvesting, data collection, lateral movement staging, and exfiltration. The goal is to achieve and maintain the engagement objectives while minimizing detection.

How It Works

Situational Awareness (Internal Recon)

# Chain with ';' from PowerShell or a POSIX shell (cmd.exe uses '&' instead).
# Who/where am I? (Windows)
whoami /all; hostname; ipconfig /all; route print
# What's running? (tasklist/netstat: Windows; ps: Linux)
tasklist /svc; ps aux; netstat -ano
# What's on the network? (Windows; the SRV lookup returns the domain controllers)
arp -a; net view; nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.local
# AD context? (run from a domain-joined Windows host)
net user /domain; net group "Domain Admins" /domain; nltest /domain_trusts

Persistence

Technique               Platform   MITRE
----------------------  ---------  ---------
Registry Run keys       Windows    T1547.001
Scheduled tasks         Windows    T1053.005
Service installation    Windows    T1543.003
Startup folder          Windows    T1547.001
WMI event subscription  Windows    T1546.003
Cron jobs               Linux      T1053.003
SSH authorized_keys     Linux      T1098.004
Systemd service         Linux      T1543.002
Browser extensions      Both       T1176
DLL hijacking           Windows    T1574.001
Golden/Silver Ticket    AD         T1558
Account creation        Both       T1136
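Scheduled tasks are the persistence mechanism in the table that leaves the most structured artifact: `schtasks /query /xml` exports every task as XML, so both the operator checking their own footprint and the responder hunting it can triage them offline. The following is an added example, not code from the original page: it parses the real Task Scheduler XML namespace and element names and flags logon/boot triggers, hidden tasks, elevated run level, actions from user-writable paths, LOLBin launchers and encoded PowerShell. The three task definitions are constructed samples (task names, paths and the base64 payload are invented); the allow-list of LOLBins and user-writable directories is an assumption to tune per environment.

```python
"""Triage exported Windows Scheduled Task definitions for persistence indicators.

Added example (not from the original page). Parses the Task Scheduler XML format
(the XML `schtasks /query /xml` returns) and flags traits that make a task worth
a closer look. The sample tasks below are constructed; only the XML namespace
and element names are real.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a standard user can write to: a payload living here was dropped
# without admin rights and is not under installer control (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")
# Signed Microsoft binaries commonly abused as launchers (assumed list).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "certutil.exe", "msiexec.exe"}
PERSIST_TRIGGERS = {"LogonTrigger", "BootTrigger", "RegistrationTrigger"}
# -e / -ec / -enc / -EncodedCommand as a standalone PowerShell switch.
ENCODED_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n\w*)?(?=\s|$)")


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag ('{ns}Name' -> 'Name')."""
    return tag.split("}", 1)[-1]


def _text(root, path: str) -> str:
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def triage_task(xml_text: str) -> dict:
    """Return command, arguments, trigger types and a list of findings for one task."""
    root = ET.fromstring(xml_text)
    findings = []

    triggers_el = root.find("t:Triggers", NS)
    triggers = [_local(t.tag) for t in triggers_el] if triggers_el is not None else []
    persistent = sorted(PERSIST_TRIGGERS.intersection(triggers))
    if persistent:
        findings.append("fires on " + ", ".join(persistent))
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        findings.append("runs with RunLevel HighestAvailable")
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        findings.append("task is hidden")

    command = _text(root, "t:Actions/t:Exec/t:Command")
    arguments = _text(root, "t:Actions/t:Exec/t:Arguments")
    binary = command.lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if any(m in (command + " " + arguments).lower() for m in USER_WRITABLE):
        findings.append("command or arguments reference a user-writable path")
    if binary in LOLBINS:
        findings.append("LOLBin launcher: " + binary)
    if binary in ("powershell.exe", "pwsh.exe") and ENCODED_SWITCH.search(arguments):
        findings.append("encoded PowerShell command line")

    return {"command": command, "arguments": arguments,
            "triggers": triggers, "findings": findings}


def triage_all(tasks: dict) -> dict:
    """Triage a {name: xml} mapping; returns {name: triage_task(xml)}."""
    return {name: triage_task(xml) for name, xml in tasks.items()}


# Constructed samples: one legitimate-looking backup job and two persistence tasks.
SAMPLE_TASKS = {
    "nightly-backup": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Contoso\Backup\backup.exe</Command><Arguments>--nightly</Arguments>
  </Exec></Actions>
</Task>""",
    "onedrive-sync": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-nop -w hidden -enc QQBCAEMA</Arguments>
  </Exec></Actions>
</Task>""",
    "updater-helper": r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger/></Triggers>
  <Actions Context="Author"><Exec>
    <Command>rundll32.exe</Command><Arguments>C:\ProgramData\Update\helper.dll,Start</Arguments>
  </Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for name, result in triage_all(SAMPLE_TASKS).items():
        verdict = "; ".join(result["findings"]) or "nothing notable"
        print(f"{name:16} {result['command']!r}: {verdict}")
```

Feed it the output of `schtasks /query /xml ONE` per task (or the files under `C:\Windows\System32\Tasks`, which are the same XML without the declaration) and sort by number of findings; a task with a logon trigger, a hidden flag and an encoded command line is almost never a product install, while a single finding such as HighestAvailable on a vendor updater is routine noise.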

Credential Harvesting

  • LSASS dump (Mimikatz, ProcDump, comsvcs.dll MiniDump)
  • SAM / SYSTEM / SECURITY registry hives
  • DPAPI secrets (browser passwords, WiFi keys, RDP credentials)
  • NTDS.dit (via DCSync or VSS shadow copy)
  • Credential Manager (cmdkey /list, vaultcmd /list)
  • Browser credential stores
  • Password files, config files, scripts

Data Collection

  • Target: IP lists, user databases, financial records, source code, PII, credentials.
  • Compress and encrypt before exfil to avoid content-based DLP.
  • Identify data stores: shares, databases, SharePoint, email.

Exfiltration

  • HTTPS to external C2 (blends with normal traffic)
  • DNS tunneling (for restrictive egress)
  • Cloud storage (OneDrive, Dropbox, S3): often allow-listed in egress policy because the business uses the same services
  • Email (SMTP, web mail) — if not monitored
  • Physical media (USB) when you have physical access to the host
  • Chunked, slow exfil to stay under DLP size thresholds

Defense Evasion

  • Clear event logs: wevtutil cl Security. Clearing the Security log itself writes Event 1102 (audit log cleared), which most SOCs alert on, so this draws attention rather than hiding activity
  • LOLBins for execution to avoid dropping new binaries
  • Process injection: inject into legitimate processes (explorer, svchost)
  • Timestomping: modify file timestamps to match surrounding files
  • Disable AV/EDR: risky and loud; prefer evasion over disabling

Detection & Evasion Notes

  • LSASS access: Security 4656/4663 (only if object-access auditing is on and lsass.exe carries a SACL) + Sysmon Event 10 (ProcessAccess). MiniDump via comsvcs.dll sidesteps many static signatures aimed at Mimikatz/ProcDump, but rundll32 still opens a read handle to LSASS, so Sysmon 10 fires just the same.
  • WMI persistence: Sysmon Event 19 (filter), 20 (consumer), 21 (filter-to-consumer binding).
  • Scheduled tasks: Security Event 4698 (creation), 4702 (modification).
  • Prefer in-memory techniques; avoid disk writes where possible.
  • Use encrypted channels for all C2 comms.
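The event IDs in the notes above are only useful once they are turned into rules with the obvious exclusions (security products touching LSASS) and correlations (a WMI filter, consumer and binding on the same host). The block below is an added example, not code from the original page: it runs those detections over a handful of constructed records shaped like flattened Sysmon and Security events. The event IDs and field names (TargetImage, GrantedAccess, TaskName, SubjectUserName, the Sysmon 20 Type/Destination pair) are the real ones; the hosts, users, paths and the LSASS allow-list are assumptions.

```python
"""Run post-exploitation detections over constructed Windows/Sysmon events.

Added example (not from the original page). Rules: Sysmon 10 for LSASS handle
access, Sysmon 19/20/21 for WMI event-subscription persistence, Security
4698/4702 for scheduled tasks, Security 1102 plus a `wevtutil cl` command line
for log clearing. SAMPLE_EVENTS is constructed data, not captured telemetry.
"""
from collections import defaultdict

PROCESS_VM_READ = 0x0010  # the access right every LSASS memory dump needs

# Processes that legitimately open LSASS with read access on most estates.
# Assumed list: tune per environment, an AV/EDR engine missing here is noisy.
LSASS_ALLOWED_SOURCES = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lsass_access(ev):
    """Sysmon 10: a non-allow-listed process opened lsass.exe with VM_READ."""
    if ev["Channel"] != "Sysmon" or ev["EventID"] != 10:
        return None
    if _base(ev["TargetImage"]) != "lsass.exe":
        return None
    if _base(ev["SourceImage"]) in LSASS_ALLOWED_SOURCES:
        return None
    if (int(ev["GrantedAccess"], 16) & PROCESS_VM_READ) == 0:
        return None
    return ("high", "lsass-handle-vm-read",
            f'{ev["SourceImage"]} -> lsass.exe ({ev["GrantedAccess"]})')


def wmi_persistence(host_events):
    """Sysmon 19 + 20 + 21 on one host: filter, consumer and binding were all created."""
    ids = {ev["EventID"] for ev in host_events if ev["Channel"] == "Sysmon"}
    if not {19, 20, 21} <= ids:
        return None
    consumers = [ev for ev in host_events if ev["Channel"] == "Sysmon" and ev["EventID"] == 20]
    detail = "; ".join(f'{ev.get("Type", "?")}: {ev.get("Destination", "")}' for ev in consumers)
    return ("high", "wmi-event-subscription", detail)


def scheduled_task(ev):
    """Security 4698/4702: a task was created or changed; always worth a look."""
    if ev["Channel"] != "Security" or ev["EventID"] not in (4698, 4702):
        return None
    what = "created" if ev["EventID"] == 4698 else "updated"
    return ("medium", "scheduled-task-" + what, f'{ev["TaskName"]} by {ev["SubjectUserName"]}')


def log_cleared(ev):
    """Security 1102 (audit log cleared) or the wevtutil command line that causes it."""
    if ev["Channel"] == "Security" and ev["EventID"] == 1102:
        return ("high", "security-log-cleared", f'by {ev["SubjectUserName"]}')
    if ev["Channel"] == "Sysmon" and ev["EventID"] == 1:
        cl = f' {ev.get("CommandLine", "").lower()} '
        if "wevtutil" in cl and (" cl " in cl or " clear-log " in cl):
            return ("high", "wevtutil-clear-log", ev["CommandLine"])
    return None


def detect(events):
    """Apply per-event rules, then the per-host WMI correlation; return alert dicts."""
    alerts = []
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["Computer"]].append(ev)
        for rule in (lsass_access, scheduled_task, log_cleared):
            hit = rule(ev)
            if hit:
                alerts.append({"host": ev["Computer"], "severity": hit[0],
                               "rule": hit[1], "detail": hit[2]})
    for host, evs in by_host.items():
        hit = wmi_persistence(evs)
        if hit:
            alerts.append({"host": host, "severity": hit[0], "rule": hit[1], "detail": hit[2]})
    return alerts


# Constructed events (hosts, users and paths invented), in arrival order.
SAMPLE_EVENTS = [
    # Defender scanning LSASS: allow-listed, must not alert.
    {"Computer": "WS01", "Channel": "Sysmon", "EventID": 10,
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    # rundll32 comsvcs.dll MiniDump still needs a VM_READ handle to LSASS.
    {"Computer": "WS01", "Channel": "Sysmon", "EventID": 10,
     "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff"},
    # WMI subscription persistence: filter (19), consumer (20), binding (21).
    {"Computer": "WS01", "Channel": "Sysmon", "EventID": 19, "Name": "Updater",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60"},
    {"Computer": "WS01", "Channel": "Sysmon", "EventID": 20, "Name": "Updater",
     "Type": "Command Line", "Destination": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"Computer": "WS01", "Channel": "Sysmon", "EventID": 21,
     "Consumer": 'CommandLineEventConsumer.Name="Updater"', "Filter": '__EventFilter.Name="Updater"'},
    # Scheduled task created by an ordinary user.
    {"Computer": "WS01", "Channel": "Security", "EventID": 4698,
     "SubjectUserName": "jdoe", "TaskName": r"\Microsoft\Windows\OneDriveSync"},
    # Log clearing: the command line and the 1102 it produces.
    {"Computer": "WS01", "Channel": "Sysmon", "EventID": 1,
     "Image": r"C:\Windows\System32\wevtutil.exe", "CommandLine": "wevtutil cl Security"},
    {"Computer": "WS01", "Channel": "Security", "EventID": 1102, "SubjectUserName": "jdoe"},
    # A clean host: one benign process creation, no alerts expected.
    {"Computer": "WS02", "Channel": "Sysmon", "EventID": 1,
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["host"]} [{a["severity"]}] {a["rule"]}: {a["detail"]}')
```

Two design points matter in practice: the LSASS rule keys on the access mask rather than the source image name, so a renamed ProcDump or a rundll32 MiniDump is caught the same way, and the WMI rule is a per-host correlation rather than three independent alerts, because a lone Sysmon 19 from SCCM or a monitoring agent is routine while the filter-consumer-binding triple almost never is.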

Tools

  • Mimikatz / Pypykatz — credential extraction
  • SharpHound — AD collection for BloodHound
  • Seatbelt — host recon
  • SharpDPAPI — DPAPI credential decryption
  • ProcDump / comsvcs.dll — LSASS dump
  • Covenant / Sliver / Cobalt Strike — post-ex frameworks with built-in modules
  • Donut / Sharperner — in-memory payload execution

References

  • MITRE ATT&CK — Post-Compromise Tactics
  • “The Art of Post-Exploitation” — various sources
  • Red Team Notes — ired.team