Once the initial foothold is obtained, post-exploitation activities begin. This access is used to learn more about the target system and network, move around, and reach the actions on objectives. That happens by executing the following activities:

  • Discovery
  • Privilege Escalation
  • Persistence
  • Defense Evasion
  • Credential Harvesting
  • Lateral Movement

1. Discovery

  • A tactic that allows a Red Team to gain knowledge about a system and the internal network.
  • The Red Team must know what they have control of and what benefit operating from that system gives toward their objectives or goals.
    • Tip 1: Use the built-in tools for initial discovery so as not to trigger a Blue Team IoC.
    • Tip 2: Be careful with Deceptions --> an emerging category of defense that assumes the internal network or system will be compromised and places "Traps, Tokens" on the network/system.

1.1 Account Discovery

  • Understand the privilege you have and what other accounts exist in the system.

1.2 Processes and Services

  • Determine the processes and services running on the local system.

1.3 Security Software and Controls

  • List the security software, configurations, defensive tools and sensors that are installed on the system.
    • Endpoint Security: AntiVirus, Application whitelisting, Endpoint Detection and Response.
    • Logs and Log Forwarding.
    • Windows Security Settings: Firewall, Group Policy.

1.4 Network Enumeration

  • Determine the systems in the same subnet and the internal network accessible from the current system.

1.5 Active Directory Enumeration

  • Enumerate components such as: Forest, Domain, Trusts, Domain Controllers, etc.

2. Privilege Escalation

  • Allows us to elevate privileges from that of a standard user to Administrator/SYSTEM (Vertical) or from User A to User B (Horizontal).
  • Can provide a tactical advantage by allowing you to leverage some additional capabilities:
    • Dumping credentials with Mimikatz.
    • Installing sneaky persistence.
    • Manipulating host configuration (firewall).
  • Should only be sought after if it provides a means of reaching your goal.

3. Persistence

  • A method of maintaining access to a compromised machine without having to repeat the initial compromise steps (phishing or exploitation) all over again.
  • Most persistence techniques require making a configuration change or dropping a payload to disk, which is why they can carry a high risk of detection.

4. Defense Evasion

  • A tactic with multiple techniques to evade detection or avoid controls.

5. Credential Harvesting

  • A tactic used to obtain passwords that may be stored in a variety of different locations.

6. Lateral Movement

  • Attempt to gain access to other endpoints on the same network or pivot onto other network segments.