Security · Topic 18 of 23 · Part III — Pentesting in depth

Post-exploitation & kill-chain synthesis

Post-exploitation is where the engagement's impact story is built — the deliverable that shows a client what an attacker could actually do to their business.

Aligned to PTES §6 (Post-Exploitation) and the kill-chain / ATT&CK framing across the engagement.
Topic 18 · Attack narrative

From foothold to impact story

By the end of this topic you can:
  • Define post-exploitation and distinguish it from initial access and privilege escalation
  • Plan post-exploitation work around engagement objectives and scope, not "what else can I do"
  • Recognise the major post-exploitation activities and the ethical limits on each
  • Map engagement actions to MITRE ATT&CK and use that mapping to communicate with blue teams
  • Synthesize an engagement into a coherent attack narrative that demonstrates impact

What post-exploitation is

The activities performed after gaining some access — cycling through awareness, harvesting, and movement until the objective is reached.

  • Situational awareness — what is this host, what can I see?
  • Credential harvesting — extract credentials and tokens
  • Lateral movement — move to other systems with those credentials
  • Privilege escalation — operationally entangled (see Topic 16)
  • Data access — find and access data that demonstrates impact
  • Persistence — re-entry within authorization
  • Defense evasion — minimize detection (mostly red-team territory)
  • Actions on objectives — whatever the simulated adversary was achieving
Cycle: awareness → harvest → movement → more awareness. Repeats until the objective is reached or time runs out.

What post-exploitation is not

Not "do everything you can": bounded by scope, ethics, and the engagement objective. Demonstrate impact minimally, not maximally.
Not destruction: no deletion, corruption, or DoS unless explicitly authorized.
Not harmful impersonation: using a compromised account to send harmful internal communications is harmful regardless of contract.
Not "I got root, done": root access is evidence of capability, not demonstration of impact. Impact must be characterized.

Situational awareness

The first work on every new foothold: build an updated model of the environment.

  • Host role — application server, database, build server, domain controller, developer workstation?
  • Network structure — subnets, segmentation, DMZ, internal/external trust boundaries
  • Other users — profiles, logged-in sessions, recent activity on this host
  • New reach — internal services, backend databases, other tiers not accessible from the previous foothold
  • Identity infrastructure — domain-joined? cloud-managed? SSH key trust to other hosts?
  • Monitoring — EDR agent present? logging configuration?

Output: an updated mental and written model of the environment, plus a prioritized list of next moves.

Credential harvesting

Every host visited may yield credentials that open other hosts. Know where they hide.

Memory & process

  • LSASS (Windows / Mimikatz); ssh-agent sockets
  • Environment variables — /proc/*/environ, PowerShell env
  • Browser processes (saved passwords)
  • Windows Credential Manager (DPAPI); macOS Keychain; gnome-keyring
  • SSH / GPG keys — often unencrypted; forwarded agents authenticate without key extraction
  • Kerberos ticket caches (KRB5CCNAME)

Files & infrastructure

  • Database connection strings, API keys, cloud credentials in config files
  • Shell history (bash_history, PowerShell history)
  • Source control — committed credentials in git history
  • Cloud metadata services (workload identity tokens)
  • CI/CD build runners — often highly privileged
Finding class: which secrets are in code/config vs. a secret manager? The gap is itself a finding.
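As an added example (not part of the course material): a small Python scanner run over constructed stand-ins for files pulled from a foothold. It applies the harvesting patterns above and classifies each hit by where the secret lives, so the "hardcoded vs. secret-manager reference" gap from the callout falls out as a count rather than a judgement call. The sample paths, values, regexes and the manager-reference prefixes are assumptions for illustration; the AWS pair is the documented example key.

```python
"""Scan artefacts harvested from a foothold for credentials and classify
where each one lives (hardcoded vs. a reference to a secret manager)."""
import re
from dataclasses import dataclass

# Constructed stand-ins for files pulled from a compromised host. Paths and
# values are illustrative; the AWS pair is the documented example key.
SAMPLE_FILES = {
    "/opt/app/config/database.yml": (
        "production:\n"
        "  adapter: postgresql\n"
        "  url: postgres://app_user:Sup3rS3cret!@db01.internal:5432/customers\n"
    ),
    "/opt/app/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "STRIPE_KEY=vault://secret/data/app/stripe#api_key\n"
    ),
    "/home/deploy/.bash_history": (
        "mysql -u root -pR00tPassw0rd -h db02.internal\n"
        "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZXBsb3kifQ.sig' "
        "https://api.internal/v1/ping\n"
    ),
}

# (kind, regex); tried in order, first match on a line wins. The secret
# value is always the last capture group.
PATTERNS = [
    ("credentials-in-url",
     re.compile(r"[a-z][a-z0-9+.-]*://([^\s:/@]+):([^\s@/]+)@")),
    ("aws-access-key-id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("password-on-command-line",
     re.compile(r"\b(?:mysql|mysqldump)\b.*?\s-p(\S+)")),
    ("bearer-token", re.compile(r"Bearer\s+([A-Za-z0-9._~+/-]+=*)")),
    ("secret-in-key-value",
     re.compile(r"\b[a-z_]*(?:password|passwd|secret|token|key)\s*[=:]\s*(\S+)",
                re.IGNORECASE)),
]

# A value that only points at a secret manager is the desired state, not a
# finding. These prefixes are assumptions for this example.
MANAGER_REFERENCE_PREFIXES = ("vault://", "arn:aws:secretsmanager:", "${")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    location_class: str  # "hardcoded" or "secret_manager_reference"


def classify(value: str) -> str:
    if value.startswith(MANAGER_REFERENCE_PREFIXES):
        return "secret_manager_reference"
    return "hardcoded"


def scan(files: dict) -> list:
    """Return one Finding per line that matches a credential pattern."""
    findings = []
    for path, content in files.items():
        for lineno, line in enumerate(content.splitlines(), start=1):
            for kind, pattern in PATTERNS:
                match = pattern.search(line)
                if match:
                    secret = match.group(match.lastindex)
                    findings.append(Finding(path, lineno, kind, classify(secret)))
                    break
    return findings


def summarize(findings: list) -> dict:
    """Count findings by location class; the gap between the two is the finding."""
    counts = {"hardcoded": 0, "secret_manager_reference": 0}
    for finding in findings:
        counts[finding.location_class] += 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line}  {f.kind:<26} {f.location_class}")
    print(summarize(results))
```

The first-match-wins ordering matters: the URL-with-credentials and bearer patterns run before the generic key/value pattern so that a `url:` or `Authorization:` line is reported once, under its most specific kind. On a real host the same loop would be pointed at the locations listed above (shell history, `/proc/*/environ`, repository history) rather than an inline dict.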

Lateral movement

Moving from one foothold to another within the environment using harvested credentials or accessible services.

Technique | Mechanism | Detection signal
Authenticated (SSH / RDP / SMB) | Harvested plaintext credentials | Normal auth log; hard to distinguish from legitimate use
Pass-the-Hash / Pass-the-Ticket | NTLM hash or Kerberos ticket; no plaintext needed | Anomalous source host / timing patterns
Kerberoasting → crack → auth | Request TGS tickets for SPN-bound service accounts; crack the password offline | Bulk TGS requests (Event ID 4769), RC4-encrypted tickets; weak service-account password
WMI / WinRM / PSExec / DCOM | Remote execution via management protocols | Protocol-specific event IDs (e.g. 7045 service install for PsExec)
NTLM relay | Capture NTLM authentication and relay it to another service | Anomalous auth source; signing not enforced on the target
Trust abuse | Domain trusts, cloud cross-account roles | Cross-domain / cross-account activity
Scope reminder: "demonstrate the path to objective X" differs from "compromise everything reachable". The former is more useful and more controlled.
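The "detection signal" column is what the blue team wants made concrete. As an added example (not part of the course material), here is the Kerberoasting signal written as Python detection logic and run over constructed Windows Security 4769 records: one non-machine account requesting service tickets for many distinct SPNs inside a short window, mostly with RC4 (encryption type 0x17). The field names, thresholds and sample values are assumptions for this example; the ATT&CK ID is the real one.

```python
"""Kerberoasting heuristic over constructed Event ID 4769 records
(Kerberos service ticket requested), tagged with the ATT&CK ID."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, reduced to the fields the heuristic needs.
# etype 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96. Values are illustrative.
EVENTS = [
    {"time": "2024-05-02T09:13:58", "account": "jdoe", "service": "krbtgt/CORP.EXAMPLE", "etype": "0x12", "ip": "10.10.8.23"},
    {"time": "2024-05-02T09:14:03", "account": "jdoe", "service": "MSSQLSvc/db02.corp.example:1433", "etype": "0x17", "ip": "10.10.8.23"},
    {"time": "2024-05-02T09:14:01", "account": "jdoe", "service": "MSSQLSvc/db01.corp.example:1433", "etype": "0x17", "ip": "10.10.8.23"},
    {"time": "2024-05-02T09:14:02", "account": "jdoe", "service": "HTTP/intranet.corp.example", "etype": "0x17", "ip": "10.10.8.23"},
    {"time": "2024-05-02T09:14:05", "account": "jdoe", "service": "exchangeMDB/mail01.corp.example", "etype": "0x17", "ip": "10.10.8.23"},
    {"time": "2024-05-02T09:14:07", "account": "jdoe", "service": "ldap/idm01.corp.example", "etype": "0x17", "ip": "10.10.8.23"},
    {"time": "2024-05-02T09:14:09", "account": "jdoe", "service": "HTTP/reports.corp.example", "etype": "0x17", "ip": "10.10.8.23"},
    {"time": "2024-05-02T08:02:11", "account": "asmith", "service": "cifs/fs01.corp.example", "etype": "0x12", "ip": "10.10.9.41"},
    {"time": "2024-05-02T09:30:40", "account": "asmith", "service": "HTTP/intranet.corp.example", "etype": "0x12", "ip": "10.10.9.41"},
    {"time": "2024-05-02T10:12:05", "account": "asmith", "service": "cifs/fs02.corp.example", "etype": "0x12", "ip": "10.10.9.41"},
    {"time": "2024-05-02T07:55:00", "account": "WS042$", "service": "cifs/fs01.corp.example", "etype": "0x12", "ip": "10.10.7.12"},
    {"time": "2024-05-02T07:55:01", "account": "WS042$", "service": "ldap/dc01.corp.example", "etype": "0x12", "ip": "10.10.7.12"},
]

KERBEROASTING = "T1558.003"  # Steal or Forge Kerberos Tickets: Kerberoasting


def find_kerberoasting(events, min_spns=5, window=timedelta(seconds=60), min_rc4_share=0.5):
    """One alert per account whose densest request window covers >= min_spns
    distinct SPNs with at least min_rc4_share of the tickets requested as RC4."""
    by_account = defaultdict(list)
    for e in events:
        # Machine accounts legitimately request many tickets; krbtgt entries
        # are TGT renewals/referrals, not service tickets worth roasting.
        if e["account"].endswith("$") or e["service"].lower().startswith("krbtgt/"):
            continue
        by_account[e["account"]].append(e)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
        times = [datetime.fromisoformat(e["time"]) for e in evs]
        best_chunk, best_spns = [], set()
        for start in range(len(evs)):
            end = start
            while end + 1 < len(evs) and times[end + 1] - times[start] <= window:
                end += 1
            chunk = evs[start:end + 1]
            spns = {e["service"] for e in chunk}
            if len(spns) > len(best_spns):
                best_chunk, best_spns = chunk, spns
        if len(best_spns) < min_spns:
            continue
        rc4_share = sum(e["etype"] == "0x17" for e in best_chunk) / len(best_chunk)
        if rc4_share >= min_rc4_share:
            alerts.append({
                "technique": KERBEROASTING,
                "account": account,
                "source_ip": best_chunk[0]["ip"],
                "first_seen": best_chunk[0]["time"],
                "last_seen": best_chunk[-1]["time"],
                "distinct_spns": len(best_spns),
                "rc4_share": round(rc4_share, 2),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_kerberoasting(EVENTS):
        print(alert)
```

Run as-is it flags `jdoe` (six SPNs in eight seconds, all RC4) and stays quiet on the ordinary user and the workstation account. The RC4 share is what separates a roast from a busy human: an attacker asking for RC4 tickets against an AES-capable domain is the signal the "weak password" cell in the table depends on.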

Persistence — when authorized

Ensuring continued access despite reboot, credential rotation, or basic remediation.

Windows

  • Registry autoruns, scheduled tasks, services
  • WMI subscriptions, COM hijacks
  • AD object modifications; forged Kerberos tickets (golden/silver) from stolen krbtgt or service-account keys; AD CS certificate-based persistence

Linux

  • systemd units, cron jobs, init scripts
  • Shell profile modifications
  • LD_PRELOAD, SUID binaries, kernel modules

Cloud & Identity

  • Additional IAM users / access keys
  • OAuth client additions, cross-account role trusts
  • Federation trust modifications, extra admin accounts
Pentest default: persistence is usually not established. It creates artefacts that must be cleaned up and may be missed. Where in scope, the mechanism, location, and cleanup plan are agreed in advance.

Data access — demonstrate, do not maximise

The impact-defining phase. Objective: show the client what is reachable, not how much can be extracted.

  • Identify target data — customer records, financials, IP, credentials, audit logs
  • Access minimally — retrieve the schema and a small representative sample; do not exfiltrate the full dataset
  • Treat what you retrieve as sensitive — encrypted storage, time-limited retention, certificate of destruction
  • Document the access path — exact query, file, or API call; the blue team needs it for detection instrumentation
  • Discuss exfiltration paths — even if not exercised, note feasible channels in the report
Classic mistake: downloading the full production customer database "to demonstrate impact" is the worst-case data outcome for the client. Show capability; do not exercise it to maximum.
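As an added example (not the course's own code): the "access minimally" rule as a Python routine against a constructed in-memory SQLite table standing in for a production customer database. It retrieves the schema, the row count and a small masked sample, refuses to sample beyond a hard cap, and records the exact statements it ran so the report and the blue team get the access path verbatim. The table layout, column names, cap and masking rule are assumptions.

```python
"""Demonstrate reach into a sensitive table without extracting it: schema,
row count, a capped and masked sample, and the exact queries for the report."""
import sqlite3
from dataclasses import dataclass, field

# Columns whose values are masked before they leave the target. Assumption.
SENSITIVE_COLUMNS = {"email", "card_number"}
HARD_SAMPLE_CAP = 10  # never pull more rows than this, whatever the caller asks


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a production customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, "
        "card_number TEXT, country TEXT)"
    )
    rows = [(i, f"user{i}@example.com", f"4111{i:012d}", "GB" if i % 3 else "DE")
            for i in range(1, 1201)]
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def mask(value) -> str:
    """Keep only the last four characters: enough to show the value is real."""
    text = str(value)
    return text if len(text) <= 4 else "*" * (len(text) - 4) + text[-4:]


@dataclass
class AccessEvidence:
    table: str
    columns: list = field(default_factory=list)
    row_count: int = 0
    sample: list = field(default_factory=list)
    queries: list = field(default_factory=list)  # exact statements, for the report


def demonstrate_access(conn: sqlite3.Connection, table: str, sample_size: int = 3) -> AccessEvidence:
    if sample_size > HARD_SAMPLE_CAP:
        raise ValueError(f"sample_size {sample_size} exceeds cap {HARD_SAMPLE_CAP}")
    if not table.isidentifier():
        raise ValueError("table name must be a plain identifier")  # it is interpolated below
    ev = AccessEvidence(table=table)

    schema_q = f"PRAGMA table_info({table})"
    ev.queries.append(schema_q)
    ev.columns = [row[1] for row in conn.execute(schema_q)]

    count_q = f"SELECT COUNT(*) FROM {table}"
    ev.queries.append(count_q)
    ev.row_count = conn.execute(count_q).fetchone()[0]

    sample_q = f"SELECT * FROM {table} ORDER BY rowid LIMIT {sample_size}"
    ev.queries.append(sample_q)
    for row in conn.execute(sample_q):
        ev.sample.append(tuple(
            mask(v) if col in SENSITIVE_COLUMNS else v
            for col, v in zip(ev.columns, row)
        ))
    return ev


if __name__ == "__main__":
    evidence = demonstrate_access(build_sample_db(), "customers")
    print(f"{evidence.table}: {evidence.row_count} rows, columns {evidence.columns}")
    for row in evidence.sample:
        print("  ", row)
    print("queries run:", *evidence.queries, sep="\n  ")
```

The three recorded statements are the evidence: "1,200 customer records with card numbers were reachable via this query" is a claim the client can verify and instrument for, while the masked sample proves the data was real without the tester ever holding a usable copy.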

Defense evasion — pentest vs. red team

Pentest scope

  • Evasion is a secondary concern — blue team is typically aware of the test
  • Report notes "this action was or was not visible to your detection capability" — a finding in itself
  • Aggressive anti-forensics rarely warranted; creates evidence-handling problems

Red team scope

  • Evasion is central — the engagement is also a test of detection capability
  • AV/EDR signature evasion; living-off-the-land technique selection
  • C2 traffic blended into normal patterns; pacing to avoid behavioural detections
  • Identity hygiene — captured accounts used in patterns consistent with normal behaviour
Both scopes: a finding paired with "this is or is not detected" is more useful than the finding alone.

MITRE ATT&CK — the synthesis vocabulary

A structured taxonomy of adversary behaviour. Fourteen top-level tactics in the Enterprise matrix (Reconnaissance and Resource Development were added in v8, October 2020; older material still says twelve), each with dozens of techniques and sub-techniques.

Layer | Meaning | Example
Tactic | The why of an action | Credential Access
Technique | The how, at category level | T1003 — OS Credential Dumping
Sub-technique | A more specific how | T1003.001 — LSASS Memory
Procedure | Real-world instance by a named actor | APT29 use of Mimikatz
Blue team benefit: take the report's ATT&CK mapping, compare it to the detection coverage matrix, and produce a concrete detection-engineering backlog.
Program benefit: track ATT&CK coverage across multiple engagements over time and measure improvement.

Cyber Kill Chain vs. ATT&CK

Kill Chain (Lockheed Martin, 2011)

  • Seven phases: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objectives
  • Useful for high-level engagement structure
  • Non-technical communication — executives understand it
  • Conceptual ancestor of ATT&CK
Limitation: too coarse for modern adversary behaviour, especially credential abuse and identity-layer attacks.

ATT&CK (MITRE, ongoing)

  • 14 tactics, hundreds of techniques and sub-techniques, plus procedures drawn from reported intrusions
  • Regularly updated from real-world incident data
  • Fine-grained enough to drive detection engineering
  • Standard vocabulary across industry and vendor tooling
In practice: ATT&CK technique-level vocabulary inside a kill-chain structural framing.

The attack narrative

The most impactful deliverable: a coherent end-to-end account of how the attacker moved through the environment.

1. Initial access — how they got in; ATT&CK tactic Initial Access
2. Foothold — identity, context, and visibility after entry
3. Escalation & movement — each step linked to the previous, with technique IDs
4. Objective — how the target was reached; what the attacker could do
5. Detection timeline — where blue did and did not see them

Each step includes: concrete evidence; the ATT&CK mapping; the control that should have prevented it; the remediation that closes the step.

The narrative is what board-level readers absorb. The finding list is what engineers act on. Both belong in the report.
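As an added example (not the course's own code), serving both the "Blue team benefit" callout above and step 5 of the narrative: the narrative steps, each tagged with an ATT&CK technique and the alert that fired (or nothing), are compared against an assumed pre-engagement coverage matrix to produce a detection timeline and a prioritised detection-engineering backlog. The steps, the invented alert names and the coverage matrix are constructed for illustration; the technique IDs and tactic list are the real ATT&CK ones.

```python
"""Turn an ATT&CK-mapped attack narrative plus the client's claimed detection
coverage into a detection timeline and a prioritised detection backlog."""
from dataclasses import dataclass
from typing import Optional

# Enterprise ATT&CK tactics in matrix order (14 since v8, October 2020).
TACTIC_ORDER = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]


@dataclass(frozen=True)
class Step:
    number: int
    action: str
    tactic: str
    technique: str               # ATT&CK (sub-)technique ID
    detected_by: Optional[str]   # alert name, or None if nothing fired


# Constructed engagement narrative: the ATT&CK IDs are real, the story is invented.
NARRATIVE = [
    Step(1, "Phishing attachment opened by finance user", "Initial Access", "T1566.001", None),
    Step(2, "Macro launches encoded PowerShell stager", "Execution", "T1059.001", "EDR: suspicious PowerShell"),
    Step(3, "LSASS memory dumped on workstation", "Credential Access", "T1003.001", None),
    Step(4, "TGS requests for 6 SPNs, cracked offline", "Credential Access", "T1558.003", None),
    Step(5, "Admin share access to file server with svc account", "Lateral Movement", "T1021.002", "SIEM: admin share from workstation"),
    Step(6, "Customer export located and sampled", "Collection", "T1005", None),
]

# Constructed coverage matrix as the client stated it before the engagement.
# Techniques absent from the dict have no claimed coverage.
CLAIMED_COVERAGE = {
    "T1566.001": "none",
    "T1059.001": "full",
    "T1003.001": "partial",
    "T1021.002": "full",
}


def detection_timeline(steps):
    """Step-by-step view of where the blue team did and did not see the attacker."""
    return [(s.number, s.technique, "detected" if s.detected_by else "missed") for s in steps]


def detection_rate(steps) -> float:
    return sum(1 for s in steps if s.detected_by) / len(steps)


def build_backlog(steps, coverage):
    """Undetected steps, ordered: claimed-but-missed first (false confidence),
    then uncovered techniques, keeping narrative order within each group."""
    backlog = []
    for s in steps:
        if s.detected_by:
            continue
        claimed = coverage.get(s.technique, "none")
        if claimed == "none":
            priority, action = 2, "build detection"
        else:
            priority, action = 1, f"validate and tune ({claimed} coverage claimed, not observed)"
        backlog.append({
            "priority": priority,
            "step": s.number,
            "tactic": s.tactic,
            "technique": s.technique,
            "claimed_coverage": claimed,
            "action": action,
        })
    backlog.sort(key=lambda b: (b["priority"], b["step"]))
    return backlog


def tactics_touched(steps):
    """Tactics seen in the narrative, in ATT&CK matrix order, for the coverage view."""
    seen = {s.tactic for s in steps}
    return [t for t in TACTIC_ORDER if t in seen]


if __name__ == "__main__":
    for number, technique, outcome in detection_timeline(NARRATIVE):
        print(f"step {number}: {technique} {outcome}")
    print(f"detection rate: {detection_rate(NARRATIVE):.0%}")
    for item in build_backlog(NARRATIVE, CLAIMED_COVERAGE):
        print(item)
```

The ordering rule is deliberate: a technique the client believed was covered but did not fire (here, LSASS dumping with "partial" coverage) goes to the top of the backlog, because it represents false confidence rather than a known gap. Feeding the same structure from successive engagements gives the program-level trend the callout mentions.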

Cleanup

Post-exploitation ends with a clean closure — no artefacts left, no data retained beyond its purpose.

  • Remove all artefacts created — test accounts, scheduled tasks, files dropped, persistence implants
  • Artefact inventory — a written list shared with the client of everything created, even if all items were removed; client must know in case something was missed
  • Secure handling of exfiltrated data — encrypted storage, planned destruction, certificate of destruction issued to client
  • Cleanup of captured credentials — hash dumps, tickets, decrypted password lists handled per the data-handling agreement
Professional standard: a clean engagement closes with no surprises. A missed persistence artefact discovered six months later erodes trust faster than any finding impresses.

Check — impact vs. privilege label

Reflection

A pentest report concludes: "We achieved Domain Admin. Engagement objective met." What is missing, and why does it matter?

Answer

Domain Admin is a privilege label, not an impact statement. The additional work: identify what data or systems that privilege actually grants reach to in this environment; demonstrate that reach minimally; quantify (volume of data, number of systems, sensitivity); translate to business meaning. The finding becomes: "Domain Admin compromise enables access to N customer records and the production environment" — a claim the client can act on.

What you take home

  • Post-exploitation is objective-driven, not capability-exhausting — scope and ethics bound every action
  • The activity cycle (awareness → harvest → movement) repeats non-linearly until the objective is reached
  • Credentials hide everywhere: memory, config files, environment variables, CI/CD runners, git history, cloud metadata
  • ATT&CK technique IDs turn findings into actionable detection-engineering work for the blue team
  • The attack narrative — end-to-end, with ATT&CK overlay and detection timeline — is the highest-value report artefact
  • Cleanup is not optional: every artefact inventoried, removed, and confirmed in writing to the client
  • Demonstrate data access minimally — show capability without exercising it to maximum

Next: Topic 19 — Evidence & traceability. How to capture findings as defensible, reproducible evidence throughout the engagement.

END · TOPIC 18

Impact, not root.

Before next session: browse three MITRE ATT&CK technique pages for techniques covered today. Note one detection and one mitigation for each.