Post-Exploitation Priorities: You Have a Shell... Now What?

Level: Advanced

The "Oh S**t" Moment

The payload executed. The C2 server chimed. You see it: [*] Beacon of 'Administrator' on 'WORKSTATION-01' checked in.

The adrenaline spike is real. But this is the most dangerous moment of the engagement. The amateur red teamer immediately types whoami, ipconfig, net user /domain, and mimikatz.

And the EDR (Endpoint Detection & Response) immediately eats them alive.

Post-Exploitation is an art of patience. The noisiest thing you can do is start running random commands the second you land.

Priority 1: Situational Awareness (The "Look Around")

Before you move, you need to know where you are. But you can't just run tasklist.

Living off the Land (LotL) means using what is already there.

  • Don't run: net group "Domain Admins" /domain (This is flagged by every SIEM on earth).
  • Do run: LDAP queries using valid .NET assemblies or ADSI.

Check the environment variables. Check the EDR presence.

# Quietly check for EDR processes (simplified)
fltCbQueryNames | findstr /i "cb.exe cyb.exe s1.exe"

(Note: Real tradecraft uses syscalls or API calls to list processes without forking cmd.exe, but you get the idea).

Key Questions:

  1. Is there a user active right now? (Check idle time).
  2. Is this a laptop (VPN) or a server (Data Center)?
  3. What security tools are hooking my process?

Priority 2: Stabilization (Persistence)

Your initial shell is fragile. The user might reboot. The network might glitch. You need a lifeline.

But Persistence is Noise. Writing to the Registry (Run keys) or creating a Scheduled Task is risky.

Low-Noise Persistence:

  • DLL Hijacking: Find an application that tries to load a missing DLL. Place your beacon there. When the app runs, you run.
  • COM Hijacking: Abuse Userland COM objects.
  • Stay in Memory: If it's a server with 300 days uptime, maybe you don't need disk persistence. Just migrate to a stable process (like spoolsv.exe or explorer.exe - wait, don't use explorer.exe, it crashes too much).

Priority 3: Credential Material (The Loot)

We want to move laterally. We need tickets or hashes.

The "Mimikatz" Trap: Running sekurlsa::logonpasswords involves reading LSASS memory. EDRs guard LSASS like a dragon guards gold. Touching LSASS is an instant "High Severity" alert.

Better options:

  1. SafetyKatz / BetterSafetyKatz: Run it from a sacrificial process, dump memory to a file, download the file, crack it offline.
  2. Token Manipulation: If you are SYSTEM, steal the token of a Domain Admin who happens to have a process running. You don't need their password if you become them.
  3. Browser Cookies: Chrome Cookies are the new Gold. Decrypt the Chrome DB, steal the session value for Okta/Slack/O365. Now you are in their cloud without touching AD.

Priority 4: Lateral Movement (Pivot)

Moving from Machine A to Machine B.

WinRM (Windows Remote Management) is your friend. It's legitimate traffic (Port 5985). PsExec is loud (creates a service). WMI is okay but watched.

SOCKS Proxies: Don't just run tools on the target. Setup a SOCKS proxy through your beacon. Run your tools (like impacket or browser traffic) on your machine, tunneled through the compromised host.

The Mental Model: "Assume You Are Watched"

Every command you type creates telemetry.

  • cmd.exe -> Process Create Event (4688).
  • powershell.exe -> Script Block Logging (4104).
  • net.exe -> Argument logging.

Ask yourself before hitting Enter: "Is this command normal for this user?"

If Bob from Accounting suddenly runs whoami /priv and tries to RDP into the Domain Controller, the SOC is going to have a fun afternoon. If Bob opens an Excel file and browses to an internal SharePoint site, nobody blinks.

Be Bob. Until you are ready to be System.
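To show what the other side of that telemetry looks like, here is an added example (written for this edit, not code from the original post) that runs a small detection pass over constructed Windows events. It encodes three of the tells the post names: the `net group "Domain Admins" /domain` and `whoami /priv` command lines in 4688 process-creation events, the "is this command normal for this user?" question as a per-user baseline of images, and a handle opened on lsass.exe in Sysmon Event ID 10 with the PROCESS_VM_READ right. The field names, the per-user baseline, the LSASS source allowlist, and every sample event are assumptions constructed for the example, not real logs from any environment.

```python
"""Added example: a toy detection pass over constructed 4688 and Sysmon 10 events."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

PROCESS_VM_READ = 0x0010  # access right required to read LSASS memory

# Recon command lines a SIEM typically alerts on (regexes constructed for the example).
RECON_PATTERNS = {
    "domain_admins_enum": re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?', re.I),
    "privilege_enum": re.compile(r"\bwhoami(?:\.exe)?\s+/priv\b", re.I),
    "domain_user_enum": re.compile(r"\bnet1?(?:\.exe)?\s+user\b.*\s/domain\b", re.I),
}

# Per-user baseline of images each account normally launches (constructed).
USER_BASELINE = {
    "CORP\\bob": {"excel.exe", "outlook.exe", "chrome.exe"},
    "CORP\\svc_admin": {"net.exe", "powershell.exe", "mmc.exe"},
}

# Processes expected to open lsass.exe with read access (constructed allowlist).
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}

# Constructed sample events; field names mimic a JSON log export, values are invented.
SAMPLE_EVENTS = [
    {"event_id": 4688, "user": "CORP\\bob", "host": "WORKSTATION-01",
     "image": "C:\\Windows\\System32\\net.exe",
     "command_line": 'net group "Domain Admins" /domain'},
    {"event_id": 4688, "user": "CORP\\bob", "host": "WORKSTATION-01",
     "image": "C:\\Windows\\System32\\whoami.exe", "command_line": "whoami /priv"},
    {"event_id": 4688, "user": "CORP\\bob", "host": "WORKSTATION-01",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "command_line": '"EXCEL.EXE" Q3_budget.xlsx'},
    {"event_id": 4688, "user": "CORP\\svc_admin", "host": "DC-01",
     "image": "C:\\Windows\\System32\\net.exe",
     "command_line": 'net group "Domain Admins" /domain'},
    {"event_id": 10, "user": "CORP\\bob", "host": "WORKSTATION-01",
     "source_image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    {"event_id": 10, "user": "NT AUTHORITY\\SYSTEM", "host": "WORKSTATION-01",
     "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1FFFFF"},
]


@dataclass
class Alert:
    rule: str
    severity: str
    user: str
    host: str
    detail: str


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_process_create(ev: dict) -> Optional[Alert]:
    """4688: flag recon command lines; severity depends on whether the image is normal for the user."""
    cmd = ev.get("command_line", "")
    for rule, pattern in RECON_PATTERNS.items():
        if pattern.search(cmd):
            normal = _basename(ev["image"]) in USER_BASELINE.get(ev["user"], set())
            return Alert(rule, "low" if normal else "high", ev["user"], ev["host"], cmd)
    return None


def check_lsass_access(ev: dict) -> Optional[Alert]:
    """Sysmon 10: a non-allowlisted process requesting PROCESS_VM_READ on lsass.exe."""
    if _basename(ev["target_image"]) != "lsass.exe":
        return None
    source = _basename(ev["source_image"])
    if source in LSASS_ALLOWED_SOURCES:
        return None
    if int(ev["granted_access"], 16) & PROCESS_VM_READ:
        return Alert("lsass_memory_read", "high", ev["user"], ev["host"],
                     f"{source} -> lsass.exe ({ev['granted_access']})")
    return None


def run_detections(events: list) -> list:
    """Dispatch each event to the rule for its ID and collect the alerts in input order."""
    alerts = []
    for ev in events:
        alert = None
        if ev["event_id"] == 4688:
            alert = check_process_create(ev)
        elif ev["event_id"] == 10:
            alert = check_lsass_access(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(f"[{a.severity.upper():4}] {a.rule}: {a.user}@{a.host} :: {a.detail}")
```

On the constructed sample, Bob's `net group` and `whoami /priv` come out high because neither binary is in his baseline, the same `net group` from the admin service account is only low because net.exe is normal for it, Bob's Excel launch produces nothing, and the unknown Temp binary opening lsass.exe with 0x1010 (VM_READ plus QUERY_LIMITED_INFORMATION) fires while csrss.exe is allowlisted. The per-user baseline is the piece that turns "this command exists" into "this command is abnormal for this account", which is the distinction the post's Bob example rests on.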