Post-Exploitation

Introduction

The Post-Exploitation stage aims to obtain sensitive and security-relevant information from a local perspective and business-relevant information that, in most cases, requires higher privileges than a standard user.
This stage includes the following components:
- Evasive Testing
- Information Gathering
- Pillaging
- Vulnerability Assessment
- Privilege Escalation
- Persistence
- Data Exfiltration

Evasive Testing

If a skilled administrator monitors the systems, any change or even a single command could trigger an alarm that will give us away. In many cases, we get kicked out of the network, and then threat hunting begins where we are the focus. We may also lose access to a host (that gets quarantined) or a user account (that gets temporarily disabled or the password changed).
This penetration test would have failed but succeeded in some ways because the client could detect some actions. We can provide value to the client in this situation by still writing up an entire attack chain and helping them identify gaps in their monitoring and processes where they did not notice our actions.
For us, we can study how and why the client detected us and work on improving our evasion skills.
Evasive testing is divided into three different categories:
- Evasive
- Hybrid Evasive
- Non-Evasive
This does not mean that we cannot use all three methods.

Information Gathering

Since we have gained a new perspective on the system and the network of our target system in the Exploitation stage, we are basically in a new environment.
In the Post-Exploitation stage, we go through the Information Gathering and Vulnerability Assessment stages again, which we can consider as parts of the current stage
From the inside (local) perspective, we have many more possibilities and alternatives to access certain information that is relevant to us.
The difference here is that we also enumerate the local network and local services such as printers, database servers, virtualization services, etc. Often we will find shares intended for employees to use to exchange and share data and files. The investigation of these services and network components is called Pillaging.

Pillaging

Pillaging is the stage where we examine the role of the host in the corporate network.
Understanding the role of the system we are on also gives us an excellent understanding of how it communicates with other network devices and its purpose.
From this, we can find out, for example, what alternative subdomains exist, whether it has multiple network interfaces, whether there are other hosts with which this system communicates, if admins are connecting to other hosts from it, and if we can potentially reuse credentials or steal an SSH key to further our access or establish persistence, etc.
During the pillaging stage, we will also hunt for sensitive data such as passwords on shares, local machines, in scripts, configuration files, password vaults, documents (Excel, Word, .txt files, etc.), and even email.
Our main goals with pillaging are to show the impact of successful exploitation and, if we have not yet reached the goal of the assessment, to find additional data such as passwords that can be inputs to other stages such as lateral movement.

Persistence

Once we have an overview of the system, our immediate next step is maintaining access to the exploited host. This way, if the connection is interrupted, we can still access it. This step is essential and often used as the first step before the Information Gathering and Pillaging stages.
We should follow non-standardized sequences because each system is individually configured by a unique administrator who brings their own preferences and knowledge.

Vulnerability Assessment

If we can maintain access and have a good overview of the system, we can use the information about the system and its services and any other data stored on it to repeat the Vulnerability Assessment stage, but this time from inside the system.
The goal we pursue next is the escalation of privileges (if not already in place).

Privilege Escalation

Privilege escalation is significant, and in most cases, it represents a critical moment that can open many more new doors for us.
Getting the highest possible privileges on the system or domain is often crucial. Therefore we want to get the privileges of the root (on Linux-based systems) or the domain administrator/local administrator/SYSTEM (on Windows-based systems) because this will often allow us to move through the entire network without any restrictions.
However, it is essential to remember that the escalation of privileges does not always have to occur locally on the system. We can also obtain stored credentials during the information gathering stage from other users who are members of a higher privileged group.

Data Exfiltration

During the Information Gathering and Pillaging stage, we will often be able to find, among other things, considerable personal information and customer data.
Some clients will want to check whether it is possible to exfiltrate this data. This means we try to transfer this information from the target system to our own.
Security systems such as Data Loss Prevention (DLP) and Endpoint Detection and Response (EDR) help detect and prevent data exfiltration.
In addition to Network Monitoring, many companies use encryption on hard drives to prevent external parties from viewing such information.
Before exfiltrating any actual data, we should check with the customer and our manager. It can often be enough to create some bogus data (such as fake credit card numbers or social security numbers) and exfiltrate it to our system. That way, the protection mechanisms that look for patterns in data leaving the network will be tested, but we will not be responsible for any live sensitive data on our testing machine.
Companies must adhere to data security regulations depending on the type of data involved.
It's a good habit to run a screen recording (along with taking screenshots) as additional evidence for such vital steps. If we only have terminal access, we can display the hostname, IP address, user name, and the corresponding path to the customer file and take a screenshot or screen capture. This helps us prove where the data originated from and that we could remove it from the environment successfully.
If sensitive data like this is found, our client should, of course, be informed immediately. Based on the fact that we could escalate the privileges and exfiltrate personal data, they may want to pause, end, or shift the focus of the penetration test, especially if data exfiltration was the primary goal.

PreviousExploitation NextLateral Movement

Last updated 3 months ago

Introduction

The Post-Exploitation stage aims to obtain sensitive and security-relevant information from a local perspective and business-relevant information that, in most cases, requires higher privileges than a standard user.

This stage includes the following components:

Evasive Testing
Information Gathering
Pillaging
Vulnerability Assessment
Privilege Escalation
Persistence
Data Exfiltration

Evasive Testing

If a skilled administrator monitors the systems, any change or even a single command could trigger an alarm that will give us away. In many cases, we get kicked out of the network, and then threat hunting begins where we are the focus. We may also lose access to a host (that gets quarantined) or a user account (that gets temporarily disabled or the password changed).

This penetration test would have failed but succeeded in some ways because the client could detect some actions. We can provide value to the client in this situation by still writing up an entire attack chain and helping them identify gaps in their monitoring and processes where they did not notice our actions.

For us, we can study how and why the client detected us and work on improving our evasion skills.

Evasive testing is divided into three different categories:

Evasive
Hybrid Evasive
Non-Evasive

This does not mean that we cannot use all three methods.

Information Gathering

Since we have gained a new perspective on the system and the network of our target system in the Exploitation stage, we are basically in a new environment.

In the Post-Exploitation stage, we go through the Information Gathering and Vulnerability Assessment stages again, which we can consider as parts of the current stage

From the inside (local) perspective, we have many more possibilities and alternatives to access certain information that is relevant to us.

The difference here is that we also enumerate the local network and local services such as printers, database servers, virtualization services, etc. Often we will find shares intended for employees to use to exchange and share data and files. The investigation of these services and network components is called Pillaging.

Pillaging

Pillaging is the stage where we examine the role of the host in the corporate network.

Understanding the role of the system we are on also gives us an excellent understanding of how it communicates with other network devices and its purpose.

From this, we can find out, for example, what alternative subdomains exist, whether it has multiple network interfaces, whether there are other hosts with which this system communicates, if admins are connecting to other hosts from it, and if we can potentially reuse credentials or steal an SSH key to further our access or establish persistence, etc.

During the pillaging stage, we will also hunt for sensitive data such as passwords on shares, local machines, in scripts, configuration files, password vaults, documents (Excel, Word, .txt files, etc.), and even email.

Our main goals with pillaging are to show the impact of successful exploitation and, if we have not yet reached the goal of the assessment, to find additional data such as passwords that can be inputs to other stages such as lateral movement.

Persistence

Once we have an overview of the system, our immediate next step is maintaining access to the exploited host. This way, if the connection is interrupted, we can still access it. This step is essential and often used as the first step before the Information Gathering and Pillaging stages.

We should follow non-standardized sequences because each system is individually configured by a unique administrator who brings their own preferences and knowledge.

Vulnerability Assessment

If we can maintain access and have a good overview of the system, we can use the information about the system and its services and any other data stored on it to repeat the Vulnerability Assessment stage, but this time from inside the system.

The goal we pursue next is the escalation of privileges (if not already in place).

Privilege Escalation

Privilege escalation is significant, and in most cases, it represents a critical moment that can open many more new doors for us.

Getting the highest possible privileges on the system or domain is often crucial. Therefore we want to get the privileges of the root (on Linux-based systems) or the domain administrator/local administrator/SYSTEM (on Windows-based systems) because this will often allow us to move through the entire network without any restrictions.

However, it is essential to remember that the escalation of privileges does not always have to occur locally on the system. We can also obtain stored credentials during the information gathering stage from other users who are members of a higher privileged group.

Data Exfiltration

During the Information Gathering and Pillaging stage, we will often be able to find, among other things, considerable personal information and customer data.

Some clients will want to check whether it is possible to exfiltrate this data. This means we try to transfer this information from the target system to our own.

Security systems such as Data Loss Prevention (DLP) and Endpoint Detection and Response (EDR) help detect and prevent data exfiltration.

In addition to Network Monitoring, many companies use encryption on hard drives to prevent external parties from viewing such information.

Before exfiltrating any actual data, we should check with the customer and our manager. It can often be enough to create some bogus data (such as fake credit card numbers or social security numbers) and exfiltrate it to our system. That way, the protection mechanisms that look for patterns in data leaving the network will be tested, but we will not be responsible for any live sensitive data on our testing machine.

Companies must adhere to data security regulations depending on the type of data involved.

It's a good habit to run a screen recording (along with taking screenshots) as additional evidence for such vital steps. If we only have terminal access, we can display the hostname, IP address, user name, and the corresponding path to the customer file and take a screenshot or screen capture. This helps us prove where the data originated from and that we could remove it from the environment successfully.

If sensitive data like this is found, our client should, of course, be informed immediately. Based on the fact that we could escalate the privileges and exfiltrate personal data, they may want to pause, end, or shift the focus of the penetration test, especially if data exfiltration was the primary goal.