Post-Exploitation Techniques
Post-exploitation encompasses the full range of adversarial actions performed after an attacker has achieved initial access to a target system — the phase where a foothold becomes leverage. This reference covers the definition, structural mechanics, classification boundaries, and professional framing of post-exploitation as it appears in authorized penetration testing engagements, threat modeling, and compliance-driven security assessments across the United States. Understanding this phase is essential for organizations seeking to evaluate the true blast radius of a successful compromise, beyond the initial entry point.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
- References
Definition and scope
Post-exploitation is the operational phase of a penetration test or adversarial simulation that begins immediately after successful exploitation of a vulnerability and extends through all subsequent attacker activity within the compromised environment. The phase is formally defined within the Penetration Testing Execution Standard (PTES) as the collection of activities — including host enumeration, privilege escalation, lateral movement, persistence establishment, data exfiltration, and anti-forensic action — that determine the practical consequence of a breach.
The scope of post-exploitation in authorized testing is bounded by the rules of engagement documented prior to the engagement. NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, frames penetration testing as a process that includes both exploitation and post-exploitation phases, with the latter used to demonstrate the full attack path and the data or systems that a real adversary could reach. The Computer Fraud and Abuse Act (18 U.S.C. § 1030) creates the legal boundary: post-exploitation activity performed without explicit written authorization exposes practitioners to federal criminal liability, regardless of whether exploitation itself was authorized. This makes authorization documentation a non-negotiable prerequisite for any post-exploitation work.
Post-exploitation applies across all major testing domains — network infrastructure, web applications, cloud environments, and operational technology systems. The specific techniques available differ substantially between these environments, but the phase structure remains consistent: establish a stable foothold, enumerate the local and domain environment, escalate access, move laterally, and assess the impact of sustained access.
Core mechanics or structure
Post-exploitation is not a single technique but a structured sequence of capability categories that collectively simulate the dwell time and damage potential of an advanced threat actor. The MITRE ATT&CK framework, maintained by the MITRE Corporation and widely referenced by the Cybersecurity and Infrastructure Security Agency (CISA), catalogs these capabilities across 14 tactic categories applicable to enterprise environments.
Host enumeration and situational awareness is the immediate first step after gaining access. This involves identifying the operating system version, installed software, running processes, network interfaces, logged-on users, and local security controls. Tools such as native OS commands (whoami, ipconfig, netstat) or dedicated post-exploitation frameworks provide this data without generating large volumes of anomalous traffic.
Privilege escalation is the process of elevating from a low-privilege account to a higher-privilege one — typically local administrator, SYSTEM on Windows, or root on Linux/Unix systems. Techniques include kernel exploits, misconfigured service permissions, unquoted service paths, stored credential abuse, and token impersonation. Privilege escalation is one of the highest-signal findings in any authorized engagement because it directly demonstrates that an attacker can acquire administrative control from an ordinary user session.
Persistence mechanisms allow a simulated attacker to survive reboots and maintain access across detection events. Registry run keys, scheduled tasks, WMI subscriptions, cron jobs, SSH authorized keys, and startup folder entries are the primary persistence classes cataloged in ATT&CK under the Persistence tactic (TA0003).
Credential access targets stored, cached, or transmitted authentication material. Techniques include LSASS memory dumping (e.g., via Mimikatz), NTLM hash extraction, SAM database access, browser credential stores, and Kerberoasting against Active Directory service accounts.
Lateral movement uses the credentials, tokens, or trust relationships obtained on the compromised host to access additional systems within the environment. Pass-the-Hash, Pass-the-Ticket, remote service exploitation, and abuse of legitimate remote administration protocols (RDP, WinRM, SSH) are the primary vectors.
Data collection and exfiltration simulation demonstrates what sensitive information — personally identifiable information, intellectual property, credentials, or regulated data — is accessible and whether it can be transmitted outside the network boundary. In authorized engagements, actual exfiltration is typically simulated using test files with agreed-upon markers rather than genuine sensitive data.
Anti-forensic and evasion activity mirrors what real adversaries do to extend dwell time: clearing event logs, timestomping files, disabling endpoint detection agents, and using encrypted channels for command-and-control (C2) communication.
Causal relationships or drivers
The demand for thorough post-exploitation testing is driven by regulatory requirements, threat intelligence findings, and the structural gap between detection capability and attacker dwell time.
Regulatory frameworks are a primary driver. PCI DSS v4.0, Requirement 11.4 mandates penetration testing that includes exploitation and post-exploitation assessment of the cardholder data environment. HIPAA Security Rule risk analysis requirements (45 CFR § 164.308(a)(1)) incentivize covered entities to assess the potential impact of unauthorized access — a standard post-exploitation testing directly addresses. FedRAMP continuous monitoring requirements for cloud service providers reference NIST SP 800-53 controls that assume adversarial actors may already be present inside the authorization boundary.
Threat intelligence findings from organizations including CISA and the FBI Internet Crime Complaint Center (IC3) consistently show that the gap between initial compromise and detection — sometimes called dwell time — extends for weeks or months in enterprise environments. Dwell time gives real adversaries time to perform exactly the post-exploitation activities that authorized testers simulate. Testing this phase reveals whether detection controls, segmentation, and least-privilege implementations would actually contain a real intrusion.
The increasing prevalence of red team operations as a testing modality reflects organizational recognition that post-exploitation realism is more operationally valuable than point-in-time vulnerability enumeration. Red team engagements, by design, weight post-exploitation activity heavily.
Classification boundaries
Post-exploitation techniques fall into distinct classification categories based on their objective, required access level, and the stage at which they occur.
By access level required:
- Local user access — host enumeration, local credential access, local privilege escalation
- Local administrator / root access — credential dumping, persistence installation, full host control
- Domain user access — domain enumeration, Kerberoasting, lateral movement via legitimate protocols
- Domain administrator access — domain-wide persistence, Golden Ticket attacks, forest-level compromise
By target environment:
- Windows Active Directory environments — the most technique-dense category, heavily documented in ATT&CK
- Linux/Unix environments — sudo misconfiguration exploitation, cron-based persistence, SUID binary abuse
- Cloud environments — IAM role abuse, instance metadata service exploitation, storage access key extraction (see cloud penetration testing)
- OT/SCADA environments — protocol-level enumeration, historian database access, HMI manipulation (see SCADA/ICS penetration testing)
By engagement type:
- Standard penetration test post-exploitation — follows structured PTES phases with defined stop conditions
- Red team post-exploitation — objective-based, may extend over days or weeks, mimics APT dwell patterns
- Purple team post-exploitation — performed collaboratively with the defensive team to validate detection coverage (see purple team testing)
Tradeoffs and tensions
Post-exploitation testing generates significant tension between operational realism and operational risk.
Realism vs. disruption: Authentic post-exploitation activity — privilege escalation, credential dumping, lateral movement — carries a non-trivial risk of disrupting production systems, triggering endpoint protection lockouts, or corrupting active user sessions. The more realistic the simulation, the higher the probability of unintended side effects. Engagements must define specific controls around actions such as rebooting compromised hosts, modifying Active Directory objects, or touching production databases.
Completeness vs. scope creep: Post-exploitation naturally expands the attack surface being evaluated. A tester who pivots from a compromised workstation to a database server is now testing that database server — potentially outside the original scope. Scope documentation for rules of engagement must explicitly define whether lateral movement destinations require separate authorization.
Persistence realism vs. cleanup risk: Installing persistence mechanisms (e.g., registry run keys, scheduled tasks) to simulate long-term attacker access requires reliable removal at engagement close. Incomplete cleanup can leave operational security artifacts that interfere with future incident response exercises or trigger false-positive alerts months after testing concludes.
Detection evasion vs. blue team visibility: Engagements that prioritize stealth to avoid detection may not generate the telemetry that blue teams need to evaluate their detection coverage. The tradeoff between testing attacker capability (stealth) and testing defender capability (detection) is a structural design choice that shapes the entire post-exploitation phase.
Common misconceptions
Misconception: Post-exploitation is optional or supplementary.
Post-exploitation is not an add-on. PTES frames it as a mandatory phase. NIST SP 800-115 explicitly distinguishes penetration testing from vulnerability scanning by the requirement to pursue exploitation and assess its downstream consequences. An engagement that stops at successful exploitation without post-exploitation analysis does not demonstrate actual organizational risk.
Misconception: Credential dumping always requires physical access or malware.
LSASS credential extraction, SAM database access, and Kerberoasting are achievable through legitimate administrative interfaces and built-in OS features. Mimikatz-based credential access, for example, requires only local administrator privileges on a Windows host — a condition frequently achieved through routine privilege escalation.
Misconception: Post-exploitation findings only matter for large enterprises.
Active Directory misconfigurations, unpatched privilege escalation vectors, and weak credential policies affect organizations of all sizes. Penetration testing engagements for small businesses routinely surface post-exploitation paths that allow a single compromised workstation to yield full domain takeover.
Misconception: Successful post-exploitation means the security program has failed.
The purpose of authorized post-exploitation is precisely to find these paths before adversaries do. A finding that a domain administrator credential was accessible through an LSASS dump is a remediation opportunity, not a program failure. Failure is discovering this through a real incident.
Misconception: All post-exploitation activity is detected by modern EDR solutions.
Endpoint detection and response (EDR) tools miss a meaningful percentage of post-exploitation techniques, particularly those using living-off-the-land binaries (LOLBins) — legitimate system tools repurposed for malicious activity. CISA's advisory documentation consistently notes that LOLBin abuse is among the least-detected attacker technique categories in enterprise environments.
Checklist or steps (non-advisory)
The following represents the standard post-exploitation phase sequence as documented in the Penetration Testing Execution Standard (PTES) and consistent with MITRE ATT&CK tactic ordering. This is a reference structure, not procedural guidance for any specific engagement.
Post-Exploitation Phase Reference Sequence
- [ ] Confirm exploitation success and document the access level achieved (user, admin, SYSTEM/root)
- [ ] Perform host-level enumeration: OS version, patch level, running processes, installed software, network interfaces, local users and groups
- [ ] Identify and document security controls present: AV/EDR agents, host-based firewall rules, application whitelisting policies
- [ ] Assess privilege escalation paths: misconfigured services, kernel version exposure, stored credentials, token privileges
- [ ] Escalate privilege if possible; document the escalation vector and resulting access level
- [ ] Extract available credentials: cached credentials, LSASS memory, SAM database, browser stores, configuration files
- [ ] Enumerate the domain or directory environment (where applicable): domain controllers, domain admins, Kerberoastable accounts, GPO configurations, trust relationships
- [ ] Identify lateral movement paths: reachable hosts, shared credentials, accessible remote management interfaces
- [ ] Simulate lateral movement to in-scope secondary targets; document each hop and the technique used
- [ ] Assess persistence options available at current privilege level; document (do not install unless explicitly authorized in the rules of engagement)
- [ ] Identify data stores accessible at current privilege level: databases, file shares, email, regulated data repositories
- [ ] Simulate data exfiltration using test markers (not production data); document whether outbound data transfer is possible and through which channels
- [ ] Assess anti-forensic opportunities: event log access, logging gaps, potential for log clearing
- [ ] Document all artifacts created during post-exploitation for complete cleanup at engagement close
- [ ] Compile evidence packages: screenshots, command output logs, hash captures, network traffic captures where authorized
Reference table or matrix
| Technique Category | ATT&CK Tactic | Minimum Access Required | Primary Target Environments | Key Detection Signal |
|---|---|---|---|---|
| Host enumeration | Discovery (TA0007) | Local user | All | Native command execution from non-standard parent process |
| Privilege escalation — service misconfiguration | Privilege Escalation (TA0004) | Local user | Windows | Service control manager events (Event ID 7045) |
| Privilege escalation — kernel exploit | Privilege Escalation (TA0004) | Local user | Windows, Linux | Unexpected kernel module load; crash dumps |
| LSASS credential dumping | Credential Access (TA0006) | Local administrator | Windows | LSASS memory access by non-system process (Sysmon Event ID 10) |
| Kerberoasting | Credential Access (TA0006) | Domain user | Windows AD | Kerberos TGS requests for RC4-encrypted tickets (Event ID 4769) |
| Pass-the-Hash | Lateral Movement (TA0008) | Local administrator | Windows | NTLM authentication events from unexpected source IPs |
| Pass-the-Ticket | Lateral Movement (TA0008) | Domain user | Windows AD | Kerberos ticket anomalies; unusual logon types |
| Registry run key persistence | Persistence (TA0003) | Local administrator | Windows | Registry modification events (Sysmon Event ID 13) |
| Scheduled task persistence | Persistence (TA0003) | Local administrator | Windows, Linux | Task Scheduler events (Event ID 4698); cron modification |
| WMI subscription persistence | Persistence (TA0003) | Local administrator | Windows | WMI activity logs; abnormal WMI provider host execution |
| IAM role abuse | Privilege Escalation (TA0004), Lateral Movement (TA0008) | Cloud user credentials | AWS, Azure, GCP | CloudTrail AssumeRole events; unusual API call patterns |
| LOLBin C2 staging | Command and Control (TA0011) | Any | Windows | Unsigned script execution; encoded PowerShell; certutil outbound |
| Log clearing | Defense Evasion (TA0005) | Local administrator | All | Event log service stops; Security log cleared (Event ID 1102) |
ATT&CK tactic codes reference the MITRE ATT&CK Enterprise Matrix. Windows Event IDs reference Microsoft's official event documentation.
The exploitation techniques overview provides the preceding phase context for this sequence, while the penetration testing methodology page covers how post-exploitation fits within the full engagement lifecycle. Practitioners selecting tooling for post-exploitation work will find the penetration testing tools and Metasploit Framework overview pages relevant to this phase.
References
- NIST SP 800-115, Technical Guide to Information Security Testing and Assessment — National Institute of Standards and Technology
- MITRE ATT&CK Enterprise Matrix — MITRE Corporation
- Penetration Testing Execution Standard (PTES) — Post-Exploitation phase documentation
- [CISA — Known Exploited Vulnerabilities Catalog and Advisories](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)