Chapter 24 Further Reading: Post-Exploitation and Pivoting

Essential Books

"Red Team Development and Operations: A Practical Guide" by Joe Vest and James Tubberville. Less a technique manual than a guide to running red team engagements: planning, rules of engagement, tradecraft, and reporting. Its treatment of persistence, lateral movement, and command and control is framed around how each fits into a realistic adversary emulation rather than as a checklist of individual exploits, which is the right mindset for post-exploitation work.

"The Hacker Playbook 3: Practical Guide to Penetration Testing" by Peter Kim. The third edition adds dedicated material on post-exploitation, pivoting, and lateral movement, organized as a red team "playbook." Its value is the step-by-step lab exercises; the tooling it uses dates from 2018, so treat the commands as a starting point and check current syntax before relying on them.

"Penetration Testing: A Hands-On Introduction to Hacking" by Georgia Weidman. A thorough introduction that covers post-exploitation with Meterpreter, pivoting through a compromised host (port forwarding and routing), and credential harvesting. Published in 2014, so the targets and tool versions are dated, but the fundamentals it teaches still hold and it remains the best starting point for readers new to post-exploitation.

Active Directory Security (ADSecurity.org) by Sean Metcalf. Not a book, but Metcalf's long-running collection of blog posts and conference presentations is one of the most cited references for Active Directory attack and defense. It is strongest on Kerberos abuse (Kerberoasting, Golden and Silver Tickets, delegation abuse) and DCSync, and, unusually for offensive material, pairs each technique with detection and hardening guidance. For ADCS abuse, see the SpecterOps research listed below.

Papers, Frameworks, and Course Materials

CISA Alerts AA20-352A and AA21-008A on the SolarWinds (SUNBURST) compromise (2020-2021). The Cybersecurity and Infrastructure Security Agency's analysis documents the post-compromise activity attributed to APT29 (also tracked as UNC2452 and NOBELIUM): credential theft, the Golden SAML technique (forging SAML tokens with a stolen AD FS token-signing certificate) used to pivot from on-premises identity into Microsoft 365 and Azure AD, and the corresponding detection guidance. Golden SAML itself was first described by CyberArk in 2017; the SolarWinds intrusion is the best-documented case of it being used at scale.

MITRE ATT&CK Enterprise Matrix (attack.mitre.org). Not a paper but a knowledge base of observed adversary behavior. Post-exploitation activity spans most of its tactics: Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, and Exfiltration. Beyond learning techniques, use it to map each step of an engagement to a technique ID in reports and to give defenders a common vocabulary for detection coverage.

Certified Red Team Operator (CRTO) Course by Zero-Point Security. A course rather than a paper, with a hands-on lab exam. The curriculum covers Cobalt Strike operations, Active Directory post-exploitation, and pivoting through multi-segment lab networks. Available directly from Zero-Point Security.

Online Resources and Tools

Ligolo-ng Documentation and Tutorials. The official Ligolo-ng repository (github.com/nicocha30/ligolo-ng) includes documentation and links to community tutorials for advanced pivoting scenarios, including double pivoting (chaining agents) and multi-listener configurations. Ligolo-ng differs from SOCKS-based tools in that it exposes the pivot as a TUN interface on the operator's host, so ordinary tools reach the internal network through normal routing without proxychains.

Chisel Project Repository. Chisel (github.com/jpillora/chisel) is a TCP/UDP tunnel carried over HTTP and secured with SSH, shipped as a single Go binary, which makes it a common choice where only HTTP(S) egress is allowed. The repository README gives usage examples for forward and reverse tunnels and SOCKS proxies; community blog posts extending it are widely available. Enable authentication on the server in any real engagement so the pivot is not usable by anyone who discovers the listener.

HackTricks — Post-Exploitation Section book.hacktricks.xyz maintains an extensive, community-maintained reference covering post-exploitation techniques for Linux, Windows, and cloud environments. Regularly updated with new techniques and tool usage.

PayloadsAllTheThings The PayloadsAllTheThings GitHub repository (swisskyrepo/PayloadsAllTheThings) provides comprehensive cheat sheets for privilege escalation, persistence, lateral movement, and pivoting on multiple platforms.

SpecterOps Blog. The SpecterOps team regularly publishes research on advanced post-exploitation techniques, particularly for Active Directory environments. Their "Certified Pre-Owned" research on ADCS abuse (with the accompanying Certify tool), BloodHound, and adversary simulation work are widely referenced. Certipy, the Python implementation of the same ADCS attacks, is a separate project by Oliver Lyak (ly4k), not a SpecterOps tool.

Training Platforms

Hack The Box Pro Labs (Dante, RastaLabs, Offshore, Cybernetics). HTB Pro Labs provide realistic Active Directory environments designed for practicing post-exploitation, lateral movement, and pivoting across multiple network segments and, in the harder labs, multi-domain and multi-forest configurations. Dante is the entry-level lab and a reasonable first step before the others.

TryHackMe Post-Exploitation Paths. TryHackMe offers guided learning paths covering Metasploit post-exploitation, Active Directory lateral movement, pivoting, and data exfiltration, in rooms that increase in difficulty and supply the target infrastructure for you.

PentesterLab. PentesterLab is primarily web-focused, but its exercises on authentication, token handling, and privilege escalation are relevant where post-exploitation passes through web applications and the identities and tokens they issue.

SANS SEC560: Enterprise Penetration Testing (formerly titled Network Penetration Testing and Ethical Hacking). SEC560 covers post-exploitation methodology as part of its penetration testing curriculum, with hands-on labs in realistic enterprise environments.

Community and Conferences

DEF CON and Black Hat Presentations Annual DEF CON and Black Hat conferences regularly feature presentations on novel post-exploitation techniques, C2 framework development, and lateral movement research. Presentation videos and papers are freely available online.

SANS Pen Test HackFest A conference focused specifically on penetration testing, with workshops and talks covering current post-exploitation techniques and tool development.

BloodHound Community. BloodHound maps Active Directory relationships (group membership, sessions, ACLs, delegation) into a graph and finds attack paths through it. The original project lives under github.com/BloodHoundAD; that legacy version has been deprecated in favor of BloodHound Community Edition, maintained by SpecterOps at github.com/SpecterOps/BloodHound. Understanding BloodHound output is essential for efficient lateral movement in AD environments, and equally useful for defenders removing the same paths.

Suggested Learning Sequence

For readers new to post-exploitation, the following learning sequence is recommended:

  1. Start with Georgia Weidman's book for foundational concepts
  2. Practice basic pivoting (SSH port forwarding, Chisel, Ligolo-ng) on TryHackMe or Hack The Box free machines
  3. Study the MITRE ATT&CK framework to organize what you learn by tactic and technique
  4. Progress to HackTricks and PayloadsAllTheThings as technique references
  5. Advance to HTB Pro Labs for realistic multi-host environments
  6. Study SpecterOps and ADSecurity.org research for advanced Active Directory techniques
  7. Explore open-source C2 frameworks (Sliver, Mythic) for familiarity with the tooling used on real engagements