Chapter 24 Key Takeaways: Post-Exploitation and Pivoting

Core Concepts

  1. Post-exploitation is where penetration tests deliver real value. Initial exploitation proves a vulnerability exists; post-exploitation demonstrates its actual business impact by tracing the path from a single foothold to critical assets.

  2. Situational awareness comes first. Before taking any action on a compromised system, gather comprehensive information about the host, network, users, and environment. This reconnaissance shapes every subsequent decision.

  3. Privilege escalation transforms access. Moving from a low-privilege user to root or SYSTEM access often determines whether engagement objectives are achievable. Both Linux and Windows offer numerous escalation vectors that must be systematically evaluated.

  4. Persistence is a professional necessity with strict obligations. Multi-day engagements require persistent access, but every mechanism must be documented, secured with unique authentication, and completely removed during cleanup.

  5. Pivoting extends reach into segmented networks. Tools like SSH tunneling, Chisel, and Ligolo-ng transform a compromised host into a bridge to otherwise inaccessible network segments. The choice of tool depends on available protocols, required functionality, and stealth requirements.

  6. Lateral movement is credential-driven. Techniques such as Pass-the-Hash, Pass-the-Ticket, Kerberoasting, and ADCS abuse reuse harvested or forged credentials to compromise additional systems. Active Directory environments are especially exposed because a single domain credential, hash, or ticket is typically accepted by many hosts.

  7. Data exfiltration demonstrates impact. Controlled exfiltration through channels like HTTPS, DNS tunneling, and cloud storage shows clients that their data protection controls can be bypassed, providing concrete evidence for remediation investment.

  8. Cleanup is a non-negotiable professional obligation. Every tool, backdoor, modified configuration, and created account must be removed and documented. Inadequate cleanup can leave the client less secure than before the engagement.

  9. Ethical boundaries are absolute. Never access real sensitive data, never exceed the authorized scope, and always prioritize system stability. Demonstrate access without handling actual confidential information.

  10. Documentation drives value. The attack narrative -- tracing the path from initial access through pivoting and lateral movement to critical assets -- is the most valuable component of the penetration test report. Document every step in real time.
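Item 7 lists DNS tunneling as an exfiltration channel. As an added example (not from the chapter), the block below shows what such a tunnel has to do to fit the protocol: base32-encode the data, split it into labels of at most 63 characters, keep each whole name within 253 characters, and number every query so the attacker's authoritative server can reassemble queries that arrive out of order through caching resolvers. The zone `exfil.example.com`, the sample payload and the thresholds in `looks_tunneled` are assumptions; that last function is the cheap defender-side check a practitioner would run over resolver logs to catch this shape of traffic.

```python
import base64
import random

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # longest printable name that fits the 255-octet wire limit


def encode_queries(data: bytes, domain: str, chunk: int = 100) -> list:
    """Compromised host: split data into query names shaped
    <seq>.<base32 labels>.<domain>. A chunk size that is a multiple of 5
    keeps base32 padding out of the labels."""
    names = []
    for seq, off in enumerate(range(0, len(data), chunk)):
        b32 = base64.b32encode(data[off:off + chunk]).decode().rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join([f"{seq:06x}", *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError(f"query {seq} is {len(name)} chars; reduce chunk or use a shorter zone")
        names.append(name)
    return names


def decode_queries(names, domain: str) -> bytes:
    """Attacker-controlled authoritative server: strip the zone, reassemble by
    sequence number, ignore queries that are not part of the tunnel."""
    suffix = "." + domain
    parts = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        seq, *labels = name[:-len(suffix)].split(".")
        b32 = "".join(labels).upper()
        b32 += "=" * (-len(b32) % 8)               # restore the stripped padding
        try:
            parts[int(seq, 16)] = base64.b32decode(b32)
        except ValueError:                         # e.g. an ordinary lookup for www.<zone>
            continue
    return b"".join(parts[k] for k in sorted(parts))


def looks_tunneled(name: str, zone: str, max_sub_len: int = 50) -> bool:
    """Defender-side heuristic over resolver logs: an unusually long subdomain
    part, or a long label with no hyphen (real hostnames rarely look like that).
    Thresholds are illustrative; tune them against your own baseline."""
    sub = name[:-len(zone) - 1] if name.endswith("." + zone) else name
    long_label = any(len(label) >= 30 and "-" not in label for label in sub.split("."))
    return len(sub) > max_sub_len or long_label


if __name__ == "__main__":
    secret = b"constructed sample payload: customer export row\n" * 8
    zone = "exfil.example.com"                     # assumed attacker-controlled zone
    queries = encode_queries(secret, zone)
    random.shuffle(queries)                        # simulate out-of-order arrival
    print("round trip ok:", decode_queries(queries, zone) == secret)
    print(len(queries), "queries; longest", max(len(q) for q in queries), "chars")
    print("flagged by heuristic:", sum(looks_tunneled(q, "example.com") for q in queries), "of", len(queries))
```

Throughput is the practical limit: at 100 bytes per query, exfiltrating a few megabytes means tens of thousands of queries to one zone, which is exactly the volume and shape the DNS-monitoring bullet under Defensive Priorities is meant to catch.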

Defensive Priorities

  • Implement network segmentation with deny-by-default rules and microsegmentation to contain lateral movement
  • Deploy EDR on all endpoints and monitor for persistence indicators such as new scheduled tasks, registry modifications, and unusual service installations
  • Use a tiered administration model together with credential-protection controls (LAPS, privileged access workstations, Credential Guard) to limit credential harvesting and lateral movement
  • Monitor data flows for exfiltration indicators (DNS anomalies, beaconing patterns, large outbound transfers to unusual destinations)
  • Adopt Zero Trust architecture to verify every access request regardless of network location or prior authentication
  • Enable comprehensive logging and monitoring, especially Windows Security log events 4624 (logon), 4625 (failed logon), 4672 (special privileges assigned), 4768 (TGT request) and 4769 (service ticket request), plus System log event 7045 (new service installed)
  • Implement application control (allow-listing) and PowerShell Constrained Language Mode to limit LOLBin abuse and fileless attack techniques
  • Conduct regular purple team exercises where offensive and defensive teams collaborate to identify detection gaps in post-exploitation scenarios
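The bullets above name the Windows event IDs to watch. The block below is an added example, not from the chapter: three detection rules run over a handful of constructed JSON-lines events (not from a real host) in the flattened field layout log shippers usually emit. The rules are heuristics: an NTLM network logon (4624, logon type 3) for a watch-listed privileged account as a pass-the-hash candidate, a successful 4769 with RC4 (0x17) for a user-account SPN as a Kerberoasting candidate, and a 7045 service install from a temp or user-writable path. The watchlist, path patterns, field names and sample values are assumptions; each rule needs a per-environment baseline before it goes into production.

```python
import json

# Constructed sample events (not from a real host), one JSON object per line,
# in the flattened field layout shippers such as Winlogbeat or NXLog emit.
SAMPLE_LOG = r"""
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "da-admin", "TargetDomainName": "CORP", "IpAddress": "10.20.5.41", "WorkstationName": "WS0187"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetUserName": "alice", "TargetDomainName": "CORP", "IpAddress": "10.20.7.12", "WorkstationName": "WS0042"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "FS01$", "TargetDomainName": "CORP", "IpAddress": "10.20.1.5", "WorkstationName": "FS01"}
{"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "da-admin", "Status": "0xc000006d", "IpAddress": "10.20.5.41"}
{"EventID": 4769, "ServiceName": "svc-sql", "TargetUserName": "bob@CORP.LOCAL", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.20.7.90"}
{"EventID": 4769, "ServiceName": "svc-web", "TargetUserName": "bob@CORP.LOCAL", "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.20.7.90"}
{"EventID": 4769, "ServiceName": "krbtgt", "TargetUserName": "bob@CORP.LOCAL", "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.20.7.90"}
{"EventID": 7045, "ServiceName": "WinSvcUpd", "ImagePath": "C:\\Windows\\Temp\\upd.exe", "ServiceType": "user mode service", "StartType": "demand start"}
{"EventID": 7045, "ServiceName": "VendorAgent", "ImagePath": "C:\\Program Files\\Vendor\\agent.exe", "ServiceType": "user mode service", "StartType": "auto start"}
"""

# Assumed watchlist: accounts for which NTLM network logons are not expected.
PRIVILEGED = {"da-admin", "administrator"}

# Locations and images a legitimately installed service binary rarely uses.
SUSPICIOUS_PATH = ("\\temp\\", "\\users\\public\\", "\\appdata\\", "cmd.exe", "powershell", "rundll32")


def rule_ntlm_logon(ev: dict):
    """4624 / logon type 3 over NTLM for a privileged account. Classic
    pass-the-hash authenticates over NTLM, so this is the trace it leaves
    on the target; machine accounts (name ending in $) are ignored here."""
    if (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and str(ev.get("TargetUserName", "")).lower() in PRIVILEGED):
        return f"NTLM network logon for privileged account {ev['TargetUserName']} from {ev.get('IpAddress')}"
    return None


def rule_rc4_tgs(ev: dict):
    """4769 with RC4-HMAC (0x17) for a user-account SPN. Kerberoasting tools ask
    for RC4 tickets because they crack far faster than AES ones; krbtgt and
    computer accounts are excluded to cut noise."""
    svc = str(ev.get("ServiceName", ""))
    if (ev.get("EventID") == 4769 and ev.get("Status") == "0x0"
            and str(ev.get("TicketEncryptionType", "")).lower() == "0x17"
            and svc.lower() != "krbtgt" and not svc.endswith("$")):
        return f"RC4 service ticket for {svc} requested by {ev.get('TargetUserName')}"
    return None


def rule_service_install(ev: dict):
    """7045 (System log) whose image lives in a temp or user-writable path or is
    a LOLBin: typical of PsExec-style lateral movement and service persistence."""
    path = str(ev.get("ImagePath", "")).lower()
    if ev.get("EventID") == 7045 and any(marker in path for marker in SUSPICIOUS_PATH):
        return f"service {ev.get('ServiceName')} installed from {ev.get('ImagePath')}"
    return None


RULES = (rule_ntlm_logon, rule_rc4_tgs, rule_service_install)


def triage(log_text: str) -> list:
    """Run every rule over every event; return (EventID, rule name, detail) tuples."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append((ev["EventID"], rule.__name__, detail))
    return alerts


if __name__ == "__main__":
    for event_id, rule_name, detail in triage(SAMPLE_LOG):
        print(f"[{event_id}] {rule_name}: {detail}")
```

Note what the sample deliberately does not fire on: the Kerberos logon, the machine-account NTLM logon, the AES ticket, the krbtgt ticket and the vendor service. Those are the exclusions that keep each rule usable at scale, and the 4625 line is left for a separate brute-force rule rather than folded into the NTLM one.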

Key Tools and Techniques Summary

Category               Offensive Tools                    Defensive Controls
---------------------  ---------------------------------  -------------------------------
Pivoting               SSH, Chisel, Ligolo-ng             Network segmentation, IDS/IPS
Lateral Movement       PtH, PtT, Kerberoasting            Credential Guard, LAPS, PAM
Persistence            Cron, scheduled tasks, services    EDR, integrity monitoring
Credential Harvesting  Mimikatz, secretsdump, DPAPI       Credential Guard, MFA, PAW
Exfiltration           DNS tunneling, HTTPS, cloud        DLP, DNS monitoring, CASB