Let’s assume we successfully exploited the target system during the Exploitation stage. As with the Exploitation stage, we must again consider whether or not to utilize Evasive Testing in the Post-Exploitation stage. We are already on the system in the post-exploitation phase, making it much more difficult to avoid an alert. The Post-Exploitation stage aims to obtain sensitive and security-relevant information from a local perspective and business-relevant information that, in most cases, requires higher privileges than a standard user. This stage includes the following components:
| Evasive Testing | Information Gathering |
|---|---|
| Pillaging | Vulnerability Assessment |
| Privilege Escalation | Persistence |
| Data Exfiltration | |
Evasive Testing
-> Evasive testing focuses on avoiding detection while simulating real attackers. Skilled admins or security tools may flag even simple commands, leading to lost access, quarantined hosts, or disabled accounts. While this might seem like a failed test, it is still valuable: it shows that the defenses are working and helps us highlight the blind spots where activity went unnoticed. We can also learn from mistakes such as using untested payloads or obvious commands that trigger EDR alerts. Testing can be Evasive (stealth-focused), Non-Evasive (intrusive, full attack simulation), or Hybrid-Evasive (a mix, often targeting specific systems). Using all three approaches gives clients the best picture of both detection effectiveness and hidden weaknesses.
Pillaging
Pillaging is the stage where we examine the role of the host in the corporate network. We analyze the network configurations, including but not limited to:
| Interfaces | Routing | DNS |
|---|---|---|
| ARP | Services | VPN |
| IP Subnets | Shares | Network Traffic |
-> By analyzing a system's role, connections, and policies, we can uncover the network structure, weak configurations, and opportunities for credential reuse or persistence. In the pillaging stage, we also search for sensitive data to show the impact of the exploitation and, if needed, gather inputs for further actions such as lateral movement.
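As an added example (not part of the original notes), the script below turns the interface and routing items from the list above into a structured statement of a host's network role. It parses constructed sample output in the format of `ip -4 -o addr show` and `ip -4 route` (embedded inline, so it runs offline), and reports whether the host is multi-homed, which subnets it sits on, and which further subnets and gateways its routing table exposes; a defender can run the same analysis over collected host inventories to find hosts that bridge network segments.

```python
import ipaddress
import re

# Constructed sample output of `ip -4 -o addr show` on a dual-homed host.
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0  inet 10.10.14.5/24 brd 10.10.14.255 scope global eth0
3: eth1  inet 172.16.8.20/24 brd 172.16.8.255 scope global eth1
"""

# Constructed sample output of `ip -4 route` on the same host.
SAMPLE_ROUTES = """\
default via 10.10.14.1 dev eth0
10.10.14.0/24 dev eth0 proto kernel scope link src 10.10.14.5
172.16.8.0/24 dev eth1 proto kernel scope link src 172.16.8.20
192.168.50.0/24 via 172.16.8.1 dev eth1
"""


def parse_addrs(text):
    """Map interface name -> IPv4Interface, skipping loopback."""
    addrs = {}
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m and m.group(1) != "lo":
            addrs[m.group(1)] = ipaddress.ip_interface(m.group(2))
    return addrs


def parse_routes(text):
    """Return (destination network, next hop or None, interface) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        via = parts[parts.index("via") + 1] if "via" in parts else None
        routes.append((ipaddress.ip_network(dest), via, parts[parts.index("dev") + 1]))
    return routes


def host_role(addr_text, route_text):
    """Summarise which segments the host sits on and which it can reach."""
    local = {str(a.network) for a in parse_addrs(addr_text).values()}
    routes = parse_routes(route_text)
    return {
        # More than one directly connected subnet: the host bridges segments.
        "multi_homed": len(local) > 1,
        "local_subnets": sorted(local),
        # Non-default routes through a next hop reveal further subnets.
        "routed_subnets": sorted(str(d) for d, via, _ in routes if via and d.prefixlen),
        "gateways": sorted({via for _, via, _ in routes if via}),
    }
```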
Data Exfiltration
| Type of Information | Security Regulation |
|---|---|
| Credit Card Account Information | Payment Card Industry (PCI) |
| Electronic Patient Health Information | Health Insurance Portability and Accountability Act (HIPAA) |
| Consumers' Private Banking Information | Gramm-Leach-Bliley Act (GLBA) |
| Government Information | Federal Information Security Management Act of 2002 (FISMA) |