Post-Exploitation

Post-Ex Tools

Keep your tools off the target host as much as possible

  • Mimikatz logonpasswords

    • Dump LSASS manually

    • Exfiltrate the dump without touching disk and run mimikatz locally

  • Network tools, e.g. impacket, responder

    • Run through the C2's SOCKS proxy

  • Avoid post-ex tooling to disk

    • Run in memory - BOF or execute-assembly
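From the defender's side, the LSASS dump in the first bullet is exactly what Sysmon Event ID 10 (ProcessAccess) is deployed to catch. The following is an added detection example, not part of these notes: it flags handle opens on lsass.exe whose GrantedAccess includes PROCESS_VM_READ from a source image outside an allow-list. The flattened `Key=Value|Key=Value` record format, the `ALLOWED_SOURCES` set and the function names `parse_event`, `classify` and `find_dump_attempts` are all assumptions for this example.

```python
"""Added detection example (not from the original notes). Input records are a
constructed, flattened Key=Value|Key=Value form of Sysmon Event ID 10, not XML."""
from typing import Dict, List, Optional

PROCESS_VM_READ = 0x0010  # Windows access right any LSASS memory dumper must hold
# Assumed allow-list (tune per estate); full lower-case paths so a same-named binary elsewhere still alerts.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict; values may contain spaces and backslashes."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert reason if the record looks like an LSASS dump attempt, else None."""
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    # QUERY_*-only opens (e.g. 0x1000, 0x1400) are routine noise; a dump needs VM_READ.
    if not granted & PROCESS_VM_READ:
        return None
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return None
    return f"{source} opened lsass.exe with GrantedAccess=0x{granted:x} (PROCESS_VM_READ set)"

def find_dump_attempts(lines: List[str]) -> List[str]:
    """Run classify over raw record lines and keep only the alerts."""
    return [r for r in (classify(parse_event(l)) for l in lines if l.strip()) if r]

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    r"EventID=10|SourceImage=C:\Windows\System32\wininit.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1fffff",
    r"EventID=10|SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Windows\System32\svchost.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1000",
    r"EventID=10|SourceImage=C:\Users\Public\update.exe|TargetImage=C:\Windows\System32\lsass.exe|GrantedAccess=0x1010",
    r"EventID=10|SourceImage=C:\Windows\System32\taskmgr.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1410",
]

if __name__ == "__main__":
    for hit in find_dump_attempts(SAMPLE_LOG):
        print("ALERT:", hit)
```

Only the unknown binary under `C:\Users\Public` trips the rule; the allow-listed and query-only opens are dropped, which is the noise you have to filter before this event is usable for alerting.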

Avoid PowerShell-based tools

  • C# alternatives can be executed in memory

  • Unmanaged PowerShell if you absolutely have to, but it's still not considered OPSEC safe
