Post-Exploitation

Post-Ex Tools

Keep your tools off the target host as much as possible

  • Mimikatz logonpasswords

    • Dump LSASS manually

    • Exfiltrate the dump without touching disk and run mimikatz locally

  • Network tools e .g. impacket, responder

    • Run through the C2's SOCKS proxy

  • Avoid post-ex tooling to disk

    • Run in memory - BOF or execute-assembly

Avoid powershell based tools

  • C# alternatives can be executed in memory

  • Unmanaged powershell if you absolutely have to, but it's still not considered OPSEC safe

PreviousLateral MovementNextExfiltration

Last updated