Post-Exploitation Techniques


Questions and Answers

Which Windows resource combines CMD functionality with a scripting/cmdlet instruction set for system administration?

  • PowerShell (correct)
  • Wsc2
  • Socat
  • Twittor

An attacker opens a listener on a compromised system, aiming to connect, execute commands, and manipulate the victim. What is this activity called?

  • Reverse shell
  • Bind shell (correct)
  • Vertical privilege escalation
  • Horizontal privilege escalation

Which lightweight tool is designed for creating bind and reverse shells from a compromised host?

  • BloodHound
  • Netcat (correct)
  • WMImplant
  • WSC2

A cybersecurity student wants to use Netcat to check which ports are open on a system. Which Netcat command should they use?

nc -z <IP address> <port range> (B)

Which Meterpreter command executes a list of Meterpreter commands from a text file to automate actions on a victim system?

resource (D)

Which two of the following resources are commonly used as C2 (Command and Control) utilities?

Empire (D), Socat (E)

What type of communication channel is generally created by a C2 server with a compromised system?

Command channel (C)

Which living-off-the-land technique allows for directory listings, file manipulation, process listing, and administrative task execution?

PowerShell (D)

Which open-source framework is designed for rapid deployment of post-exploitation modules, including keyloggers and reverse shells, while providing adaptable communication for evading detection?

Empire (C)

Which tool is a single-page JavaScript web application used for discovering complex attack paths within Microsoft Azure environments?

BloodHound (D)

Which utility is often used to automate administrative tasks on remote computers but can also be used by malware for malicious actions on compromised systems?

PowerShell (D)

Which Sysinternals tool is used by penetration testers to modify Windows registry values?

PsExec (C)

Which combination includes three tools often categorized as 'living-off-the-land' post-exploitation techniques?

Socat, WMImplant, WinRM (B)

An attacker uses the Windows command Enable-PSRemoting -SkipNetworkProfileCheck -Force. Which tool is being enabled?

WinRM (C)

What type of malicious activity occurs when a lower-privileged user gains access to functions reserved for higher-privileged accounts?

Vertical privilege escalation (A)

Flashcards

PowerShell

A Windows utility combining CMD functionality with a new scripting/cmdlet instruction set for system administration.

Bind Shell

An attacker opens a port or listener on a compromised system, awaiting an incoming connection to execute commands and manipulate the victim.

Netcat

A lightweight, portable tool for creating bind and reverse shells from a compromised host.

nc -nv <IP address> <Port>

This command connects to a specified TCP port using Netcat.

resource

This Meterpreter command executes Meterpreter commands listed in a text file, accelerating actions on the victim system.

Socat and Empire

Two C2 utilities that are used for command and control.

Covert Channel

A covert transmission path created by a C2 to communicate with compromised systems.

PowerShell

A technique that uses legitimate system tools to perform actions such as directory listings or file manipulation.

Empire

An open-source framework for deploying post-exploitation modules.

BloodHound

A single-page JavaScript web application used to find attack paths in Microsoft Azure environments.

WMI

A legitimate utility that can be used to automate administrative tasks on remote computers.

PsExec

Sysinternals tool used to modify Windows registry values and connect a compromised system to another system.

Privilege Escalation

The attacker gains unauthorized functions available only to higher-privileged users.

Steganography

A technique involving hiding data within other, non-suspicious files.

VLANS

A procedure to protect the network against lateral movement.

Study Notes

Performing Post-Exploitation Techniques

  • PowerShell combines old CMD functionality with a new scripting/cmdlet instruction set for system administration.
  • An attacker opening a port or listener on a compromised system to connect, execute commands, and manipulate the victim is performing a reverse shell attack.
  • Netcat is a lightweight, portable tool that allows the creation of bind and reverse shells from a compromised host.
  • The Netcat command nc -nv <IP address> <Port> is used to connect to a TCP port.
  • The Meterpreter command used to execute Meterpreter commands from a text file is resource.
  • C2 utilities include Socat and Empire.
  • A C2 with a compromised system creates a covert channel.
  • PowerShell enables directory listings, file copying, process listing, and administrative tasks.
  • Empire is an open-source framework for rapidly deploying post-exploitation modules. It includes keyloggers, bind/reverse shells, and adaptable communication.
  • Empire is a single-page JavaScript web application for finding attack paths in Microsoft Azure.
  • WMI can write scripts/applications to automate tasks on remote computers and is used by malware.
  • PsExec, a Sysinternals tool, is used to modify Windows registry values and connect a compromised system to another.
  • PowerSploit, Socat, and WinRM are living-off-the-land post-exploitation techniques.
  • The Enable-PSRemoting -SkipNetworkProfileCheck -Force command enables WinRM.
  • A lower-privileged user accessing functions reserved for higher-privileged users is performing vertical privilege escalation.
  • The steghide tool obscures, evades, and covers attacker tracks.
  • NIST SP 800-88 guides media sanitization after a penetration testing engagement.
  • VLANs should be deployed to protect the network against lateral movement.
  • Remote Desktop gives a full, interactive GUI of the remote compromised computer.
  • An attacking system with a listener and a victim initiating a connection describes a reverse shell.
  • To use Netcat as a port scanner, the command nc -z <IP address> <port range> is used.
  • TrevorC2 and DNSCat2 are Python-based C2 utilities.
  • WMImplant is a PowerShell-based C2 tool using WMI.
  • After the exploitation phase, additional enumeration of users, groups, forests, sensitive data, and unencrypted files maintains persistence.
  • The pwd and cat commands are the same in Meterpreter and Linux/Unix-based systems.
