Post-Compromise Activities

Domain data pillaging targets intellectual property and sensitive information across network shares. Automated tools spider accessible shares identifying interesting files through keywords and patterns. PowerView's Invoke-ShareFinder and Invoke-FileFinder accelerate discovery. Focus on executive shares, IT directories, and backup locations for maximum impact.
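The share sweeps described above leave a recognisable footprint in file-share audit logs: one account touching many distinct shares within seconds, and file names that match the same keywords a crawler hunts for. The following detection logic is an added example, not code from the original page or from PowerView. Its input records are constructed to resemble the fields of Windows Security event 5145 (detailed file share access); the field layout, the keyword list and the thresholds are assumptions chosen for the sample.

```python
"""Flag accounts that sweep many shares in a short window, and accessed files
whose names match keywords an automated crawler typically searches for.

Added example, not from the original page. The records below are constructed
to resemble Windows Security event 5145 fields; layout, keywords and thresholds
are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, account, source_ip, share_name, relative_target_name)
SAMPLE_EVENTS = [
    # jdoe walks through six different shares in six seconds: looks like an automated crawl
    ("2024-03-01T09:00:01", "CORP\\jdoe", "10.0.0.15", "\\\\*\\Finance$", "budget.xlsx"),
    ("2024-03-01T09:00:02", "CORP\\jdoe", "10.0.0.15", "\\\\*\\HR$", "salaries.csv"),
    ("2024-03-01T09:00:03", "CORP\\jdoe", "10.0.0.15", "\\\\*\\IT$", "passwords.txt"),
    ("2024-03-01T09:00:04", "CORP\\jdoe", "10.0.0.15", "\\\\*\\Backups$", "ntds.bak"),
    ("2024-03-01T09:00:05", "CORP\\jdoe", "10.0.0.15", "\\\\*\\Exec$", "board.pptx"),
    ("2024-03-01T09:00:06", "CORP\\jdoe", "10.0.0.15", "\\\\*\\Legal$", "nda.docx"),
    # asmith opens a few files on two shares over the morning: ordinary use
    ("2024-03-01T09:05:00", "CORP\\asmith", "10.0.0.22", "\\\\*\\Finance$", "q1.xlsx"),
    ("2024-03-01T09:40:00", "CORP\\asmith", "10.0.0.22", "\\\\*\\Finance$", "q2.xlsx"),
    ("2024-03-01T10:10:00", "CORP\\asmith", "10.0.0.22", "\\\\*\\HR$", "policy.pdf"),
]

# Assumed keyword list; tune it to what your own shares actually hold.
SENSITIVE_KEYWORDS = ("password", "passwd", "ntds", "backup", "salar", "confidential")


def find_share_sweeps(events, window=timedelta(minutes=5), min_shares=5):
    """Return {account: sorted distinct shares} for every account that accessed
    at least `min_shares` distinct shares inside some `window`-long interval."""
    by_account = defaultdict(list)
    for ts, account, src, share, path in events:
        by_account[account].append((datetime.fromisoformat(ts), src, share, path))

    flagged = {}
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r[0])
        recent = []  # sliding window of this account's recent accesses
        for rec in recs:
            recent.append(rec)
            recent = [r for r in recent if rec[0] - r[0] <= window]
            shares = {r[2] for r in recent}
            if len(shares) >= min_shares:
                flagged.setdefault(account, set()).update(shares)
    return {acct: sorted(shares) for acct, shares in flagged.items()}


def sensitive_file_hits(events, keywords=SENSITIVE_KEYWORDS):
    """Return (account, share, file, matched_keywords) for every access whose
    file name contains one of the keywords, case-insensitively."""
    hits = []
    for ts, account, src, share, path in events:
        matched = [k for k in keywords if k in path.lower()]
        if matched:
            hits.append((account, share, path, matched))
    return hits


if __name__ == "__main__":
    for acct, shares in find_share_sweeps(SAMPLE_EVENTS).items():
        print(f"share sweep by {acct}: {len(shares)} shares -> {shares}")
    for account, share, path, matched in sensitive_file_hits(SAMPLE_EVENTS):
        print(f"sensitive name hit: {account} {share}\\{path} ({', '.join(matched)})")
```

Both checks are cheap enough to run over 5145 exports from a SIEM; the sweep detector is the more robust of the two, since a crawler must touch many shares by definition while keyword matches depend on naming conventions. Event 5145 is only generated when "Audit Detailed File Share" is enabled, so confirm that policy is in place on file servers before relying on it.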

Credential harvesting from domain controllers extracts all domain password hashes for offline cracking. DCSync attacks use replication protocols to retrieve hashes without touching disk. Volume Shadow Copy extraction provides offline access to NTDS.dit files. Cracked passwords enable business email compromise and further lateral movement.
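A DCSync request is a directory replication call, and domain controllers record the control-access check for it as Security event 4662 with the replication-right GUIDs in the Properties field. The detector below is an added example, not code from the original page: it parses constructed, simplified key=value log lines (real 4662 events carry these fields as XML), matches the three well-known replication control-access rights, and reports any subject that is not on an allowlist of domain controller computer accounts. The allowlist and the sample lines are assumptions made for this example.

```python
"""Detect DCSync-style replication requests in Windows Security event 4662.

Added example, not from the original page. Log lines are constructed and use a
simplified key=value layout. The three control-access-right GUIDs are the
well-known directory replication rights; the DC allowlist is an assumption.
"""
import re
from typing import Dict, List, Set

# Extended rights that a replication partner (or a DCSync attacker) must hold.
REPLICATION_RIGHTS: Dict[str, str] = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allowlist: computer accounts of the real domain controllers.
KNOWN_DC_ACCOUNTS: Set[str] = {"DC01$", "DC02$"}

# Constructed sample log lines (simplified rendering of 4662 fields).
SAMPLE_LINES: List[str] = [
    # DC02 replicating from DC01: expected traffic
    "EventID=4662|SubjectUserName=DC02$|SubjectDomainName=CORP"
    "|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
    "|AccessMask=0x100",
    # a user account requesting replication: the DCSync pattern
    "EventID=4662|SubjectUserName=jdoe|SubjectDomainName=CORP"
    "|Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
    "|AccessMask=0x100",
    # same user, unrelated property access (placeholder GUID): benign
    "EventID=4662|SubjectUserName=jdoe|SubjectDomainName=CORP"
    "|Properties={00000000-0000-0000-0000-000000000000}|AccessMask=0x10",
    # a different event id, ignored entirely
    "EventID=4624|SubjectUserName=jdoe|SubjectDomainName=CORP|LogonType=3",
]

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}")


def parse_line(line: str) -> Dict[str, str]:
    """Split a 'k=v|k=v' line into a dict (constructed layout, not real EVTX)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def replication_rights_in(properties: str) -> List[str]:
    """Names of replication rights whose GUIDs appear in the Properties field."""
    return [REPLICATION_RIGHTS[g] for g in GUID_RE.findall(properties.lower())
            if g in REPLICATION_RIGHTS]


def detect_dcsync(lines: List[str], allowed_accounts: Set[str]) -> List[Dict[str, object]]:
    """Return one alert per 4662 event where a non-allowlisted subject
    exercised a replication right."""
    allowed = {a.upper() for a in allowed_accounts}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        account = ev.get("SubjectUserName", "")
        if account.upper() in allowed:
            continue  # genuine domain controller replication
        alerts.append({
            "account": f"{ev.get('SubjectDomainName', '')}\\{account}",
            "rights": rights,
            "access_mask": ev.get("AccessMask", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_LINES, KNOWN_DC_ACCOUNTS):
        print(f"possible DCSync by {alert['account']}: {', '.join(alert['rights'])}")
```

Two caveats a practitioner should build in before deploying this rule: 4662 is only emitted when "Audit Directory Service Access" is enabled on the domain controllers, and some non-DC accounts legitimately hold replication rights (the account used by Azure AD Connect for password hash synchronisation is the usual case), so those belong on the allowlist rather than generating standing alerts.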

Persistence establishment ensures continued access despite remediation efforts. Multiple persistence methods across different systems avoid a single point of failure. Combine golden tickets, ACL modifications, and compromised service accounts. Document all persistence mechanisms for demonstration purposes while maintaining operational security.