Post-Exploitation and Lateral Movement
A foothold on one machine is rarely the goal; the attacker's real objective usually lives elsewhere, so they establish persistence, escalate privilege, harvest credentials, and move sideways to reach it. This post-exploitation phase is where a contained incident becomes a full breach — and where good segmentation, least privilege, and detection pay off most.
This topic follows the intruder from Meridian's first foothold toward the customer database, marking every place a defender can break the chain, and setting up the detection and response of Chapters 10 and 11.
Persistence and Command-and-Control
The attacker plants a way back — a service, a scheduled task, a web shell — and a command-and-control channel, often tunnelled over HTTPS to blend in with normal traffic. Egress control (Chapter 4) and endpoint detection (Chapters 7 and 10) are the counters: a foothold that cannot open an outbound channel to an arbitrary address, and whose new persistence entry trips an alert, is a foothold that does not become a breach.
Credential Harvesting
Dumping cached credentials, tokens, and hashes from the foothold — from process memory, keychains, config files — gives the keys to move laterally without any further exploit. This is why local admin rights and cached domain credentials are so dangerous: harvest one privileged credential and the next host is reachable with a legitimate login, not an attack the IDS would catch.
Privilege Escalation and Lateral Movement
The attacker escalates locally (Chapter 7), then reuses harvested credentials to hop to the next host — pass-the-hash, a reused SSH key, an over-broad service account. Segmentation and least privilege decide how far this reaches: unique local credentials and scoped accounts mean a harvested credential unlocks one host, not the network, and every lateral hop crosses a control rather than a flat, trusting path.
Living Off the Land
Attackers prefer built-in tools — PowerShell, ssh, cloud CLIs — over custom malware, because they blend into normal administrative activity and evade signature detection. A service account suddenly running PowerShell to a host it has never touched is invisible to signatures but obvious to behavioral detection, which is why the detection chapter leans on behavior over signatures for exactly this phase.
The Intruder Reaches for Meridian's Database
Trace the concrete path: a foothold on a DMZ host, a harvested service credential, a hop to the app tier, an attempt on the customer database. Now overlay the controls: segmentation blocks the direct route, least privilege makes the harvested credential nearly useless, credential hygiene stops the reuse, and behavioral detection catches the anomalous lateral movement. Any one of them breaks the chain — which is the whole argument of Chapters 3, 4, 7, and 10.
Custom malware — adaptable, but new binaries and known tooling trip signatures and EDR.
Living off the land — legitimate admin tools (PowerShell, ssh, cloud CLIs) blend into normal activity and evade signatures, caught only by behavioral anomalies. Modern intrusions lean heavily on this.
- Flat networks and reused local-admin credentials, which turn one foothold into domain-wide compromise via credential reuse.
- Broad service accounts whose credentials, once harvested, unlock far more than the compromised host needed.
- Signature-only detection that misses living-off-the-land movement using legitimate tools.
- Unrestricted egress that lets command-and-control and exfiltration flow freely, so the attacker operates unobserved.
- Treating a single foothold as a contained incident without checking for persistence and lateral movement.
- Segment aggressively and apply least privilege so a foothold reaches little and every lateral hop crosses a control.
- Kill credential reuse — unique local-admin credentials, scoped service accounts, short-lived credentials — so harvested creds do not unlock the network.
- Detect behaviorally: unusual process lineage, a service account moving laterally, new C2 egress — not just known-bad signatures.
- Control egress and monitor east-west traffic so command-and-control and lateral movement are visible.
- On any foothold, hunt for persistence and signs of lateral movement rather than assuming it is contained.
Knowledge Check
Why is credential harvesting so dangerous once an attacker has a foothold?
- It lets the attacker move to other hosts with real logins
- It immediately encrypts the compromised host
- It automatically disables the host's firewall and antivirus
- It only works if the host has no antivirus
Why do attackers favor "living off the land" with built-in tools?
- Admin tools blend in and evade signature detection
- Built-in tools are more capable than any custom malware
- It is the only way to achieve persistence
- Legitimate tools cannot be logged at all
In the intruder's path to Meridian's database, why does breaking any single link stop the breach?
- Independent controls each sever the chain
- Only encrypting the database can stop the attack
- The chain can only be broken at the very first step
- Breaking a link merely slows the attacker but never stops them
You got correct