Post-Exploitation: Privilege Escalation, Lateral Movement & Persistence
In one line: The first foothold is almost never the prize — post-exploitation is the inward journey from that beachhead: escalating to higher privileges, moving laterally to more valuable systems, and (for a red team) establishing persistence — and because every step generates signals, this phase is the real test of the defenders' ability to detect and respond.
Post-exploitation goes deeper into a target, so it's where scope discipline matters most — it's easy to follow a pivot into an out-of-bounds system. Stay in scope, prefer the least-intrusive technique that demonstrates impact, and (for persistence) document and cleanly remove anything you install. This lesson is conceptual: what attackers do after a breach, so you can detect, defend, and assess impact — not an operational toolkit.
Movies end at "I'm in!" — but for a real attacker, getting in is the beginning. You rarely land on the crown jewels directly; you land on some low-value, weakly-defended thing (a forgotten server, a regular user's account) and then have to work your way toward what you actually want. That inward journey has three classic moves. Privilege escalation: going from a limited account to an administrator on the machine you landed on (vertical) or to another user (horizontal). Lateral movement: hopping from the first compromised machine to others deeper in the network, toward the valuable systems. Persistence: installing a way to get back in even if your initial hole is patched or the machine reboots. Here's the defender's silver lining, and the whole reason red teams focus here: every one of these moves leaves traces. An attacker who's "in" still has to be quiet, and this noisy phase is exactly where good monitoring catches them. This lesson is the attacker's post-breach playbook — taught so you can see it coming.
Why the first foothold isn't the goal
Recall least privilege and blast radius: a well-designed system means the thing an attacker first compromises can reach very little. So initial access — a phished user, an exploited public-facing app, a leaked low-priv credential — typically lands the attacker somewhere unimportant. The value is elsewhere, behind more boundaries. Post-exploitation is the work of crossing those internal boundaries:
Initial foothold ──▶ escalate privilege ──▶ move laterally ──▶ reach objective
(low-value, weak)    (become admin/root)    (hop to better      (crown jewels:
                                             systems)            data, domain admin)
└──────────── often loops: each new host → recon → escalate → move ──────────┘
This is chaining at the infrastructure level, and it loops: each newly compromised host is re-conned for credentials and connections that enable the next hop.
- Privilege escalation — gaining higher rights than you started with: vertical (user → admin/root) or horizontal (one account → another's).
- Lateral movement — pivoting from one compromised system to others within the network.
- Pivoting — using a compromised host as a stepping-stone/relay to reach systems you couldn't reach directly.
- Persistence — establishing a durable way back in that survives reboots, password changes, or the original hole being patched (a backdoor, a scheduled task, an added account).
- Credential harvesting — collecting passwords, hashes, tokens, or keys from a compromised host to enable the next hop.
- Living off the land (LOTL) — using the system's own legitimate, built-in tools (admin utilities, scripting) instead of obvious malware, to blend in and evade detection.
- C2 (Command and Control) — the channel an attacker uses to control compromised hosts.
- Exfiltration — stealing data out of the target environment.
Privilege escalation: becoming more
Having landed as a limited user, the attacker tries to gain higher rights on that host. The common levers map directly to defensive failures you've met:
- Missing patches — a known local-privilege-escalation vulnerability in the OS/software lets a user become root/admin. (Defense: patch.)
- Misconfigurations — over-permissive file permissions, services running as root that a user can influence, writable scripts that privileged processes run. (Defense: least privilege, hardening.)
- Harvested credentials — passwords/keys/tokens left on the host (in files, memory, config) that belong to higher-privileged accounts. (Defense: secrets hygiene, credential isolation.)
Each escalation is a defense-in-depth layer failing — which is why defenders layer: to make escalation hard at every step.
Lateral movement: hopping toward the prize
With elevated rights and harvested credentials, the attacker moves to other systems. The dominant technique in real breaches is simply reusing harvested credentials — a password or token found on host A logs into host B. This is why a flat, internally-trusting network is so dangerous: one foothold + reused credentials = the whole estate.
- Foothold: A phished employee's laptop — low value on its own.
- Escalate: A missing patch lets the attacker gain local admin on the laptop.
- Harvest: With local admin, they extract cached credentials from memory — including a powerful service account that was used on this machine.
- Move laterally: That service account's password works on a file server (credential reuse across the flat internal network).
- Repeat: The file server yields more credentials, eventually an administrator account for the central identity system — and now the attacker controls everything.
Notice: not one step needed an exotic exploit. It was escalate → harvest → reuse → repeat, exploiting flat trust and credential sprawl. This is how the majority of serious internal breaches actually unfold — and why zero-trust (verify every access, even internal) and credential hygiene are such high-value defenses: they break the chain at the lateral-movement step.
Persistence: keeping the way in
A red team emulating a real adversary wants access that survives — a reboot, a password reset, even the original vulnerability being patched. Persistence mechanisms (a backdoor account, a scheduled task that re-establishes C2, a malicious service) provide this. It mirrors the real-world reality that sophisticated attackers (APTs) often dwell in networks for months undetected. For a pentest focused on breadth, persistence may be out of scope; for a red team testing detection, it's central — and anything installed must be documented and removed afterward.
The defender's gift: this phase is noisy
Here is the strategic point that makes post-exploitation matter to defenders. Initial access can be quiet, but the inward journey is loud — it generates signals all over:
- Privilege escalation → unusual privileged-process behavior.
- Credential harvesting → suspicious access to credential stores/memory.
- Lateral movement → a workstation suddenly authenticating to servers it never touches; logins at odd hours from odd places.
- Persistence → new accounts, new scheduled tasks, new services.
- Exfiltration → large or unusual outbound data flows.
This is precisely why a red team tests post-exploitation against the blue team: the question isn't only "can they get in?" (someone always eventually can) but "once in, do we detect them moving before they reach the objective?" A defender who assumes breach (Foundations) invests here — in detecting lateral movement and escalation — because that's the attacker's unavoidable noisy phase and the best place to catch them. Attackers counter with living off the land (using legitimate tools to blend in), which is exactly why detection must baseline normal behavior and flag anomalies, not just hunt for malware signatures.
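As an added illustration (not code from the original lesson), here is a small baseline-and-anomaly detector run over constructed authentication log lines, flagging three of the lateral-movement signals listed above: a never-before-seen host/account/destination pairing, one host fanning out to several new servers, and authentication during quiet hours. The log format, host and account names, and thresholds are assumptions made for the example.

```python
"""Baseline-then-flag detection over constructed authentication events."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from any real environment).
# Format: timestamp | source host | account | destination host | result
BASELINE_LOGS = [
    "2024-05-01T09:02:11 ws-17 alice fileserver-1 success",
    "2024-05-01T09:15:40 ws-17 alice mail-1 success",
    "2024-05-02T08:58:03 ws-17 alice fileserver-1 success",
    "2024-05-02T10:01:22 ws-17 alice mail-1 success",
    "2024-05-02T11:30:00 ws-42 bob fileserver-1 success",
]
NEW_LOGS = [
    "2024-05-03T09:04:10 ws-17 alice fileserver-1 success",
    "2024-05-03T02:13:05 ws-17 svc-backup fileserver-1 success",
    "2024-05-03T02:13:09 ws-17 svc-backup fileserver-2 success",
    "2024-05-03T02:13:14 ws-17 svc-backup dc-1 success",
]


def parse(line):
    """Split one log line into (timestamp, source, account, destination, result)."""
    ts, src, account, dst, result = line.split()
    return datetime.fromisoformat(ts), src, account, dst, result


def build_baseline(lines):
    """Collect the (source, account, destination) triples seen during normal operation."""
    return {(src, acct, dst) for _, src, acct, dst, _ in map(parse, lines)}


def detect(lines, baseline, fanout_threshold=3, quiet_hours=(0, 6)):
    """Return (line, reason) alerts for events that deviate from the baseline."""
    alerts = []
    new_targets = defaultdict(set)  # source host -> new destinations it reached
    for line in lines:
        ts, src, acct, dst, _ = parse(line)
        reasons = []
        if (src, acct, dst) not in baseline:
            reasons.append("never-before-seen host/account/destination triple")
            new_targets[src].add(dst)
            if len(new_targets[src]) >= fanout_threshold:
                reasons.append(f"{src} reached {len(new_targets[src])} new hosts")
        if quiet_hours[0] <= ts.hour < quiet_hours[1]:
            reasons.append("authentication during quiet hours")
        if reasons:
            alerts.append((line, "; ".join(reasons)))
    return alerts
```

The baseline here is a plain set of observed triples; a production detector would learn it over a longer window and weight the fan-out score by how sensitive the newly reached hosts are.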
The whole "assume breach" mindset from Foundations becomes concrete in this phase. You can't guarantee no one ever gets a foothold — so you design and monitor so that a foothold can't easily become a breach: least privilege limits escalation, network segmentation and zero trust limit lateral movement, credential hygiene limits reuse, and detection catches the noisy inward journey. Post-exploitation is the attacker's plan; those four are the defender's counter-plan.
Why it matters
- It's where impact actually happens. The foothold is trivial; the damage comes from the journey to the crown jewels. Assessing real impact (for the report) requires understanding this phase.
- It's the red-team/blue-team battleground. Detection of lateral movement and escalation is the modern defensive frontier — and red teams exist largely to test it.
- It turns Foundations into architecture. Least privilege, segmentation, zero trust, and credential hygiene all earn their keep by breaking specific post-exploitation steps — you now see exactly which step each one stops.
Common pitfalls
- Thinking the foothold is the finish. First access is usually low-value; impact comes from escalation and lateral movement. Assess and report the reachable impact, not just entry.
- Following pivots out of scope. Lateral movement makes scope creep easy — that next host may be out of bounds or another company's. Re-check scope at every hop.
- Underestimating credential reuse. The dominant lateral-movement technique is just reusing harvested credentials across a flat network. Defenders who only patch but ignore credential hygiene and segmentation miss the real risk.
- Assuming "internal" is safe. Post-exploitation thrives on internal trust. Zero trust and segmentation, not a hard perimeter, are what contain it.
- Forgetting the noise is the opportunity. Defenders who only try to keep attackers out, and don't monitor for the loud inward journey, forfeit their best detection chance.
- Leaving persistence behind. Anything installed during a red team must be documented and cleanly removed — an undocumented backdoor is a liability you created.
What's next
→ Continue to Reporting & Remediation — the phase that turns everything you found into the actual deliverable: clear findings, honest severity, reproduction steps, and remediation that gets fixes shipped.
→ Going deeper: detecting the noisy journey is the whole of Detection & Response; the architectural counters (segmentation, zero trust) are Network Security and Cloud & Identity Security.