Post-Exploitation
Post-compromise operations for Linux and Windows environments.
What It Does
Privilege escalation on Linux (SUID, capabilities, kernel exploits) and Windows (token manipulation, service misconfigurations), Active Directory attacks (Kerberos, LDAP enumeration, BloodHound integration), lateral movement (PSExec, WMI, SSH hijacking), persistence mechanisms, container escape techniques, credential harvesting from memory, files, and registries, and C2 infrastructure planning. All actions mapped to MITRE ATT&CK TTPs.
Scripts
| Script | Description |
|---|---|
| privesc_linux | Linux privilege escalation — SUID binaries, capabilities, sudo rules, kernel checks |
| privesc_windows | Windows privilege escalation — services, tokens, UAC, registry, scheduled tasks |
| ad_attacker | Active Directory attacks — Kerberoasting, AS-REP roasting, BloodHound collection |
| lateral_movement | Lateral movement — PSExec, WMI, WinRM, SSH key theft, RDP hijacking |
| persistence_finder | Persistence discovery — crontab, systemd, registry Run keys, WMI subscriptions |
| container_escape | Container escape — privileged containers, Docker socket, cap_sys_admin abuse |
| credential_harvester | Credential harvesting — memory dumps, config files, browser stores, DPAPI |
| c2_infra_planner | C2 infrastructure planning — redirectors, domain fronting, CDN masking |
| postex_report | Post-exploitation report with MITRE ATT&CK technique mapping and timelines |
When to Use
Use immediately after gaining initial access to a target host. Run privesc_linux or privesc_windows first, then escalate to ad_attacker or lateral_movement as the environment dictates.
Usage
RedTeamScript(skill="post-exploitation", script="privesc_linux", args="--session-id 42 --output privesc.json")