- Components of this phase:
  - Evasive testing, in three categories:
    - Evasive: quiet
    - Hybrid: ramp up from quiet to noisy
    - Non-evasive: noisy
  - Info gathering
    - Repeated, because the compromised host gives a new internal vantage point
    - Enumerate the local network and local services such as databases, printers, and virtualization
  - Pillaging
    - Examine the role of the host within the corporate network
    - Analyze the network configuration:
      - Interfaces
      - Routing
      - DNS
      - ARP
      - Services
      - VPN
      - IP subnets
      - Shares
      - Network traffic
      - Password and other policies
    - Hunt for sensitive data such as user names and passwords within:
      - Shares
      - Local machines
      - Scripts
      - Config files
      - Password vaults
      - Documents
      - Email
  - Persistence: maintain access
  - Vulnerability assessment: repeated from the internal perspective
  - Privilege escalation
    - Local privesc: `root` on Linux systems; the local `Administrator` account or `SYSTEM` on Windows systems
    - Remote privesc: look for credentials for externally connected systems
  - Data exfiltration
    - Check with the customer and your manager before exfiltrating any data
    - Data may be subject to various privacy regimes, so prefer proof of access (redacted samples or hashes) over copying the data itself:
      - PCI-DSS
      - HIPAA
      - GLBA
      - FERPA
      - FISMA
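The two pillaging steps above (analyze the network configuration, then hunt shares, scripts and config files for credentials) as an added shell example for a Linux foothold; it is not part of the original outline. It builds a constructed sample tree so it runs offline. The function names `collect_network_posture`, `hunt_credentials` and `build_sample_tree`, the regexes, and the sample files are all assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original outline. Pillaging helper for a Linux foothold:
# capture the host's network view, then hunt a directory tree for credential material.

# Regex for common credential-bearing lines: key=value style secrets, connection
# strings with an embedded password, private key headers, and AWS-style access key IDs.
# Assumption: this list is a starting point, tuned per engagement.
CRED_PATTERN='(passw(or)?d|secret|api[_-]?key|token)[[:space:]]*[=:][[:space:]]*[^[:space:]]+|://[^/[:space:]]+:[^@[:space:]]+@|BEGIN [A-Z ]*PRIVATE KEY|AKIA[0-9A-Z]{16}'

# Obvious placeholders that waste analyst time: "changeme", templates, unexpanded variables.
PLACEHOLDER_PATTERN='(changeme|example|xxx+|<[^>]+>|\$\{[^}]+\})'

# collect_network_posture OUT -> writes interfaces, routes, DNS, ARP, listening services
# and mounted shares to OUT. Every probe is optional so it completes on a minimal box;
# it falls back from iproute2 to the older net-tools commands where needed.
collect_network_posture() {
  local out="$1"
  {
    echo "### interfaces"; ip -brief address 2>/dev/null || ifconfig 2>/dev/null || true
    echo "### routes";     ip route 2>/dev/null || route -n 2>/dev/null || true
    echo "### dns";        cat /etc/resolv.conf 2>/dev/null || true
    echo "### arp";        ip neigh 2>/dev/null || arp -an 2>/dev/null || true
    echo "### listening";  ss -tulpn 2>/dev/null || netstat -tulpn 2>/dev/null || true
    echo "### shares";     grep -E '[[:space:]](cifs|nfs4?)[[:space:]]' /proc/mounts 2>/dev/null || true
  } > "$out"
}

# hunt_credentials DIR -> prints "file:line:text" for each candidate, placeholders dropped.
# -r recursive, -I skip binaries, -E extended regex, -i case-insensitive, -n line numbers.
hunt_credentials() {
  local dir="$1"
  grep -rIEin --exclude-dir='.git' -e "$CRED_PATTERN" "$dir" 2>/dev/null \
    | grep -Eiv "$PLACEHOLDER_PATTERN" || true
}

# build_sample_tree DIR -> constructed files standing in for a share, scripts and a config.
# The contents are made up for this example.
build_sample_tree() {
  local dir="$1"
  mkdir -p "$dir/share/finance" "$dir/scripts" "$dir/etc"
  printf 'db_host=10.0.0.5\ndb_password=Summ3r2024!\n' > "$dir/etc/app.conf"
  printf '#!/bin/sh\nmysqldump -u backup --password=changeme app > dump.sql\n' > "$dir/scripts/backup.sh"
  printf 'export API_KEY=<your key here>\nexport DB_URL=postgres://svc:Pa55w0rd@db.internal/app\n' > "$dir/scripts/env.sh"
  printf 'Q3 budget notes, nothing sensitive here\n' > "$dir/share/finance/notes.txt"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIE...' > "$dir/share/finance/id_rsa"
}

main() {
  local work
  work=$(mktemp -d)
  build_sample_tree "$work/loot"
  collect_network_posture "$work/network.txt"
  echo "== network posture written to $work/network.txt"
  echo "== credential candidates:"
  hunt_credentials "$work/loot"   # expect the real config password, the DB URL and the key header
}

main "$@"
```

On a real engagement, point `hunt_credentials` at the mounted share or home directories instead of the sample tree, and extend `PLACEHOLDER_PATTERN` with whatever template strings the target's tooling uses; anything that survives the filter still needs a human look before it is treated as a working credential.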