
post-exploit

Post-exploitation methodology mapped to MITRE ATT&CK tactics — privilege escalation, credential access, discovery, lateral movement, persistence and defense evasion across Windows/Linux/cloud. Pattern-level technique categories with D3FEND defensive counters and a detection opportunity per step.
roodlicht/accans-sec-skills · ★ 4 · DevOps & Infrastructure · score 65
Install: claude install-skill roodlicht/accans-sec-skills
# Post-Exploitation Playbook

> **RoE-only and lab discipline**: post-exploitation is by definition post-foothold, which means the attacker is already through the front door. The RoE must explicitly allow the next steps: which commands, on which systems, within which time window, what limits apply to data access, and what persistence cleanup is required. Do not run techniques on production without that agreement on file. Specific EDR-bypass recipes, ready-to-run beacons, and version-targeted privilege-escalation exploits do not live in this skill; those belong in the engagement workspace.

## When to use

Successful initial access marks the beginning, not the end, of a red-team / pentest engagement. This skill provides the structural lens for what happens after foothold: which questions you answer, which techniques map to which ATT&CK tactic, what the defensive counterpart is, and which detection opportunity you must document for `purple-ops` and `detection-engineer`.

Triggers on:

- A question like "what do we do after initial access", "which privesc techniques on Linux", "is Kerberoasting in scope", "lateral movement without Mimikatz", or "a persistence mechanism visible enough for detection tuning".
- A red-team engagement where Initial Access has been gained via `phishing-sim` or `web-exploit-triage` and you are moving to the next ATT&CK tactic.
- A purple-team exercise where you plan deliberate attack steps so the blue team can tune detection; `purple-ops` drives that planning.
- A cloud engagement w