After gaining access to a victim machine, what is a typical use of that compromised box?

Using the compromised box as a foothold to pivot laterally is what attackers typically do after gaining access. Once inside one machine, an attacker will often use that host to move to other systems, harvest credentials, and escalate access to higher-value targets. This lateral movement expands reach, allows deeper network access, and makes it possible to install additional tools or backdoors for persistence and further compromise, all while avoiding immediate detection by spreading activity across the network. Patching vulnerabilities from the compromised host, deleting evidence, or simply shutting down the machine do not align with the attacker’s goal of broad access and impact; those actions are defensive, cover-up, or disruptive rather than strategic expansion of access.