Miscellaneous evasion techniques

The level of detection avoidance that can be accomplished varies from network to network. When performing the test, keep in mind that, in this day and age, resources are usually very limited and administrators are overworked and underappreciated. Focus on bypassing the automated detection methodologies, and you are unlikely to be found by an active and eager admin unless your traffic and behavior patterns are drastically different from those of the average power user. When sniffing traffic and looking at network connections and activity, you should be able to get an idea of what is considered normal traffic on the network.

Divide and conquer

When performing scans, it may be a good idea to use multiple sources to originate the scan from. This is more likely to be possible in large networks, after a few people have clicked the links to your social engineering campaign page. Once you have several machines under your control, it is not advisable to scan from a single machine. Use the tools to break the scans into chunks and reduce the scan times. Take advantage of idle scans, especially when there are network-enabled printers available.

Hiding out (on controlled units)

If any of the systems you have control of start to be cleaned, reimaged, or otherwise remediated before the actual penetration test has been completed, slow down or, at a minimum, cease all aggressive testing until it can be determined who or what is remediating the systems. There may be a third party involved, in which case it becomes extremely important that your traffic and efforts are not confused with those of the third party, especially if that person or group turns out to be malicious in nature and is trying to ensure they do not lose control of "their" owned systems to a rival group or person. In a perfect world, this would not be the case; instead there would just be a very good security and administrative group taking care of business and eliminating threats as they occur.

File Integrity Monitoring (FIM)

One security measure that we did not discuss often in this book is the usage of FIM. Proper usage of this control can be devastating to an attacker and penetration tester alike. It is very simple for an administrator to use these tools to be notified when key files or directories have changed. Keep this in mind when running into wide open systems that are just waiting to be completely pillaged. One improper change and the administrator, and possibly the security group, will go into overdrive and start looking for the smallest anomalies on the network, which guarantees that your job just got much more difficult.

FIM can usually be avoided by sticking to non-intrusive means of post-exploitation and enumeration. Some directories and files, particularly those dealing with databases or temporary files, will not be scanned for changes due to the high rate of false positives. Ensure that any files you modify or drop are in those directories, and stay away from attempts at changing key system files (log files may be included in this!). Once again, think like an administrator, and avoid any action that could easily be scripted to alert.
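To make the FIM discussion concrete from the administrator's side, here is a minimal file integrity monitor, added as an example and not code from the book. It baselines SHA-256 hashes of every file under a root directory, compares a later snapshot against the baseline, and reports added, removed and modified paths. The exclusion list models the high-churn directories (databases, temp files) that real FIM deployments typically skip because of false positives; changes under those paths are deliberately not reported, which is exactly the blind spot described above. The directory layout, file names and contents in `demo()` are constructed for the example.

```python
"""Minimal file integrity monitor (added example; not from the book).

snapshot(): hash every regular file below a root, skipping excluded paths.
diff():     compare two snapshots and list added / removed / modified files.
demo():     constructed scenario in a temporary directory.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def _excluded(rel_path, excludes):
    """True if rel_path is one of the excluded paths or lives below one."""
    return any(rel_path == e or rel_path.startswith(e + "/") for e in excludes)


def snapshot(root, excludes=()):
    """Return {relative_posix_path: sha256_hex} for all files under root."""
    root = Path(root)
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if _excluded(rel, excludes):
                continue  # high-churn location: not monitored, so never alerts
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            result[rel] = h.hexdigest()
    return result


def diff(baseline, current):
    """Compare two snapshots; each list is sorted for stable output."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a tree, mutate it, report the delta."""
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        (root / "etc").mkdir()
        (root / "tmp").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "tmp" / "scratch").write_text("noise\n")

        excludes = ("tmp",)  # constructed exclusion: temp files churn too much
        baseline = snapshot(root, excludes)

        # Changes an administrator would want to hear about:
        (root / "etc" / "passwd").write_text("root:x:0:0\nnewuser:x:1001:1001\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "nightly").write_text("0 2 * * * backup\n")
        # A change in the excluded directory: silently ignored by this monitor.
        (root / "tmp" / "scratch").write_text("changed but excluded\n")

        return diff(baseline, snapshot(root, excludes))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running the file prints one line per change category; `tmp/scratch` never appears even though it changed, which is why the exclusion list of a production FIM deserves as much review as the list of paths it watches.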

Using common network management tools to do the deed

Last but not least, use the tools at hand to perform enumeration and further exploitation. If the targeted system has a compiler installed, use it to compile your own network scanner instead of going to some random website from the machine and downloading one. Windows machines, in particular, have a broad range of Net commands and shell commands that make many enumeration and pillaging tasks a breeze. Use these tools to their fullest extent when performing testing, and you will probably not be detected by the administrators. With the addition of PowerShell, we now have an even more powerful tool, and one that runs at system-level privileges!
