In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is, imagine a scenario, where the person have deployed a malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.).