The modern intrusion life cycle.
[0] External Victim Scouting: Collect basic information about victim, external facing infrastructure, email accounts, public profiles.
[0] External Victim Scouting: Collect basic information about victim, external facing infrastructure, email accounts, public profiles.
[1] Initial Exploit/Actor Foothold: Wide pendulum swing, from zero-day and unpatched CVE exploits to phishing for credentials, to obtaining credentials for matching domain accounts to supply chain attacks, etc. Regardless of the chosen Initial Intrusion Vector (IIV)...
the goal remains the same; to gain a foothold within the victim network.
[2] Internal Victim Scouting: The "where am I moment" for the threat actor - scanning for IPs, hostnames, mapping Active Directory object relationships, etc. Sometimes limited based upon initially...
[2] Internal Victim Scouting: The "where am I moment" for the threat actor - scanning for IPs, hostnames, mapping Active Directory object relationships, etc. Sometimes limited based upon initially...
intruded upon host or domain account role/permissions.
[3] Toolkit Deployment/Beachhead Establishment: Implanting persistence, backdoors, alternate network access methods and enabling communications with command and control (C2) servers that allow threat actor(s) to install...
[3] Toolkit Deployment/Beachhead Establishment: Implanting persistence, backdoors, alternate network access methods and enabling communications with command and control (C2) servers that allow threat actor(s) to install...
malicious tools, push/pull commands, increase reach within network, and monitor endpoints. Increase difficulty of meaningful actor ejection.
[4] Escalation: Escalation of privileges with credential compromising and/or exploitation of services to increase reach within victim..
[4] Escalation: Escalation of privileges with credential compromising and/or exploitation of services to increase reach within victim..
environment.
[5] Lateral Movement/Recon: If necessary, circular repeats of [2] - [5] as necessary, but continued exploitation of trust relationships between machines and networks to expand attacks to other target computers or networks.
[5] Lateral Movement/Recon: If necessary, circular repeats of [2] - [5] as necessary, but continued exploitation of trust relationships between machines and networks to expand attacks to other target computers or networks.
[6a] Execution of Mission: Collecting, staging, exfiltrating and/or destroying data (i.e., data recovery frustration tactics.)
[6b] Execution of Mission: Ransomware detonation
//#Intrusion Lifecycle repeats in another victim network :(
[6b] Execution of Mission: Ransomware detonation
//#Intrusion Lifecycle repeats in another victim network :(
• • •
Missing some Tweet in this thread? You can try to
force a refresh
