An APT

An Advanced Persistent Threat (APT) refers to a stealthy threat actor gaining unauthorized access to networks to mine sensitive data. The document outlines eight steps typically undertaken by APTs, including reconnaissance, initial compromise, establishing a foothold, privilege escalation, internal reconnaissance, lateral movement, maintaining presence, and completing their mission through data exfiltration. Each step involves various techniques aimed at evading detection and ensuring continued access to the compromised systems.

Uploaded by

AGBOOLA OLADIPO

An APT (Advanced Persistent Threat) is a broad term typically used to describe a stealthy,
well-resourced threat actor that has gained unauthorized access to a network and intends to
stay there. The motivation is to collect highly sensitive data or intellectual property, which
the actor can exploit directly or ultimately sell or monetise. These are the steps such a threat
actor would typically undertake:

Step #1: Initial Reconnaissance

The first step of a targeted attack/APT is some form of reconnaissance, in which research is
done and information is gathered about the targeted organization, with the objective of getting
past the organization's border security and gaining a foothold inside the internal network.
Information about an organization's network ranges, IP addresses, domain names and employees
(names, roles, e-mail address format) can be gathered from public sources. Vulnerability scans
can then be run against the externally exposed assets to identify known vulnerabilities that can
be exploited in the next step.

Step #2: Initial Compromise

The second step uses one of several entry vectors to gain the initial foothold within the
network. A typical technique is a targeted (spear) phishing campaign: the attacker phishes the
target organization's employees into opening a malicious attachment or clicking a crafted URL in
an e-mail, in the hope of delivering a payload by exploiting a vulnerability in a common browser
or application such as Microsoft Office (usually a known but unpatched flaw; a true zero-day is
the exception rather than the rule), or simply by persuading the user to run the attachment.
Other common entry vectors include exploiting vulnerabilities on public-facing web servers and
databases.

Step #3: Establish Foothold

Once the threat actor has gained a foothold through the initial compromise, the next step is to
execute malicious code on the compromised server or endpoint that gives them full control of the
machine.

The threat actor will then attempt to establish persistence. Persistence is the ability to
maintain control of and access to the compromised system across system restarts, changed
credentials and other interruptions that could otherwise cut off access. Typically it is
accomplished by replacing or hijacking legitimate code or by adding startup code: autostart
registry entries (the Run/RunOnce keys), scheduled tasks, services or cron jobs, or a DLL or
binary placed where the system loads it at boot.
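
As an added example (written for this page, not code from the original document), the
following Python script audits the Windows autostart mechanism just described. It parses the
text that `reg export` produces for the HKCU Run and RunOnce keys and flags entries whose
program sits in a user-writable directory, whose first token is a script host or proxy-execution
binary, or that carry an encoded PowerShell command line. The registry text is constructed
sample data, and the binary list, path patterns and flags are this example's own heuristics.

```python
import re

# Constructed sample: the text that `reg export` produces for a user's Run
# keys. Illustrative data only, not taken from any real host.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\svc\\update.exe"
"Helper"="powershell.exe -w hidden -enc SQBFAFgA"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"="\"C:\\Program Files\\Vendor\\setup.exe\" /finish"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "Name"="Value" where both strings may contain \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Script hosts and proxy-execution binaries that legitimate autostart
# entries rarely launch directly (heuristic list chosen for this example).
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
USER_WRITABLE_RE = re.compile(r'\\(AppData|Temp|Downloads|Public)\\', re.I)
ENCODED_RE = re.compile(r'(^|\s)-(enc|encodedcommand|e)\s', re.I)


def unescape_reg(s):
    # Undo .reg string escaping: a backslash followed by any character
    # stands for that character (so \\ -> \ and \" -> ").
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Yield (key, value_name, command) for each string value under each key."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, unescape_reg(m.group(1)), unescape_reg(m.group(2))


def executable_name(command):
    """Lower-cased file name of the program a command line launches."""
    if command.startswith('"'):
        end = command.find('"', 1)
        token = command[1:end] if end != -1 else command[1:]
    else:
        parts = command.split()
        token = parts[0] if parts else ""
    return token.rsplit("\\", 1)[-1].lower()


def audit_run_keys(text):
    """Return [(key, name, command, reasons)] for entries worth a second look."""
    findings = []
    for key, name, command in parse_reg_export(text):
        reasons = []
        if USER_WRITABLE_RE.search(command):
            reasons.append("program lives in a user-writable directory")
        if executable_name(command) in LOLBINS:
            reasons.append("autostart launches a script host or proxy binary")
        if ENCODED_RE.search(command):
            reasons.append("encoded PowerShell command line")
        if reasons:
            findings.append((key, name, command, reasons))
    return findings


if __name__ == "__main__":
    for key, name, command, reasons in audit_run_keys(SAMPLE_REG_EXPORT):
        print(f"{key}\\{name}\n  {command}\n  -> {'; '.join(reasons)}")
```

On a real host, feed it the file written by `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (note that `reg export` writes UTF-16, so open the file with `encoding="utf-16"`), and run the same audit over the HKLM Run keys, services and scheduled tasks, since the Run keys are only one of the autostart locations listed above.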

Step #4: Escalate Privileges

Once the threat actor has full access to the compromised node, they will seek greater access to
systems and data through the use of privileged accounts.

The threat actor will first attempt to harvest credentials from the compromised host, using the
class of techniques that MITRE ATT&CK groups under the Credential Access tactic. Examples are
dumping password hashes from memory or the registry, keystroke logging and several others.

With privileged credentials in hand, the threat actor applies privilege escalation techniques on
targeted systems and key high-value targets. Examples of elevated access include SYSTEM/root
accounts, domain administrators, user accounts with admin-like rights and service accounts.
Because the APT is now using legitimate credentials, this activity is much harder to tell apart
from normal administration.

Step #5: Internal Recon

The threat actor then performs additional reconnaissance, this time on the internal network.
Techniques such as file and directory discovery, network share discovery, cloud service
discovery, port scanning and network traffic analysis are used to identify high-value targets
that hold other data of interest.

This internal discovery gives the threat actor an orientation in the environment they have
landed in: which hosts, services and accounts exist around the initial entry point and how they
relate. With that orientation established, the threat actor explores the services and assets
around the entry point that serve their primary objective.

Step #6: Lateral Movement

Lateral Movement covers the techniques that allow the threat actor to enter and control
additional systems on the internal network. To accomplish their primary objective, the threat
actor usually has to traverse several network segments to locate high-value targets before
gaining access to the sensitive data. Part of the process involves pivoting through multiple
systems and taking over different accounts along the way.

The pace of Lateral Movement depends entirely on the APT's ability to remain undetected in the
environment. If the threat actor believes they can operate without being noticed, they may stay
in a slow, stealthy mode for some time. If they believe they are at risk of being detected, they
will move laterally much sooner, trading stealth for speed.

Examples of Lateral Movement techniques are Windows admin shares (ADMIN$, C$), remote execution
tools such as PsExec, remote desktop services such as RDP, DCOM for remote code execution, stolen
web session cookies, exploitation of remote services such as SMB, and many others.
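
Most of the techniques listed above (admin shares, PsExec, RDP) leave a network logon (type 3)
or RDP logon (type 10) in Windows Security event 4624 on the target, and that logon succeeds
with legitimate credentials, so the signal is not a failure but a fan-out: one account from one
source address reaching many distinct hosts in a short window. As an added example (written for
this page, not the document's own code), the following Python script runs that check over a
constructed CSV extract of 4624 events; the hosts, accounts, addresses and the window and
threshold values are all assumptions of the example.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: fields extracted from Windows Security event 4624
# (successful logon) on several hosts and normalised to CSV. Logon type 3 is
# a network logon (SMB, admin shares, PsExec), type 10 is RDP, type 2 is a
# console logon. Illustrative data only, not from any real environment.
SAMPLE_EVENTS = r"""timestamp,target_host,logon_type,account,source_ip
2024-03-04T09:00:12,FS01,3,CORP\alice,10.0.5.23
2024-03-04T09:00:45,WS-104,3,CORP\bob,10.0.5.41
2024-03-04T09:01:30,DC01,3,CORP\alice,10.0.5.23
2024-03-04T09:02:15,SQL01,3,CORP\alice,10.0.5.23
2024-03-04T09:03:05,WS-110,10,CORP\alice,10.0.5.23
2024-03-04T09:03:50,WS-111,3,CORP\alice,10.0.5.23
2024-03-04T09:04:00,FS01,3,CORP\bob,10.0.5.41
2024-03-04T09:05:00,WS-104,3,CORP\svc_backup,10.0.9.10
2024-03-04T09:05:01,WS-105,3,CORP\svc_backup,10.0.9.10
2024-03-04T09:05:02,WS-106,3,CORP\svc_backup,10.0.9.10
2024-03-04T09:05:03,WS-107,3,CORP\svc_backup,10.0.9.10
2024-03-04T09:30:00,WS-104,2,CORP\carol,-
"""

REMOTE_LOGON_TYPES = {"3", "10"}


def detect_fan_out(csv_text, window=timedelta(minutes=10), min_targets=4,
                   allowed_accounts=frozenset()):
    """Flag (account, source_ip) pairs that reach min_targets distinct hosts
    with remote logons inside one window. Returns a list of
    (account, source_ip, window_start, sorted_targets)."""
    by_source = defaultdict(list)
    for row in csv.DictReader(StringIO(csv_text)):
        if row["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        if row["account"] in allowed_accounts:
            continue  # e.g. a backup service account that legitimately fans out
        by_source[(row["account"], row["source_ip"])].append(
            (datetime.fromisoformat(row["timestamp"]), row["target_host"]))

    alerts = []
    for (account, src), events in by_source.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct targets reached within `window` of this event.
            targets = sorted({h for t, h in events[i:] if t - t0 <= window})
            if len(targets) >= min_targets:
                alerts.append((account, src, t0, targets))
                break  # one alert per (account, source) is enough
    return alerts


if __name__ == "__main__":
    for account, src, start, targets in detect_fan_out(
            SAMPLE_EVENTS, allowed_accounts={r"CORP\svc_backup"}):
        print(f"{account} from {src} at {start}: {len(targets)} hosts {targets}")
```

The allowlist is the caveat a practitioner will hit first: backup, monitoring and patching
accounts fan out every night by design, so the rule has to carry an explicit list of them (or a
baseline of each account's usual target count) or it will page on the first scheduled job.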

Step #7: Maintain Presence

The APT ensures continued access to the environment by installing several different backdoors or
remote administration tools, so that discovering and removing one of them does not end the
intrusion.

These remote administration tools are typically installed on the compromised node(s) and set up
in reverse-connect mode: the implant initiates a session out to the central command & control
(C&C) server and pulls commands to execute. This direction of connection is chosen to evade
perimeter firewalls, which generally allow outbound connections; the compromised node reaches out
to the C&C server and looks like any other client traffic destined for the Internet, typically
over HTTPS on port 443. Unlike botnet traffic, which is volumetric, APT C&C communication is low
and slow and blends in with normal traffic; it is hard to detect without continuous network
monitoring and analytics that look at timing (beaconing), destination rarity and session
metadata rather than at volume.

Techniques used for defense evasion include uninstalling or disabling security software,
obfuscating and encrypting payloads and data, and deleting or modifying audit logs and command
history.

Step #8: Complete Mission

To complete the mission, sensitive data first has to be collected from the remote systems, ahead
of exfiltration.

Common sources include network shared drives, mailboxes, cloud object storage and the like.
Collection may be automated with scripts that search for and copy information based on criteria
such as file type, location or name, running at set intervals.

Once the data has been collected, the threat actor stages it: it is packaged or split into
chunks, then compressed and encrypted to hinder inspection. Techniques for moving the data out of
the target network typically include transferring it over the existing command and control
channel or over an alternate channel, and may impose size limits on each transmission so that it
passes as normal traffic.

Even after the initial breach has been completed, the threat actor will often leave the backdoor
in place for future rounds of data exfiltration.
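
Two of the behaviours described above leave a statistical trace in ordinary outbound connection
logs even when the payload is encrypted: the reverse-connect C&C channel of Step #7 calls home on
a timer, and the size-limited chunking of Step #8 produces a run of transfers of almost the same
size. As an added example serving both steps (written for this page, not the document's own
code), the following Python script runs a beacon check (inter-connection gaps with a low
coefficient of variation) and a chunked-upload check (large total volume in many near-identical
pieces) over constructed outbound-allow log lines. The line format, the addresses and all the
thresholds are this example's own assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound-allow records in a simple firewall/proxy
# style; the line format and every address are invented for this example.
# 10.0.5.23 -> 203.0.113.10 connects about once a minute (a beacon),
# 10.0.5.41 -> 198.51.100.7 is ordinary browsing, and 10.0.5.23 -> 192.0.2.77
# pushes out eight ~5 MB pieces during the night (chunked exfiltration).
SAMPLE_LOG = """\
2024-03-04T09:00:00 ALLOW 10.0.5.23 -> 203.0.113.10:443 out=612
2024-03-04T09:00:05 ALLOW 10.0.5.41 -> 198.51.100.7:443 out=14520
2024-03-04T09:00:09 ALLOW 10.0.5.41 -> 198.51.100.7:443 out=2048
2024-03-04T09:01:01 ALLOW 10.0.5.23 -> 203.0.113.10:443 out=598
2024-03-04T09:01:59 ALLOW 10.0.5.23 -> 203.0.113.10:443 out=605
2024-03-04T09:03:02 ALLOW 10.0.5.23 -> 203.0.113.10:443 out=611
2024-03-04T09:03:40 ALLOW 10.0.5.41 -> 198.51.100.7:443 out=90211
2024-03-04T09:04:00 ALLOW 10.0.5.23 -> 203.0.113.10:443 out=602
2024-03-04T09:04:02 ALLOW 10.0.5.41 -> 198.51.100.7:443 out=733
2024-03-04T09:05:02 ALLOW 10.0.5.23 -> 203.0.113.10:443 out=607
2024-03-04T09:05:58 ALLOW 10.0.5.23 -> 203.0.113.10:443 out=599
2024-03-04T09:07:01 ALLOW 10.0.5.23 -> 203.0.113.10:443 out=610
2024-03-04T09:08:00 ALLOW 10.0.5.23 -> 203.0.113.10:443 out=601
2024-03-04T09:08:59 ALLOW 10.0.5.23 -> 203.0.113.10:443 out=604
2024-03-04T09:10:02 ALLOW 10.0.5.23 -> 203.0.113.10:443 out=609
2024-03-04T09:11:00 ALLOW 10.0.5.23 -> 203.0.113.10:443 out=600
2024-03-04T09:12:00 ALLOW 10.0.5.41 -> 198.51.100.7:443 out=40960
2024-03-04T09:12:01 ALLOW 10.0.5.41 -> 198.51.100.7:443 out=1210
2024-03-04T09:20:33 ALLOW 10.0.5.41 -> 198.51.100.7:443 out=5120
2024-03-04T22:10:00 ALLOW 10.0.5.23 -> 192.0.2.77:443 out=5242880
2024-03-04T22:14:00 ALLOW 10.0.5.23 -> 192.0.2.77:443 out=5242880
2024-03-04T22:19:00 ALLOW 10.0.5.23 -> 192.0.2.77:443 out=5242880
2024-03-04T22:31:00 ALLOW 10.0.5.23 -> 192.0.2.77:443 out=5242880
2024-03-04T22:40:00 ALLOW 10.0.5.23 -> 192.0.2.77:443 out=5242880
2024-03-04T22:58:00 ALLOW 10.0.5.23 -> 192.0.2.77:443 out=5242880
2024-03-04T23:20:00 ALLOW 10.0.5.23 -> 192.0.2.77:443 out=5242880
2024-03-04T23:33:00 ALLOW 10.0.5.23 -> 192.0.2.77:443 out=3100000
"""

LINE_RE = re.compile(r'^(\S+) ALLOW (\S+) -> (\S+):\d+ out=(\d+)$')


def parse_flows(log_text):
    """Group (timestamp, bytes_out) by (src, dst); non-matching lines are skipped."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows[(m.group(2), m.group(3))].append(
                (datetime.fromisoformat(m.group(1)), int(m.group(4))))
    return flows


def find_beacons(log_text, min_hits=6, max_cv=0.2):
    """Pairs whose connection timing is too regular for a human: the gaps
    between consecutive connections have a coefficient of variation <= max_cv."""
    hits = []
    for (src, dst), events in parse_flows(log_text).items():
        times = sorted(t for t, _ in events)
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append((src, dst, len(times), round(mean, 1), round(cv, 3)))
    return hits


def find_chunked_uploads(log_text, min_total=20_000_000, min_uploads=4,
                         tolerance=0.10, min_uniform=0.75):
    """Pairs that send at least min_total bytes in min_uploads or more
    transfers, where at least min_uniform of the transfers lie within
    tolerance of the median size (the signature of a size-limited chunker)."""
    hits = []
    for (src, dst), events in parse_flows(log_text).items():
        sizes = [b for _, b in events]
        total = sum(sizes)
        if total < min_total or len(sizes) < min_uploads:
            continue
        median = statistics.median(sizes)
        near = sum(abs(b - median) <= tolerance * median for b in sizes)
        uniform = near / len(sizes)
        if uniform >= min_uniform:
            hits.append((src, dst, len(sizes), total, round(uniform, 2)))
    return hits


if __name__ == "__main__":
    for src, dst, n, mean, cv in find_beacons(SAMPLE_LOG):
        print(f"beacon  {src} -> {dst}: {n} hits, every {mean}s, cv={cv}")
    for src, dst, n, total, uniform in find_chunked_uploads(SAMPLE_LOG):
        print(f"chunked {src} -> {dst}: {n} uploads, {total} bytes, {uniform:.0%} uniform")
```

Both checks are deliberately simple and each has a known blind spot: an implant that sleeps for
hours or adds heavy random jitter pushes the coefficient of variation above the threshold, and
an actor who varies the chunk size defeats the uniformity test. In practice they feed a score
together with destination rarity, TLS and DNS metadata and the time of day rather than alerting
on their own, which is what the "continuous monitoring and analytics" of Step #7 amounts to.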
The full canvas of techniques available to attackers is far larger than this outline suggests.

Thank you!
