The Long Game: How APTs Infiltrate And Control Networks

Let’s dive deeper into each phase, dissect typical tactics, and understand the challenges defenders face. 

1. Reconnaissance

Adversaries spend significant time gathering intelligence before launching an attack. They study: 

• Public domain information (websites, annual reports, staff profiles) 

• Social media accounts of executives and staff 

• Infrastructure details (domains, subdomains, tech stack, vendors) 

• Known vulnerabilities in third-party suppliers or software 

This phase is often silent and indefinite. 

2. Initial Intrusion

The most common entry vectors include: 

• Spear-phishing: Highly customized emails with malicious attachments or links 

• Watering-hole attacks: Compromising websites commonly visited by targets, injecting exploit code 

• Supply chain compromise: Embedding a malicious module into third-party software or hardware updates 

• Zero-day exploit: Using an unknown vulnerability for which no patch exists 

Because initial entry may be one compromised user or system, the attacker sets up a foothold that appears benign. 

3. Establish Foothold

Once inside, the adversary deploys payloads that: 

• Create backdoors or remote access tools 

• Use rootkits or kernel modules to remain hidden 

• Modify system settings to survive restarts 

• Install monitoring or persistence scripts (e.g. registry keys, scheduled tasks) 

At this point, defenders may detect suspicious activity — but often too late. 

4. Lateral Movement

To expand reach inside the network, attackers use: 

• Credential harvesting (keyloggers, memory scraping) 

• Pass-the-hash / pass-the-ticket techniques 

• Compromised administrative tools / remote services (RDP, WMI, remote PowerShell) 

• Abusing trust relationships (e.g. between systems, domains, partner networks) 

• Internal DNS / network pivoting 

This stage is risky for attackers because increased activity may draw detection, so they often move slowly, in phases. 

5. Privilege Escalation & Persistence

To control domain infrastructure, attackers escalate to admin or domain controller levels. Techniques include: 

• Exploiting escalation vulnerabilities in system software or OS 

• Installing stealth modules (rootkits, hidden services) 

• Hiding tools within legitimate binaries 

• Using “living off the land” tools (e.g. PowerShell, WMI, Windows built-ins) that appear normal 

Persistence means staying even if parts of their infrastructure are disabled — e.g. secondary backdoors. 

6. Command & Control (C2)

C2 channels allow attackers to issue commands, retrieve exfiltrated data, and update tools. To remain stealthy, attackers: 

• Use HTTP(S) protocols to mimic legitimate web traffic

• Use DNS tunneling, dynamic DNS 

• Employ domain fluxing or typosquatting 

• Use encrypted channels, obfuscation, or proxying via innocuous infrastructure 

This enables communications even in networks with firewalls or monitoring. 

7. Data Collection & Exfiltration

Before attackers remove data from a network, they follow a careful, multi-step process that begins with data collection and ends with covert exfiltration using:

• Data staging in hidden locations 

• Compressing and encrypting files 

• Splitting large data into smaller packets 

• Covert channels (e.g. embedding in DNS, idle HTTP requests, cloud services) to mask their activities

• Leveraging legitimate protocols or services to mask data flows 

Because exfiltration reveals the attacker’s presence, they often throttle data, or exfiltrate during low-activity. 

8. Clean-up, Dormancy, or Reinforcement

After completing their objectives, or if the risk of discovery rises, attackers often follow these steps: 

• Remove or disable logs, cleanup artifacts 

• Reinstall minimal backdoors 

• Lie dormant with minimal footprint 

• Prepare for future re-entry 

• Leave small programs that can automatically restart the attack if needed