Advanced Exfiltration (Stealth)
• Steganographic exfiltration — hide data in images
(- attackers embed stolen data inside image files)
• Protocol mimicry exfiltration — look like normal traffic
(- attackers disguise exfiltration as normal application traffic)
• Intermittent data bursts — short hidden transfers
(- attackers send data in brief bursts to avoid detection)
• Encrypted tunnel exfiltration — hidden encrypted channels
(- attackers send data through encrypted tunnels like HTTPS or VPN)
• Multi-destination exfiltration — split across locations
(- attackers send different data parts to multiple servers)
• Delayed exfiltration triggers — wait before sending data
(- attackers delay transfer until specific conditions are met)
Advanced Attack Objectives
• Silent surveillance — monitor without disruption
(- attackers observe activity without making visible changes)
• Credential harvesting campaign — collect many logins
(- attackers focus on gathering large numbers of credentials)
• Strategic data theft — steal key business data
(- attackers target sensitive intellectual or financial information)
• Infrastructure mapping campaign — prepare future attacks
(- attackers map systems for later exploitation)
• Long-term persistence goal — maintain hidden access
(- attackers prioritize staying inside the environment)
• Multi-stage intrusion planning — phased attack strategy
(- attackers plan long-term multi-step operations)
Advanced Hybrid Environment Attacks
• Cloud-to-on-prem pivot — attacker moves from cloud into internal network
(- attackers use cloud credentials to access on-prem resources)
• On-prem to cloud pivot — attacker uses local access to enter cloud
(- attackers leverage synced identities to access cloud systems)
• Identity sync abuse — attacker manipulates directory synchronization
(- attackers modify sync rules to grant privileges)
• Hybrid admin account takeover — control accounts with dual access
(- attackers compromise accounts with both cloud and local admin rights)
• Federation trust abuse — attacker abuses login trust relationships
(- attackers exploit federation trust to authenticate externally)
• Sync server compromise — attacker controls identity synchronization
(- attackers compromise the sync server to control identities)
Advanced Backup Attacks
• Backup catalog deletion — attacker removes backup index
(- attackers delete backup catalogs so systems cannot locate recovery data)
• Backup encryption before ransomware — backups made unusable
(- attackers encrypt backup files first so recovery fails after ransomware)
• Snapshot deletion — remove recovery points
(- attackers delete VM or storage snapshots before launching attacks)
• Backup credential theft — access backup systems
(- attackers steal backup admin credentials to control backup infrastructure)
• Offline backup discovery — attacker searches for offline copies
(- attackers scan networks to locate disconnected or offline backup storage)
• Backup retention manipulation — shorten retention periods
(- attackers change retention settings so old backups are automatically deleted)
Advanced Virtual Infrastructure Attacks
• Hypervisor admin compromise — control all virtual machines
(- attackers gain hypervisor admin rights to control every VM)
• VM snapshot theft — access VM disk copies
(- attackers copy snapshots to extract data from virtual disks)
• Virtual network pivoting — move between virtual networks
(- attackers use virtual switches to move across isolated VM networks)
• Template poisoning — infected VM templates
(- attackers modify VM templates so new machines are created infected)
• Host resource takeover — attacker controls host system
(- attackers compromise the virtualization host to control the VMs it hosts)
• VM escape exploitation — break out of virtual machine
(- attackers exploit vulnerabilities to access the host from inside a VM)
Advanced Monitoring Blind Spots
• Log pipeline disruption — attacker stops log forwarding
(- attackers break log pipelines so monitoring systems receive no data)
• Agent communication blocking — disable monitoring agents
(- attackers block network communication between agents and servers)
• Selective event filtering — hide suspicious activity
(- attackers modify filters to remove malicious events from logs)
• Alert threshold manipulation — avoid detection limits
(- attackers change thresholds so alerts never trigger)
• Telemetry overload — flood logs with noise
(- attackers generate excessive events to hide malicious activity)
• Audit policy modification — reduce logging coverage
(- attackers change audit policies to stop recording key events)
Advanced Administrative Tool Abuse
• Remote management tool abuse — use legitimate admin tools
(- attackers use tools like RDP or remote management to appear legitimate)
• Patch management abuse — deploy malicious updates
(- attackers push malware using patch deployment systems)
• Software deployment abuse — push malware to systems
(- attackers use software deployment platforms to distribute payloads)
• IT automation abuse — run attacker scripts
(- attackers execute malicious scripts through automation tools)
• Remote support session hijacking — take over active support sessions
(- attackers hijack remote support sessions to control systems)
• Configuration management abuse — change system configs
(- attackers use configuration tools to weaken security or deploy access)
Advanced Credential Lifecycle Abuse
• Password reset workflow abuse — attacker resets accounts
(- attackers exploit password reset processes to gain access)
• Temporary access token abuse — reuse short-lived tokens
(- attackers reuse temporary tokens before they expire)
• Privileged access approval abuse — trick approval systems
(- attackers manipulate approval workflows to grant privileged access)
• Service account password extraction — steal automation credentials
(- attackers extract service account passwords from scripts or systems)
• Credential vault compromise — steal stored secrets
(- attackers access password vaults to retrieve stored credentials)
• Secret rotation manipulation — prevent password changes
(- attackers disable rotation so stolen credentials remain valid)
Advanced Network Trust Attacks
• Trust boundary bypass — cross security zones
(- attackers move between network segments that should be isolated)
• Inter-domain trust abuse — move across domains
(- attackers exploit trust relationships between domains)
• VPN trust exploitation — use trusted VPN access
(- attackers use compromised VPN credentials to appear internal)
• Partner network pivoting — move through partner access
(- attackers use partner connections to enter the network)
• Internal proxy abuse — route traffic internally
(- attackers use internal proxies to reach restricted systems)
• Trust relationship mapping — find trusted connections
(- attackers map trust relationships to identify movement paths)
Advanced Stealth Collection
• Incremental data collection — small data gathering over time
(- attackers collect small amounts of data gradually to avoid detection)
• Access pattern mimicry — behave like a normal user
(- attackers access files in patterns similar to legitimate users)
• Metadata-only collection — collect file information first
(- attackers gather filenames, sizes, and owners before copying data)
• Search-based data discovery — use built-in search
(- attackers use system search tools to locate sensitive files quietly)
• Preview-based extraction — read files without download
(- attackers view file previews to extract information without copying files)
• Version diff collection — collect only changes
(- attackers copy only modified data instead of entire files)
Advanced Long-Term Persistence
• Rotating persistence methods — switch backdoor techniques
(- attackers change persistence mechanisms to avoid detection)
• Dormant identity accounts — unused hidden accounts
(- attackers create accounts that remain unused until needed)
• Rare communication beaconing — infrequent check-ins
(- malware contacts attacker infrastructure only occasionally)
• Conditional persistence triggers — activate only when safe
(- persistence activates only under specific conditions)
• Multi-environment persistence — cloud and on-prem access
(- attackers maintain persistence across multiple environments)
• Re-provisioning persistence — re-create deleted access
(- attackers automatically recreate removed accounts or permissions)
Advanced Strategic Operations
• Multi-phase infiltration — gradual attack stages
(- attackers perform access, escalation, and exfiltration in phases)
• Long dwell-time espionage — stay hidden long-term
(- attackers remain undetected while monitoring activity)
• Access maintenance operations — preserve foothold
(- attackers maintain credentials and backdoors)
• Targeted high-value asset focus — attack critical systems
(- attackers prioritize domain controllers, finance, and IP systems)
• Parallel attack paths — multiple access routes
(- attackers maintain several independent intrusion paths)
• Delayed impact execution — wait before final attack
(- attackers delay final actions until optimal timing)
Advanced Identity Infrastructure Attacks
• Identity provider token signing compromise — attackers create valid login tokens
(- attackers steal signing keys and generate trusted authentication tokens)
• Authentication policy manipulation — weaken login protections
(- attackers modify MFA or conditional access policies)
• Privileged role assignment persistence — hidden admin role assignments
(- attackers create role assignments that are rarely noticed)
• Identity lifecycle abuse — exploit account creation workflows
(- attackers abuse onboarding processes to gain privileged accounts)
• Guest account privilege escalation — external users gain internal access
(- attackers elevate guest accounts to access internal resources)
• Cross-tenant identity abuse — move between cloud tenants
(- attackers use trust relationships between tenants)
Advanced Endpoint Persistence
• Hidden scheduled task chains — layered task execution
(- attackers create multiple scheduled tasks that trigger each other)
• Alternate data stream persistence — hide files in NTFS streams
(- attackers store malicious data inside hidden NTFS alternate streams)
• Registry key shadow persistence — hidden registry startup entries
(- attackers create obscure registry keys that run malware at startup)
• Service binary replacement — replace legitimate service files
(- attackers replace service executables with malicious versions)
• Startup folder masquerading — hidden startup entries
(- attackers place disguised files in startup folders)
• User profile script persistence — run scripts at login
(- attackers configure login scripts to execute malware)
Advanced Lateral Movement (Stealth)
• Token-based remote access — reuse session tokens remotely
(- attackers use stolen tokens to access remote systems)
• Remote service impersonation — execute as trusted service
(- attackers run commands under trusted service identities)
• Shared service account pivoting — move using shared credentials
(- attackers use shared service accounts across systems)
• Management server pivot — move through admin servers
(- attackers pivot through central management systems)
• Jump box chaining — move through access gateways
(- attackers move across jump hosts one hop at a time)
• Remote management API abuse — execute via admin APIs
(- attackers use administrative APIs to run commands)
Advanced Data Discovery
• Sensitive keyword scanning — search for confidential terms
(- attackers scan files for keywords such as "confidential" or "secret")
• File ownership discovery — identify key user data
(- attackers identify files owned by executives or admins)
• Permission-based data mapping — find accessible resources
(- attackers map accessible shares and directories)
• Archive repository discovery — locate stored archives
(- attackers search for backup or archive repositories)
• Database schema discovery — map database structure
(- attackers query database schemas to identify valuable tables)
• Email thread importance ranking — identify valuable emails
(- attackers identify high-value conversations)
Advanced Data Exfiltration Planning
• Data prioritization staging — sort most valuable data first
(- attackers organize stolen data by importance before transfer)
• Compression ratio optimization — reduce transfer size
(- attackers compress data to minimize transfer footprint)
• Transfer window timing — send during quiet periods
(- attackers exfiltrate data during low monitoring periods)
• Multi-channel exfiltration — multiple transfer methods
(- attackers send data using several different channels)
• Stealth naming conventions — disguise staged data
(- attackers rename data to appear harmless)
• Data integrity verification — confirm stolen data is usable
(- attackers verify copied data before exfiltration)
Advanced Cloud Control
• Cloud audit log suppression — hide cloud activity
(- attackers disable or modify cloud audit logging so actions are not recorded)
• Resource tagging manipulation — hide malicious resources
(- attackers change tags to make malicious resources appear legitimate)
• Cloud automation persistence — automated re-creation
(- attackers create automation that rebuilds deleted backdoors)
• Policy inheritance abuse — gain inherited privileges
(- attackers exploit inherited policies to obtain elevated permissions)
• Cross-region persistence — duplicate access across regions
(- attackers create access in multiple cloud regions for redundancy)
• Snapshot cloning abuse — copy cloud systems
(- attackers clone snapshots to create hidden copies of systems)
Advanced Internal Surveillance
• User behavior monitoring — watch user activity
(- attackers observe user actions to understand normal behavior)
• Privileged account monitoring — track admin use
(- attackers monitor admin logins and activity)
• Email notification monitoring — intercept alerts
(- attackers watch security alert emails to track detection)
• Security response monitoring — observe defenders
(- attackers monitor incident response actions)
• Login pattern observation — learn normal behavior
(- attackers study login times and locations)
• Change tracking surveillance — detect admin changes
(- attackers monitor configuration changes to react quickly)