🔍 Anatomy of a Cyber Attack: From Recon to Exfiltration

  • Writer: bharat kumar
  • Sep 28
  • 4 min read

💡 Introduction

Cyber attacks are rarely one big explosion — they’re a chain of smaller moves that, when strung together, create a breach. Understanding each stage helps you detect adversaries early and cut them off before damage happens. Below is a stage-by-stage walkthrough — reconnaissance → weaponization → delivery → exploitation → installation → command & control → lateral movement → privilege escalation → data discovery → exfiltration — with detection signals and practical defenses.

🕵️‍♂️ 1. Reconnaissance (Footprinting & Scanning)

What happens: Attackers collect public info (domains, employee names, IP ranges) and scan for weak services.

Signals to detect

  • Unusual DNS queries or spikes for odd subdomains.

  • Repeated scanning from external IPs.

  • Credential-harvest attempts on public forms.

How to defend

  • Minimize exposed info and services.

  • Use external attack-surface monitoring and DNS alerting.

  • Add rate-limits and WAFs on public endpoints.

🧰 2. Weaponization

What happens: The attacker prepares a payload — malicious docs, exploit kits, or custom malware.

Signals to detect

  • Strange or unexpected attachment types.

  • New code-signing certs or macro-enabled files.

  • Threat intel warnings for exploit kits.

How to defend

  • Block macros; enable Protected View.

  • Sandbox attachments in the email gateway.

  • Prioritize patching of exposed services.

✉️ 3. Delivery

What happens: Payload sent via phishing, malicious links, drive-by downloads, or compromised third-party software.

Signals to detect

  • Phishing emails with spoofed senders.

  • Users clicking links to newly-registered domains.

  • Odd web referrers or user agents in logs.

How to defend

  • Phishing awareness training + simulated phishing.

  • Click-time URL scanning and URL rewriting.

  • Use browser sandboxes / isolate risky browsing.

💥 4. Exploitation (Initial Compromise)

What happens: Payload runs — e.g., a user enables macros or an RCE exploit triggers — giving attacker code execution.

Signals to detect

  • Office app spawning cmd.exe, wscript, or suspicious child processes.

  • New services, scheduled tasks, or persistence artifacts.

  • Unusual process behavior (spikes, odd network calls).

How to defend

  • EDR with parent-child process monitoring and blocking.

  • Least-privilege user accounts.

  • Application allowlisting where possible.
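The parent/child signal from this stage, as an added example that is not code from the original post: it walks the process ancestry so an indirect chain (Office app, then a script host, then a shell) is caught as well as a direct one. The event layout (host, pid, ppid, image) and the sample records are constructed assumptions, not any specific EDR's schema.

```python
# Added example (not from the original post): the stage-4 Office-to-shell
# signal, checked along the full process ancestry so indirect chains
# (Office -> wscript -> powershell) are caught. Event layout is an assumption.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe",
                           "cscript.exe", "mshta.exe"}

def office_ancestor(pid, by_pid, max_depth=8):
    """Return the image name of the nearest Office ancestor of pid, or None."""
    cur = by_pid.get(pid)
    for _ in range(max_depth):
        if cur is None:
            return None
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return None
        if parent["image"].lower() in OFFICE_APPS:
            return parent["image"]
        cur = parent
    return None

def find_suspicious_chains(events):
    """Return (host, child image, Office ancestor image) for each shell or
    script host that descends from an Office application on the same host."""
    hits = []
    for host in sorted({e["host"] for e in events}):
        by_pid = {e["pid"]: e for e in events if e["host"] == host}
        for e in by_pid.values():
            if e["image"].lower() in SHELLS_AND_SCRIPT_HOSTS:
                ancestor = office_ancestor(e["pid"], by_pid)
                if ancestor:
                    hits.append((host, e["image"], ancestor))
    return hits

# Constructed sample process-creation events (one record per process).
SAMPLE_EVENTS = [
    {"host": "ws-042", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"host": "ws-042", "pid": 2301, "ppid": 100, "image": "WINWORD.EXE"},
    {"host": "ws-042", "pid": 2310, "ppid": 2301, "image": "wscript.exe"},
    {"host": "ws-042", "pid": 2315, "ppid": 2310, "image": "powershell.exe"},
    {"host": "ws-017", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"host": "ws-017", "pid": 4400, "ppid": 100, "image": "cmd.exe"},  # user shell, benign
    {"host": "ws-017", "pid": 4410, "ppid": 100, "image": "EXCEL.EXE"},
]

if __name__ == "__main__":
    for host, child, ancestor in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"{host}: {ancestor} -> ... -> {child}")
```

An EDR rule built on this logic should still be tuned against the environment, since some line-of-business add-ins launch script hosts from Office legitimately.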

🛠️ 5. Installation & Persistence

What happens: Attacker installs backdoors and persistence (services, registry keys, scheduled tasks).

Signals to detect

  • New/modified startup locations or registry Run keys.

  • Unknown binaries in startup folders.

  • Repeated authentication with stale credentials.

How to defend

  • Alert on changes to startup locations and Run keys.

  • Harden EDR policies to block known persistence techniques.

  • Regularly audit and remove unused privileged accounts.

📡 6. Command & Control (C2)

What happens: Compromised hosts call back to attacker infrastructure for commands and data exfiltration.

Signals to detect

  • Outbound connections to rare or newly-registered domains.

  • Regular beaconing patterns (periodic outbound requests).

  • Encrypted traffic to endpoints that don’t match business needs.

How to defend

  • Egress filtering; proxy outbound traffic.

  • DNS-layer detection and DGA pattern analysis.

  • Block known malicious C2 IPs/domains via threat intel.
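The beaconing pattern described above, as an added example that is not code from the original post: for every (source, destination) pair it measures the gaps between outbound connections and reports pairs whose gaps are nearly constant. The log line format, the sample lines and the thresholds are constructed assumptions.

```python
# Added example (not from the original post): score outbound connection logs
# for the stage-6 beaconing signal, a host contacting the same destination at
# near-constant intervals. Line format and thresholds are assumptions.
import statistics
from collections import defaultdict
from datetime import datetime

def parse_line(line):
    """'2025-09-28T10:00:00 src=10.0.0.5 dst=host.example' -> (ts, src, dst)"""
    ts, src, dst = line.split()
    return (datetime.fromisoformat(ts),
            src.split("=", 1)[1], dst.split("=", 1)[1])

def beacon_candidates(lines, min_hits=6, max_jitter=0.15):
    """Return {(src, dst): (median_gap_seconds, jitter)} for periodic pairs.
    jitter is the coefficient of variation of the gaps between connections;
    many hits with low jitter is the pattern worth triaging."""
    times = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        times[(src, dst)].append(ts)
    out = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            out[pair] = (round(statistics.median(gaps), 1), round(jitter, 3))
    return out

# Constructed sample: 10.0.0.42 calls out every ~60 s; 10.0.0.17 browses irregularly.
SAMPLE_LOG = [f"2025-09-28T10:{m:02d}:{s:02d} src=10.0.0.42 dst=unknown.example.invalid"
              for m, s in [(0, 0), (1, 2), (2, 1), (3, 3), (4, 0), (5, 2), (6, 1)]]
SAMPLE_LOG += [f"2025-09-28T10:{m:02d}:{s:02d} src=10.0.0.17 dst=cdn.example.invalid"
               for m, s in [(0, 5), (0, 9), (2, 40), (3, 0), (7, 15), (7, 16), (9, 50)]]

if __name__ == "__main__":
    for (src, dst), (gap, jitter) in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: every ~{gap}s, jitter {jitter}")
```

Real implants often randomise their sleep interval, so in production pair this with the rarity of the destination (age of the domain, how many other hosts talk to it) rather than relying on jitter alone.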

🔁 7. Lateral Movement

What happens: Attacker moves from initial host to others — targeting servers, backups, and credential stores.

Signals to detect

  • Unusual SMB/RDP/SSH auths or admin sessions from odd hosts/times.

  • Bulk reads from sensitive file shares.

  • Use of lateral-movement tools (PsExec, WMI) from non-admin machines.

How to defend

  • Network segmentation & micro-segmentation.

  • MFA for remote/admin access.

  • Monitor for Pass-the-Hash / Kerberos anomalies.

🔐 8. Privilege Escalation

What happens: Attacker increases their privileges (local admin → domain admin) via exploits or misconfigurations.

Signals to detect

  • Creation of elevated accounts.

  • Non-admin hosts running administrative tooling (PowerShell, PsExec).

  • Unexpected GPO or group membership changes.

How to defend

  • Harden domain controllers; use jump boxes for admin work.

  • Tiered admin model + MFA on admin accounts.

  • Alert on privileged group modifications.

🔎 9. Data Discovery & Collection

What happens: Attacker hunts for sensitive files, DBs, backups, and intellectual property.

Signals to detect

  • High-volume file reads from sensitive directories.

  • Unusual DB exports or backup access.

  • Use of data-export or compression utilities.

How to defend

  • Data classification + DLP to monitor/block sensitive exfil.

  • Restrict backup access and encrypt backups offline.

  • Alert on mass file access or abnormal exports.

🚚 10. Exfiltration

What happens: Data leaves the network — via cloud uploads, HTTPS, DNS tunneling, or physical extraction.

Signals to detect

  • Large uploads to external cloud storage.

  • DNS queries with abnormally large payloads.

  • Traffic to odd ports or encrypted blobs to strange endpoints.

How to defend

  • Egress monitoring and bandwidth-based alerts.

  • DLP blocking of sensitive data to external destinations.

  • Enforce cloud app allowlists and inspect cloud logs.
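The "abnormally large DNS payloads" signal from this stage, as an added example that is not code from the original post: it measures, per client and registered domain, how many bytes of distinct subdomain labels have been looked up, which is the volume pattern DNS tunnelling produces and which ordinary lookups (a few short, reused names) do not. The sample queries and thresholds are constructed, and the "last two labels" rule for the registered domain is a simplification of what a public-suffix-list lookup would do.

```python
# Added example (not from the original post): stage-10 DNS exfiltration signal,
# scored as unique-subdomain byte volume per (client, registered domain).
# Sample data and thresholds are assumptions; registered_domain() is simplified.
from collections import defaultdict

def registered_domain(qname):
    """'a.b.example.invalid' -> 'example.invalid' (last two labels only)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def dns_payload_stats(queries):
    """queries: iterable of (client, qname). Returns
    {(client, domain): (unique_subdomains, payload_bytes, avg_subdomain_len)}."""
    seen = defaultdict(set)
    for client, qname in queries:
        dom = registered_domain(qname)
        sub = qname.rstrip(".").lower()[: -len(dom)].rstrip(".")
        if sub:                      # bare lookups of the domain itself carry no payload
            seen[(client, dom)].add(sub)
    stats = {}
    for key, subs in seen.items():
        total = sum(len(s) for s in subs)
        stats[key] = (len(subs), total, round(total / len(subs), 1))
    return stats

def flag_large_payloads(queries, min_bytes=200, min_avg_len=40):
    """Pairs whose distinct-subdomain volume and average subdomain length both
    exceed the thresholds; repeated lookups of the same name do not add up."""
    return sorted(key for key, (n, total, avg) in dns_payload_stats(queries).items()
                  if total >= min_bytes and avg >= min_avg_len)

# Constructed sample queries as (client, qname): one client pushes six distinct
# 48-character labels; the other repeats a handful of ordinary short names.
SAMPLE_QUERIES = [("10.0.0.42", f"{i:048x}.t.example.invalid") for i in range(6)]
SAMPLE_QUERIES += [("10.0.0.17", "www.example.invalid")] * 20
SAMPLE_QUERIES += [("10.0.0.17", "mail.example.invalid"),
                   ("10.0.0.17", "cdn.static.example.invalid")]

if __name__ == "__main__":
    for client, dom in flag_large_payloads(SAMPLE_QUERIES):
        print(f"{client} -> {dom}: {dns_payload_stats(SAMPLE_QUERIES)[(client, dom)]}")
```

Run this over a resolver log in fixed windows (for example 10 minutes) so that a slow, low-volume tunnel still accumulates enough bytes to cross the threshold.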

🧹 11. Covering Tracks & Cleanup

What happens: Attackers delete logs, tamper with telemetry, or trigger mass encryption (ransomware).

Signals to detect

  • Sudden drops in log volume or truncated logs.

  • Time gaps in telemetry.

  • Unexpected reboots tied to mass file changes.

How to defend

  • Forward logs to immutable, centralized collectors (SIEM).

  • Alert when log volumes drop unexpectedly.

  • Keep offline, immutable backups and test recovery playbooks.

⚙️ Detection & Response — Practical Playbook

  • Assume breach: design for detection and recovery.

  • Centralize telemetry: EDR + network + DNS + email + cloud logs in SIEM.

  • Hunt proactively: look for beaconing, odd process trees, and privilege misuse.

  • Segment & restrict: minimize blast radius with segmentation and least privilege.

  • Run tabletop exercises: test IR playbooks and backup restores.

  • Prioritize patching: focus on internet-facing and privilege-escalation CVEs.

  • Immutable backups: keep air-gapped/offline backups and verify restores.

✅ Quick SOC Checklist

  • DNS anomalies & new domains

  • Phishing indicators & click-throughs

  • Suspicious parent-child process chains

  • Beaconing / odd outbound connections

  • Mass file access or large uploads

  • Unexpected privilege changes

  • Missing or truncated logs

🏁 Conclusion — The Defender’s Edge

Attackers chain small actions into big outcomes. Your edge: visibility (logs everywhere), prevention (least privilege, segmentation, patching), and practiced response (runbooks + backups). Detecting attackers at recon or delivery is far cheaper than reacting after exfiltration.

Created by and owned by cybersergeants.org

bottom of page