6
Establishing a Foothold
According to the Unified Kill Chain model of sophisticated cyberattacks, the step that follows gaining access to a network is establishing a foothold. During this stage, threat actors seek ways to maintain access to the victim’s infrastructure. Such actions are often accompanied by privilege escalation, credential access, and defense evasion, all while the malware or tooling communicates with a command-and-control (C2) server in the background.
From an analysis point of view, the aforementioned actions have many overlaps, and we can utilize similar data sources and investigative approaches to uncover the traces left by threat actors.
As before, in this chapter, we will focus on specific artifacts and the opportunities they provide. We ...