APT Operations — Reference.

How sustained adversaries operate end-to-end: initial-access patterns, tooling and TTP overlap, Windows persistence ranking, and the discovery/impact assessment workflow.

Initial access — sustained vs opportunistic patterns

  • Spear-phishing against named individuals. Custom pretext, weeks of OSINT, targeting a single role (sysadmin, finance director) per campaign.
  • Supply-chain compromise. Compromise a vendor that already has access to the real target. Software-update injection (SolarWinds-class), code-signing-cert theft, dependency confusion against a private package registry.
  • Public-facing app exploitation. n-day against unpatched edge devices (VPN appliances, mail gateways, firewalls). Ivanti, Citrix NetScaler, FortiGate, Pulse Secure — all repeatedly used by sustained actors.
  • Valid accounts. Purchased credentials, infostealer logs, prior breach reuse. Cheap, quiet, hard to attribute.
  • Trusted-relationship abuse. Compromise an MSP, ride their privileged access into multiple customers.

Windows persistence — ranked by observed APT preference

  1. Scheduled task with COM trigger. Survives reboot, can run as SYSTEM, can be triggered by user logon. Defender sweeps Run keys first; tasks lag.
  2. Service with binary path hijack. Legitimate service, attacker replaces ImagePath or binary. Survives restarts, runs SYSTEM.
  3. WMI event subscription. __EventFilter + __EventConsumer + __FilterToConsumerBinding. Persistent, runs SYSTEM, often missed in autoruns scans.
  4. Run / RunOnce keys. Classic. First place defender looks. Use as decoy if anything.
  5. COM hijack. Register attacker DLL as CLSID handler. Triggers when any app instantiates that COM object.
  6. BITS job. Background Intelligent Transfer Service job that downloads + executes. Long-lived, native, low-noise.
  7. Image File Execution Options. "Debugger" key attached to e.g. notepad.exe — every notepad launch runs attacker binary first.
  8. Group Policy preferences. Domain-wide persistence via GPO if attacker has Domain Admin. Most powerful, most detectable.
  9. Office add-in / template. Word/Excel add-in or normal.dotm. Triggers on every Office launch.

Discovery + impact assessment without tipping the adversary

  1. Read-only triage. No active sweeps. Pull EDR telemetry, network flow logs, DNS queries for the affected host. Don't touch the host.
  2. Scope laterally from telemetry, not from scans. Match the host's authentication trail (Security Log 4624/4768 events) to identify other hosts the attacker may have touched.
  3. Preserve evidence. Memory dump via covert means (a live IR tool that leaves few artifacts on the host, or a snapshot pulled from the hypervisor). Disk image after memory, never before.
  4. Identify objective. What was the adversary after? Active staging dirs, exfil DNS, beaconing destination tell you what to protect.
  5. Plan eviction window. Eviction must be synchronous — kill C2 + reset credentials + rotate certs + revoke tokens all at the same time. Doing it sequentially gives the adversary time to re-establish.
  6. Communicate sparingly. Only the IR team + named exec sponsor. Email about the incident travels through systems the adversary may control.
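Step 2 in code, as an added example that is not part of the original reference: a read-only pivot over exported 4624 logon events that lists the other hosts sharing the compromised host's authentication trail, and the addresses that authenticated into it. The records are constructed for the example (host names, accounts and addresses are made up), and DC-side 4768 ticket events are left out for brevity; they would feed the same pivot.

```python
from datetime import datetime
# Constructed sample of Security Log 4624 records, shaped like a SIEM/EDR
# export. Hosts, accounts and addresses are made up for this example.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4624, "host": "WS-042",
     "user": "j.doe", "logon_type": 2, "src_ip": "-"},  # owner at the console
    {"time": "2024-05-01T10:15:00", "id": 4624, "host": "WS-042",
     "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.5.7"},  # inbound
    {"time": "2024-05-01T10:20:00", "id": 4624, "host": "FS-01",
     "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.1.42"},  # from WS-042
    {"time": "2024-05-01T10:31:00", "id": 4624, "host": "DC-01",
     "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.1.42"},  # RDP from WS-042
    {"time": "2024-05-01T11:00:00", "id": 4624, "host": "WS-077",
     "user": "a.smith", "logon_type": 3, "src_ip": "10.0.1.9"},  # unrelated noise
    {"time": "2024-04-30T08:00:00", "id": 4624, "host": "FS-01",
     "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.1.42"},  # before window
]

def _in_window(events, start, end):
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [e for e in events if e["id"] == 4624
            and lo <= datetime.fromisoformat(e["time"]) <= hi]

def scope_from_logons(events, patient_zero, patient_zero_ip, start, end):
    """Map host -> reasons it shares an auth trail with patient_zero. Telemetry only."""
    events = _in_window(events, start, end)
    # Accounts that authenticated to patient zero may have been harvested there.
    exposed = {e["user"] for e in events if e["host"] == patient_zero}
    suspects = {}
    for e in events:
        if e["host"] == patient_zero:
            continue
        reasons = set()
        if e["src_ip"] == patient_zero_ip:
            reasons.add(f"logon type {e['logon_type']} sourced from {patient_zero}")
        if e["user"] in exposed:
            reasons.add(f"exposed account {e['user']} reused")
        if reasons:
            suspects.setdefault(e["host"], set()).update(reasons)
    return suspects

def upstream_sources(events, patient_zero, start, end):
    """Remote addresses that authenticated INTO patient zero: the likely prior hop."""
    return sorted({e["src_ip"] for e in _in_window(events, start, end)
                   if e["host"] == patient_zero and e["src_ip"] not in ("-", "::1")})

if __name__ == "__main__":
    window = ("2024-05-01T00:00:00", "2024-05-02T00:00:00")
    print(scope_from_logons(EVENTS, "WS-042", "10.0.1.42", *window))
    print("upstream:", upstream_sources(EVENTS, "WS-042", *window))
```

Every host it returns is a scoping lead to check in telemetry, not a host to scan; the unrelated WS-077 logon and the out-of-window FS-01 logon are dropped on purpose.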

Attribution — overlap analysis

  • Tooling overlap. Specific custom backdoor families are reliably tied to specific actors (HAFNIUM China-Chopper variants, APT28 X-Agent, Sandworm Cyclops Blink). Public + open-source tooling (Cobalt Strike, Sliver) gives weak attribution.
  • Infrastructure overlap. C2 IP reuse, certificate reuse, hosting provider patterns. Single shared cert across two intrusions = strong link.
  • TTP overlap. Order of operations, characteristic command-line patterns, characteristic LOLBin choices.
  • Caveat. Attribution is a probabilistic claim. State "consistent with TTPs reported as X", not "is X". Premature public attribution is how vendors burn credibility.

Rule of thumb: For sustained-adversary cases, don't run AV scans, don't run port scans, don't search the registry with admin tools. Each of those is a beacon to a live attacker that detection has occurred, and they will adapt before you can evict. Telemetry-only triage, then synchronous eviction.
