This is the step where we want to gather as much information about our opponent as possible without being intrusive: things like target address ranges, namespace acquisition, and any other information that will be useful in deeper attacks.
This is where we assess our opponent’s systems. What operating system do they run? Which ports are they listening on? We are looking for vulnerable places to enter their systems.
Next, we go a little deeper and attempt to identify valid user accounts or poorly protected network shares.
Now that we have some information, we begin to attempt to access our opponent’s computers.
If we have gained a low-level user account, we now escalate our privileges to the equivalent of an administrator.
We do not want to lose our access to our opponent’s machines; hence, we create backdoors so that we can come back in with privileged access.
Not getting caught, and not having our “new” accounts erased, is important, so we need to hide our activities.
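The seven stages above leave distinct traces on the target: a burst of connections to many ports, a run of failed logons against many usernames, a successful logon from the same source, a new account, a group change, and a cleared log. The following script is an added, defender-side illustration of how those traces can be correlated into a stage report; it is not code from the original page, and its log format (`timestamp source event key=value ...`) and the sample events are constructed for the example. Thresholds such as 20 distinct ports in 60 seconds or 5 distinct usernames are assumptions to tune per environment.

```python
"""Correlate constructed host/firewall events with the attack stages above.

Added illustration, not code from the original page. The line format
``<iso-timestamp> <source-ip> <event> key=value ...`` is constructed here;
real sources (firewall syslog, Windows Security log, auditd) need their
own parsers that normalise into the same event dictionaries.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse(lines):
    """Turn raw lines into {"ts", "src", "event", "fields"} dictionaries."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, event, *rest = line.split()
        fields = dict(kv.split("=", 1) for kv in rest)
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "event": event, "fields": fields})
    return events


def port_scan_sources(events, min_ports=20, window=timedelta(seconds=60)):
    """Scanning stage: a source touching >= min_ports distinct ports in one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "conn":
            by_src[e["src"]].append((e["ts"], e["fields"]["port"]))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            ports = {p for t, p in conns[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = len(ports)
                break
    return hits


def enumeration_sources(events, min_users=5):
    """Enumeration stage: failed logons against many distinct usernames."""
    users = defaultdict(set)
    for e in events:
        if e["event"] == "logon_failed":
            users[e["src"]].add(e["fields"]["user"])
    return {s: len(u) for s, u in users.items() if len(u) >= min_users}


def access_after_failures(events):
    """Gaining-access stage: a successful logon from a source that failed earlier."""
    failed, found = set(), []
    for e in events:  # events are processed in log order
        if e["event"] == "logon_failed":
            failed.add(e["src"])
        elif e["event"] == "logon_success" and e["src"] in failed:
            found.append((e["src"], e["fields"]["user"]))
    return found


def persistence_and_escalation(events):
    """Backdoor, escalation and track-covering stages from account/audit events."""
    findings = []
    for e in events:
        if e["event"] == "user_created":
            findings.append(("backdoor_account", e["fields"]["user"]))
        if e["event"] == "group_add" and e["fields"]["group"] == "Administrators":
            findings.append(("escalation", e["fields"]["user"]))
        if e["event"] == "log_cleared":
            findings.append(("track_covering", e["fields"]["log"]))
    return findings


def stage_report(lines):
    """Run every detector over the lines and group results by attack stage."""
    events = parse(lines)
    return {
        "scanning": port_scan_sources(events),
        "enumeration": enumeration_sources(events),
        "gaining_access": access_after_failures(events),
        "later_stages": persistence_and_escalation(events),
    }


def sample_lines():
    """Constructed sample: one source walks through all stages; another is benign."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    at = lambda **kw: (base + timedelta(**kw)).isoformat()
    lines = [f"{at(seconds=i)} 10.0.0.7 conn port={p}"
             for i, p in enumerate(range(20, 45))]          # 25 ports in 25 s
    lines += [f"{at(minutes=2, seconds=i)} 10.0.0.7 logon_failed user=u{i}"
              for i in range(6)]                            # 6 distinct usernames
    lines += [
        f"{at(minutes=3)} 10.0.0.7 logon_success user=u5",
        f"{at(minutes=4)} 10.0.0.7 user_created user=svc_backup",
        f"{at(minutes=5)} 10.0.0.7 group_add user=svc_backup group=Administrators",
        f"{at(minutes=6)} 10.0.0.7 log_cleared log=Security",
        f"{at(minutes=7)} 10.0.0.9 conn port=443",          # single benign connection
    ]
    return lines


if __name__ == "__main__":
    for stage, result in stage_report(sample_lines()).items():
        print(f"{stage}: {result}")
```

Each detector on its own produces noise (vulnerability scanners trip the port threshold, help-desk staff create accounts); the value comes from the same source or account appearing in several consecutive stages, which is what the grouped report makes visible.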