Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Stage 9: Action on Objectives
Stage 9 is the final stage of the Identity Attack Chain, where accumulated identity access is turned into operational impact. Unlike traditional attacks that rely on malware, modern adversaries execute their objectives directly through compromised user, admin, or machine identities.
Attack Execution and Common Objectives
Data Exfiltration
High-value business data extraction through authorized identity access, often targeting sensitive mailboxes, cloud storage at scale, and proprietary intellectual property using legitimate credentials.
Infrastructure Disruption
Operational sabotage through cloud resource deletion, CI/CD pipeline manipulation, control plane permission elevation, and infrastructure shutdown using privileged cloud roles.
Identity Weaponization
Creation of new privileged identities, SaaS application takeover, executive impersonation for fraud, and automated exfiltration through service principals without malware deployment.
In identity-centric attacks, the compromised identity itself becomes the primary weapon. Attackers leverage accumulated permissions to execute extortion preparation, supply chain manipulation, financial fraud, and third-party system pivoting—all through seemingly legitimate authentication.
Detection and Prevention Framework
1. Critical Misconfigurations
  • MC-062: Excessive Cloud IAM Permissions enable destructive high-impact actions
  • MC-107: Weak Directory Role Governance allows undetected admin abuse
  • MC-138: Overprivileged API/Machine Identities facilitate automated exfiltration
  • MC-090: Privilege Creep grants silent administrative reach over time
  • MC-075: Weak Network Segmentation permits remote critical action execution
2. Detection Logic
  • DL-041: High-Sensitivity Access Spike monitoring for sudden impact operations
  • DL-052: Machine Identity anomaly detection from non-associated hosts
  • DL-056: Cross-Application Token Replay tracking across SaaS platforms
  • DL-068: Session Replay Behavioral Outlier identification
  • DL-047: Unusual Data Exfiltration via Identity monitoring
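As an added illustration of two of the detection logic items above (DL-052 and DL-041), the following Python sketch runs over constructed identity audit events; it is example code written for this page, not part of the framework, and the event field names, host baseline and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events; field names are assumed, not a real log schema.
EVENTS = [
    {"ts": "2026-01-10T09:00:00", "identity": "svc-backup", "type": "machine",
     "host": "backup-01", "action": "storage.read", "sensitive": False},
    {"ts": "2026-01-10T10:00:00", "identity": "alice", "type": "user",
     "host": "laptop-alice", "action": "mail.read", "sensitive": True},
    {"ts": "2026-01-10T21:14:00", "identity": "svc-backup", "type": "machine",
     "host": "vpn-client-77", "action": "storage.list", "sensitive": True},
    {"ts": "2026-01-10T21:14:30", "identity": "svc-backup", "type": "machine",
     "host": "vpn-client-77", "action": "storage.download", "sensitive": True},
    {"ts": "2026-01-10T21:15:00", "identity": "svc-backup", "type": "machine",
     "host": "vpn-client-77", "action": "storage.download", "sensitive": True},
    {"ts": "2026-01-10T21:15:20", "identity": "svc-backup", "type": "machine",
     "host": "vpn-client-77", "action": "storage.download", "sensitive": True},
]

# Assumed known-good baseline: hosts each machine identity normally runs on.
BASELINE_HOSTS = {"svc-backup": {"backup-01"}}


def detect_non_associated_host(events, baseline):
    """DL-052: machine identity authenticating from a host outside its baseline."""
    return sorted({(e["identity"], e["host"]) for e in events
                   if e["type"] == "machine"
                   and e["host"] not in baseline.get(e["identity"], set())})


def detect_sensitive_spike(events, window_minutes=5, threshold=3):
    """DL-041: identity performing >= threshold sensitive actions inside one window."""
    per_identity = defaultdict(list)
    for e in events:
        if e["sensitive"]:
            per_identity[e["identity"]].append(datetime.fromisoformat(e["ts"]))
    window, alerts = timedelta(minutes=window_minutes), []
    for ident, times in sorted(per_identity.items()):
        times.sort()
        start = 0  # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(ident)
                break
    return alerts


if __name__ == "__main__":
    print(detect_non_associated_host(EVENTS, BASELINE_HOSTS))
    print(detect_sensitive_spike(EVENTS))
```

Both detectors flag the service principal once it appears on an unexpected host and starts a burst of sensitive storage actions, while the single mailbox read by a user stays below the spike threshold.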
Threat Intelligence and Attack Chain Context
1. Stage 6: Token Acquisition. Credentials harvested and authentication tokens obtained.
2. Stage 7: Lateral Movement. Identities leveraged across systems and applications.
3. Stage 8: Persistence. Continuous access mechanisms established.
4. Stage 9: Objectives. Mission goals executed through identity.
Active Threat Actors Exploiting Stage 9

  • Volt Typhoon (ICTAM-004): Operational disruption campaigns
  • APT29 (ICTAM-001): Espionage and mailbox exfiltration
  • BlackCat (ICTAM-009): Identity-only ransomware deployment
  • LockBit (ICTAM-011): Cloud storage exfiltration operations
  • Malicious Insider (ICTAM-017): Identity-led business disruption
Breach Patterns Using Stage 9
1. BP-040: Cross-Cloud Identity Exfiltration
2. BP-031: Privileged Mailbox Access
3. BP-043: Identity-Led Ransomware
4. BP-044: Control Plane Sabotage
