ECQ needs to select the target and clearly define the objectives. A considerable amount of reconnaissance works such as social engineering are expected in this phase. ECQ would also need to find out the security controls that they might face and create evasion and response plan in the event something goes awry.

ECQ may acquire, build tools and implants that are specific to the targets and objectives. Preparation for an attack normally also involves with security research to discover zero-day vulnerability (undisclosed security issue) in software or hardware used by the target organization or develop 1-day vulnerability (freshly released security issue).

After completing all the necessary reconnaissance and preparation, ECQ delivers the artifact and dropper to the target infrastructure via spearphishing, USB, watering-hole, or simply exploiting vulnerable public services such as web services or applications and mail server.

ECQ transfers additional tools and exploit code to the initial compromised target in an attempt to escalate privilege to become root or administrator and maintain persistent access to the target. Techniques such as implanting rootkit, capturing input, modifying registry and startup services, and process binding are normally executed during this phase.

Expansion or lateral movement is perhaps one of the most important phases in an APT attack where ECQ tries to expand controls of the target network in search of valuable information. The initial compromised system can be used as a proxy to help the Consultant further infiltrate the network. ECQ will also attempt to exploit and maintain persistence over strategic servers or network devices that can be used to initiate outbound connection, store and transfer data, or simply sniff for inbound and outbound data.

ECQ's Command & Control (C2) infrastructure helps establish and maintain connectivity with the implants inside the target network. Communication with ECQ's C2 server is established over multiple channels and protocols such as HTTPS, ICMP, DNS, Twitter, and many more. Deployed implants can operate in interactive and non-interactive mode with the C2. In cases where Internet access is limited or connectivity with C2 is not possible, ECQ's implant can also work in P2P mode.

Depends on the predefined objective with the organization, ECQ will proceed to simulate impact of an APT attack to illustrate true risk in the event an adversary were able to reach to this stage.

Impacts simulated by ECQ include exfiltration of sensitive financial or secret data, create a fake financial transaction from the Core Banking or SWIFT zone, or disrupt an operation of an ICS/SCADA plant.