The phase described where John, after gaining initial access, is attempting to obtain administrative

credentials to further access systems within the network, is known as the 'Expansion' phase of an

Advanced Persistent Threat (APT) lifecycle. This phase involves the attacker expanding their foothold

within the target's environment, often by escalating privileges, compromising additional systems,

and moving laterally through the network. The goal is to increase control over the network and

maintain persistence for ongoing access. This phase follows the initial intrusion and sets the stage for

establishing long-term presence and eventual data exfiltration or other malicious objectives.

Reference:

MITRE ATT&CK Framework, specifically the tactics related to Credential Access and Lateral

Movement

"APT Lifecycle: Detecting the Undetected," a whitepaper by CyberArk