Once breached at the endpoint, what does an attacker do? Where is he going? What does he want? Since 1999, Microsoft has made the Windows Domain the âheartâ of the network. Once accessed, it permits the attacker to control the organization - undetected and indefinitely. This presentation will discuss all moves an attacker can make to go from a compromised machine to achieve his goal from a statistical point of view; we will present the probability of detection and evidence-gathering for any move made along the way.