Everything I see here should be detected by modern standard defenses. This attack chain doesn't even read like an APT to me; it reads like a cybercrime group.
What am I missing?
Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials | Microsoft Security Blog
Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. Microsoft has issued a security update addressing this vulnerability as CVE-2022-38028.