[londons_explore]

Most corporate machines aren't directly on the internet though... How do attackers get through corporate firewalls to access said unpatched machines?

I would guess the easiest way is to phish a login to the corp VPN or to send an email with a malicious attachment to give the attacker something inside the corp firewall as a place to start their port scan of the internal network and begin their attacks.

[alex_anglin]

MITREs ATTaCK [1] matrix is a great resource for describing incidents like these. To answer your question, it is a combination of Initial Access and Lateral Movement techniques that depend upon an attackers aims. They're by no means the only activities involved of course.

https://attack.mitre.org/