Gaining Access to the Network
Introduction
The first phase of the Unified Kill Chain model is Gaining an Initial Foothold. The first stage within this phase is Gaining Access to the Network. This stage focuses on how adversaries infiltrate a target environment to establish unauthorised access. It is critical because it lays the foundation for subsequent stages of an attack, such as lateral movement and data exfiltration. Understanding the tactics and techniques attackers use during this stage is essential for effective threat detection, investigation, and response. The following techniques are commonly employed by attackers to achieve initial access in, for example, a Windows environment:
- Exploiting Public-Facing Applications: Attackers often target vulnerabilities in web applications or services exposed to the internet, such as web servers or APIs, to inject malicious code or gain unauthorised access. 
- Phishing: Malicious emails designed to trick users into clicking on links or opening attachments containing malware remain one of the most prevalent methods for gaining initial access. 
- External Remote Services: Attackers exploit poorly secured remote access protocols like RDP, VPNs, or SSH to gain a foothold, often using brute force or stolen credentials. 
- Valid Accounts: Using compromised or stolen credentials, attackers log in as legitimate users to bypass basic security measures. 
- Drive-by Compromise: By hosting malicious code on compromised or rogue websites, attackers trick users into downloading malware during regular browsing. 
- Supply Chain Compromise: Adversaries infiltrate third-party vendors or software providers to distribute malware through legitimate software updates or packages. 
- Trusted Relationships: Exploiting relationships with trusted third-party vendors or partners to gain access to internal systems. 
- Replication Through Removable Media: The use of infected USB drives or other removable media to deliver malicious payloads when connected to the target system. 
By applying the Unified Kill Chain model, investigators can systematically analyse the techniques used during this phase, identify relevant indicators of compromise (IOCs), and map the attacker’s behaviour to defensive strategies. This structured approach enhances detection and response efforts, enabling defenders to disrupt adversaries early in the attack lifecycle.
The following are basic KQL (Microsoft Sentinel), Velociraptor VQL, and Splunk SPL queries for investigating each of the techniques in Phase 1 – Gaining an Initial Foothold, along with a description of what each query does and several query examples per technique.
1. Exploiting Public-Facing Applications
Attackers often exploit vulnerabilities in public-facing applications, such as web servers or APIs, to gain unauthorised access.
KQL Queries
Identify SQL Injection Attempts
AzureDiagnostics
| where Message contains "sql injection" or Message contains "select *"
| summarize count() by Message, ClientIP, bin(TimeGenerated, 1h)
Description: Searches for potential SQL injection patterns in application logs, such as "select *" or explicit "sql injection" alerts. Bucketing TimeGenerated with bin() groups repeated hits per client and hour instead of producing one row per event.
Detect Unusual POST Requests
AzureDiagnostics
| where Method == "POST" and UrlPath contains ".php"
| summarize count() by ClientIP, UrlPath, bin(TimeGenerated, 1h)
Description: Identifies suspicious POST requests targeting .php files, often used in web application attacks.
Monitor Error Messages Suggesting Vulnerabilities
AzureDiagnostics
| where Message contains "500 Internal Server Error" or Message contains "unauthorized"
| summarize count() by ClientIP, Message, bin(TimeGenerated, 1h)
Description: Detects repeated error messages that could indicate exploitation attempts.
Velociraptor VQL
Identify Suspicious Command-Line Execution
SELECT System.TimeCreated.SystemTime AS Time, EventData.NewProcessName, EventData.CommandLine
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4688 AND EventData.CommandLine =~ "cmd.exe /c"
Description: Identifies suspicious command-line executions that attackers might trigger through exploited applications. Event 4688 only carries the command line when process command-line auditing is enabled.
Detect Web Shell Creation
SELECT OSPath, Size, Btime, Mtime
FROM glob(globs="C:/inetpub/wwwroot/**/*.aspx")
ORDER BY Btime DESC
Description: Lists .aspx files in the IIS web root, newest creation time first, to surface recently dropped web shell files.
Identify Abnormal HTTP Traffic
SELECT OSPath, Line
FROM foreach(
  row={ SELECT OSPath FROM glob(globs="C:/inetpub/logs/LogFiles/**/*.log") },
  query={ SELECT OSPath, Line FROM parse_lines(filename=OSPath) WHERE Line =~ "sqlmap" })
Description: Detects requests whose user agent identifies automated tools like sqlmap by scanning the IIS access logs on disk; Velociraptor does not capture live HTTP traffic, so the log files are the evidence source here.
Splunk SPL
SQL Injection Keywords in URL Queries
index=web_logs sourcetype=access_combined
| search uri_query="*union*" OR uri_query="*select*"
| stats count by clientip, uri_query
Description: Searches for SQL injection attempts by filtering for SQL keywords in URL queries.
POST Requests with Large Payloads
index=web_logs sourcetype=access_combined
| search method="POST" content_length > 10000
| stats count by clientip, uri
Description: Detects large POST requests, potentially used for uploading malicious payloads.
Frequent 404 Errors
index=web_logs sourcetype=access_combined
| search status="404"
| stats count by clientip, uri
Description: Flags repeated 404 errors, which may indicate probing or scanning activities.
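The three Splunk searches above, and the sqlmap user-agent check in the VQL section, run the same detection logic over web server access logs. This added example (not part of the original page) implements that logic in Python over a few constructed lines in the combined log format that Splunk's access_combined sourcetype parses: decoded query strings are checked for SQL injection patterns, user agents for known scanner names, and 404 responses are counted per client against a threshold.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample in Apache/NGINX "combined" format (IPs are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /products.php?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 500 512 "-" "sqlmap/1.7"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /products.php?id=1'%20OR%201=1-- HTTP/1.1" 500 512 "-" "sqlmap/1.7"
198.51.100.4 - - [10/Jan/2025:10:00:05 +0000] "POST /upload.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:10:00:06 +0000] "GET /admin/ HTTP/1.1" 404 200 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:10:00:07 +0000] "GET /backup.zip HTTP/1.1" 404 200 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:10:00:08 +0000] "GET /.env HTTP/1.1" 404 200 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2025:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# One combined-format line: client, ident, user, [timestamp], "request", status, bytes, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Injection patterns checked on the URL-decoded, lower-cased query string.
SQLI_RE = re.compile(r"(union\s+select|\bselect\b.*\bfrom\b|'\s*or\b|--)")
# User-agent substrings of common automated exploitation/scanning tools.
TOOL_UA_RE = re.compile(r"(sqlmap|nikto|nmap)", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, not_found_threshold=3):
    """Return SQLi hits, tool user agents and clients with >= threshold 404s."""
    sqli, tool_ua, not_found = [], [], Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:          # skip unparseable lines rather than failing the whole run
            continue
        query = unquote_plus(urlsplit(rec["uri"]).query).lower()
        if SQLI_RE.search(query):
            sqli.append((rec["ip"], query))
        if TOOL_UA_RE.search(rec["ua"]):
            tool_ua.append((rec["ip"], rec["ua"]))
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    scanners = {ip: n for ip, n in not_found.items() if n >= not_found_threshold}
    return {"sqli": sqli, "tool_ua": tool_ua, "scanners": scanners}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```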
2. Phishing
Attackers deliver malicious payloads or steal credentials through phishing emails.
KQL Queries
Identify Emails from Suspicious Domains
EmailEvents
| where SenderFromDomain endswith ".ru" or SenderFromDomain endswith ".cn"
| summarize count() by SenderFromAddress, Subject, bin(Timestamp, 1h)
Description: Searches for emails from unusual or high-risk domains. The EmailEvents table exposes the sender as SenderFromDomain/SenderFromAddress and the receive time as Timestamp.
Monitor for Malicious Attachments
EmailAttachmentInfo
| where FileName endswith ".exe" or FileName endswith ".docm"
| summarize count() by FileName, SenderFromAddress, bin(Timestamp, 1h)
Description: Identifies emails containing potentially malicious attachments.
Flag Emails with Suspicious Subjects
EmailEvents
| where Subject contains "urgent" or Subject contains "invoice"
| summarize count() by SenderFromAddress, Subject, bin(Timestamp, 1h)
Description: Looks for common phishing subject lines, such as "urgent" or "invoice".
Velociraptor VQL
Search for Suspicious Office Documents
SELECT OSPath, Size, Btime
FROM glob(globs="C:/Users/**/*.docm")
ORDER BY Btime DESC
Description: Finds recently created Office documents with macros enabled (.docm), newest first.
Identify PowerShell Commands
SELECT Pid, Name, Username, CommandLine
FROM pslist()
WHERE CommandLine =~ "(?i)powershell.*DownloadString"
Description: Detects running PowerShell processes whose command line downloads content, a pattern commonly associated with malicious payload retrieval.
Monitor New Executables in Downloads Folder
SELECT OSPath, Size, Btime
FROM glob(globs="C:/Users/*/Downloads/*.exe")
ORDER BY Btime DESC
Description: Flags newly downloaded executables in each user's Downloads folder.
Splunk SPL
Email Attachment Analysis
index=email sourcetype=mail_logs
| search attachment="*.exe" OR attachment="*.docm"
| stats count by sender, attachment
Description: Identifies suspicious attachments in emails.
High Volume Emails from Single Sender
index=email sourcetype=mail_logs
| stats count by sender
| where count > 5
Description: Flags high email volume from a single sender, potentially indicative of phishing campaigns.
Keywords in Email Subject
index=email sourcetype=mail_logs
| search subject="*urgent*" OR subject="*payment*"
| stats count by sender, subject
Description: Searches for phishing-like keywords in email subjects.
3. External Remote Services
Attackers exploit remote access services like RDP, VPNs, or SSH to gain a foothold.
KQL Queries
Detect RDP Authentication Failures
SecurityEvent
| where EventID == 4625 and LogonType == 10
| summarize count() by Account, IpAddress, bin(TimeGenerated, 1h)
Description: Flags failed RDP login attempts (LogonType 10) per account and source address. In the SecurityEvent table the source column is IpAddress.
VPN Logon from Unusual Locations
SigninLogs
| where AppDisplayName == "VPN" and Location != "ExpectedLocation"
| summarize count() by UserPrincipalName, Location, bin(TimeGenerated, 1h)
Description: Detects VPN logins from unexpected geographic locations. "VPN" and "ExpectedLocation" are placeholders: substitute the VPN application's display name and the expected two-letter country code that SigninLogs records in Location.
Repeated Brute-Force Attempts
SigninLogs
| where ResultType == "50126"  // invalid username or password
| summarize Count=count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
Description: Identifies accounts targeted by brute-force attacks. SigninLogs records the outcome in ResultType ("0" is success; "50126" is a bad credential), so the filter uses that code rather than matching the free-text description.
Velociraptor VQL
Search for Failed Logins
SELECT System.TimeCreated.SystemTime AS Time, EventData.TargetUserName, EventData.IpAddress, EventData.LogonType
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4625 AND EventData.LogonType = 10
Description: Finds failed login attempts for RDP sessions (LogonType 10) in the Security event log, including the target account and source address.
Monitor Remote Services
SELECT Pid, Name, Username, CommandLine
FROM pslist()
WHERE Name =~ "(?i)mstsc.exe"
Description: Tracks usage of the mstsc.exe utility for remote desktop sessions.
Monitor for VPN Software Execution
SELECT Pid, Name, Username, CommandLine, Exe
FROM pslist()
WHERE Name =~ "(?i)openvpn" OR CommandLine =~ "(?i)openvpn"
Description: Detects OpenVPN usage, which could indicate unauthorised remote access.
Splunk SPL
Failed RDP Logins
index=authentication sourcetype=windows:security
| search EventCode=4625 LogonType=10
| stats count by AccountName, src_ip
Description: Flags failed RDP login attempts.
VPN Logins from New Locations
index=authentication sourcetype=vpn_logs
| stats dc(Location) as location_count by user
| where location_count > 1
Description: Identifies VPN logins from more than one location for the same user. The distinct count is aliased with "as" so the where clause can reference it by a plain field name.
Repeated Login Failures
index=authentication sourcetype=windows:security
| search EventCode=4625
| stats count by src_ip, AccountName
Description: Highlights accounts targeted by repeated login failures.
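The KQL, VQL and SPL queries in this section all count 4625/LogonType 10 events by account and source. This added example (not part of the original page) shows the next analytic step a practitioner usually wants: over a constructed list of Security events it separates a brute force against one account from a password spray across many accounts, using a sliding time window, and also flags a successful RDP logon (4624) that follows failures for the same account from the same source. Thresholds and the window are assumptions chosen for the sample.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security events: (timestamp, EventID, LogonType, account, source IP).
SAMPLE_EVENTS = [
    ("2025-01-10T08:00:00", 4625, 10, "alice", "203.0.113.7"),
    ("2025-01-10T08:00:02", 4625, 10, "alice", "203.0.113.7"),
    ("2025-01-10T08:00:04", 4625, 10, "alice", "203.0.113.7"),
    ("2025-01-10T08:00:06", 4625, 10, "alice", "203.0.113.7"),
    ("2025-01-10T08:00:08", 4625, 10, "alice", "203.0.113.7"),
    ("2025-01-10T08:00:30", 4624, 10, "alice", "203.0.113.7"),  # success right after failures
    ("2025-01-10T08:10:00", 4625, 10, "bob", "198.51.100.4"),
    ("2025-01-10T08:10:01", 4625, 10, "carol", "198.51.100.4"),
    ("2025-01-10T08:10:02", 4625, 10, "dave", "198.51.100.4"),
    ("2025-01-10T08:10:03", 4625, 10, "erin", "198.51.100.4"),
    ("2025-01-10T09:00:00", 4625, 10, "frank", "192.0.2.9"),    # single typo, below threshold
    ("2025-01-10T09:30:00", 4625, 3, "svc", "192.0.2.9"),       # network logon, not RDP
]


def detect_rdp_attacks(events, window=timedelta(minutes=5), fail_threshold=5, spray_accounts=3):
    """Return sorted alert tuples for RDP brute force, password spray and success-after-failures."""
    failures = defaultdict(list)  # source IP -> [(time, account)] for LogonType 10 failures
    alerts = set()
    for ts, event_id, logon_type, account, ip in sorted(events):  # ISO timestamps sort correctly
        if logon_type != 10:
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[ip].append((t, account))
        elif event_id == 4624 and any(a == account and t - ft <= window for ft, a in failures[ip]):
            alerts.add(("success_after_failures", ip, account))
    for ip, fails in failures.items():
        for i, (start, _) in enumerate(fails):  # sliding window anchored at each failure
            win = [f for f in fails[i:] if f[0] - start <= window]
            if len(win) >= fail_threshold:
                alerts.add(("brute_force", ip))
            if len({a for _, a in win}) >= spray_accounts:
                alerts.add(("password_spray", ip))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_EVENTS):
        print(alert)
```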
The included descriptions and multiple queries for each technique should aid investigations using KQL, Velociraptor, and Splunk, ultimately enhancing detection and response capabilities in a Windows environment.