RootGuard
Gaining Access to the Network

Introduction

The first phase of the Unified Kill Chain model is Gaining an Initial Foothold, and its first stage is Gaining Access to the Network. This stage covers how adversaries get into a target environment and establish unauthorised access. It is critical because it lays the foundation for every later stage of an attack, such as lateral movement and data exfiltration, and understanding the tactics and techniques used here is essential for effective detection, investigation, and response. In a Windows environment, attackers commonly achieve initial access through the following techniques:

  • Exploiting Public-Facing Applications: Attackers often target vulnerabilities in web applications or services exposed to the internet, such as web servers or APIs, to inject malicious code or gain unauthorised access.

  • Phishing: Malicious emails designed to trick users into clicking on links or opening attachments containing malware remain one of the most prevalent methods for gaining initial access.

  • External Remote Services: Attackers exploit poorly secured remote access protocols like RDP, VPNs, or SSH to gain a foothold, often using brute force or stolen credentials.

  • Valid Accounts: Using compromised or stolen credentials, attackers log in as legitimate users to bypass basic security measures.

  • Drive-by Compromise: By hosting malicious code on compromised or rogue websites, attackers trick users into downloading malware during regular browsing.

  • Supply Chain Compromise: Adversaries infiltrate third-party vendors or software providers to distribute malware through legitimate software updates or packages.

  • Trusted Relationships: Exploiting relationships with trusted third-party vendors or partners to gain access to internal systems.

  • Replication Through Removable Media: The use of infected USB drives or other removable media to deliver malicious payloads when connected to the target system.

By applying the Unified Kill Chain model, investigators can systematically analyse the techniques used during this phase, identify relevant indicators of compromise (IOCs), and map the attacker’s behaviour to defensive strategies. This structured approach enhances detection and response efforts, enabling defenders to disrupt adversaries early in the attack lifecycle.

The following are basic KQL, Velociraptor, and Splunk queries used to investigate these techniques.

The sections below give KQL (Microsoft Sentinel and Defender XDR advanced hunting), Velociraptor VQL, and Splunk SPL queries for the first three techniques of Phase 1 – Gaining an Initial Foothold: exploiting public-facing applications, phishing, and external remote services. Each query comes with a description of what it does and why. Table and field names depend on which connector or add-on populates the data, so treat them, and the thresholds, as starting points to be tuned against your own baseline.

1. Exploiting Public-Facing Applications

Attackers often exploit vulnerabilities in public-facing applications, such as web servers or APIs, to gain unauthorised access.

KQL Queries

Identify SQL Injection Attempts

AzureDiagnostics
| where Category == "ApplicationGatewayFirewallLog"
| where Message has "SQL Injection" or ruleId_s startswith "942"
| summarize Hits = count(), Uris = make_set(requestUri_s, 10) by clientIp_s, bin(TimeGenerated, 1h)
| where Hits > 5
| order by Hits desc

Description: Searches Application Gateway WAF logs for SQL injection detections, either by the rule message or by the OWASP Core Rule Set rule group 942xxx (SQL injection), and groups hits per client per hour. Matching the bare phrase "select *" in raw messages produces false positives on any request that happens to contain it; a rule-ID match is far more precise. AzureDiagnostics column names carry type suffixes (_s, _d) and differ by resource type; the names here are those of Application Gateway diagnostics and need adjusting for other WAFs or for the resource-specific tables.

Detect Unusual POST Requests

AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where httpMethod_s == "POST" and requestUri_s has ".php"
| summarize Requests = count(), Paths = make_set(requestUri_s, 10) by clientIP_s, bin(TimeGenerated, 1h)
| order by Requests desc

Description: Lists POST requests targeting .php paths. This is only meaningful on a site that does not serve PHP, where it reveals untargeted scanning or web shell probing; swap the extension for whatever the application does not use (.aspx, .jsp, .cgi) so the query fires on anomalies rather than normal traffic. Note that the access log uses clientIP_s while the firewall log uses clientIp_s.

Monitor Error Messages Suggesting Vulnerabilities

AzureDiagnostics
| where Category == "ApplicationGatewayAccessLog"
| where httpStatus_d in (401, 403, 500)
| summarize Errors = count(), Statuses = make_set(httpStatus_d), Paths = make_set(requestUri_s, 10) by clientIP_s, bin(TimeGenerated, 15m)
| where Errors > 20
| order by Errors desc

Description: Flags clients that generate bursts of 401, 403 or 500 responses within a 15-minute window. Repeated 500s from one source usually mean malformed or injected input is reaching the back end; repeated 401/403s indicate authentication or authorisation probing. Bucket the timestamp with bin() rather than grouping on the raw TimeGenerated, otherwise every row is its own group and the count is always 1.

Velociraptor VQL

Identify Suspicious Child Processes of the Web Server

SELECT System.TimeCreated.SystemTime AS Time,
       EventData.ParentProcessName AS Parent,
       EventData.NewProcessName AS Process,
       EventData.CommandLine AS CommandLine
FROM parse_evtx(filename='C:/Windows/System32/winevt/Logs/Security.evtx')
WHERE System.EventID.Value = 4688
  AND EventData.ParentProcessName =~ '(?i)w3wp\\.exe|httpd\\.exe|tomcat'
  AND EventData.CommandLine =~ '(?i)cmd\\.exe|powershell|whoami|certutil|net\\s+user'

Description: Parses the Security event log for process creation events (4688) whose parent is the web server worker process. A web shell or remote code execution exploit typically shows up as w3wp.exe spawning cmd.exe or powershell.exe. The CommandLine field is only populated when the "Include command line in process creation events" audit policy is enabled; without it, rely on the parent and child names alone.

Detect Web Shell Creation

SELECT OSPath, Size, Btime, Mtime
FROM glob(globs='C:/inetpub/wwwroot/**/*.{aspx,ashx,asmx,php,jsp}')
WHERE Btime > timestamp(epoch=now() - 7 * 86400)
ORDER BY Btime DESC

Description: Lists script files created in the IIS web root during the last seven days, newest first. Velociraptor globs use / as the separator and support ** for recursion and {a,b} alternatives; the =~ operator is a regular-expression match, not a wildcard match, so shell-style * patterns belong in glob() rather than in the WHERE clause.

Identify Scanner Traffic in IIS Logs

SELECT OSPath, Line
FROM foreach(
  row={ SELECT OSPath FROM glob(globs='C:/inetpub/logs/LogFiles/W3SVC*/*.log') },
  query={ SELECT OSPath, Line FROM parse_lines(filename=OSPath)
          WHERE Line =~ '(?i)sqlmap|nikto|nmap|masscan|dirbuster' })

Description: Velociraptor runs on the endpoint and does not observe HTTP traffic directly, so the nearest equivalent is reading the IIS W3C logs and matching the user-agent strings of automated tools such as sqlmap. Careful attackers set a browser-like user agent, so pair this with the error-rate and SQL-keyword queries on this page.

Splunk SPL

SQL Keywords in URL Queries

index=web_logs sourcetype=access_combined
| eval q=lower(urldecode(uri_query))
| where match(q, "union\s+(all\s+)?select|\bsleep\(|benchmark\(|information_schema|'\s*or\s+\d+\s*=\s*\d+")
| stats count values(uri_query) as samples by clientip
| sort - count

Description: URL-decodes the query string before matching SQL injection patterns, so encoded payloads (%20UNION%20SELECT) are caught, and anchors on multi-word SQL constructs rather than the bare word "select", which appears in legitimate search queries and would otherwise flood the results.

POST Requests with Large Payloads

index=web_logs sourcetype=access_combined method=POST
| where bytes > 10000
| stats count max(bytes) as max_bytes values(uri_path) as paths by clientip
| sort - max_bytes

Description: Flags POST requests with large transfers, which can indicate file uploads to a web shell or bulk data extraction through an injected query. In access_combined the bytes field is the response size; to alert on request body size the web server must log it (for example Apache's mod_logio %I directive) and the field extraction must be adjusted to match.

Frequent 404 Errors

index=web_logs sourcetype=access_combined status=404
| bin _time span=5m
| stats count dc(uri_path) as distinct_paths by clientip, _time
| where count > 50
| sort - count

Description: Flags clients that request many distinct, non-existent paths within five minutes, the signature of directory brute-forcing and vulnerability scanning. A high count against a single path is more likely a broken link than a scan, which is why distinct_paths is shown alongside the count.
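The web-log checks above share two weaknesses that a query engine hides: matching on the bare word "select", and matching before the query string has been URL-decoded. As an added example (not code from the original page), the following Python runs the same section 1 detection logic over a few constructed Apache-style combined log lines: it decodes the query string twice before matching, requires multi-word SQL constructs, flags scanner user agents, and counts distinct 404 paths per client. The log lines, IP addresses (documentation ranges) and thresholds are invented for the demonstration.

```python
"""Section 1 detection logic run over constructed web-server access-log lines (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/NGINX "combined" log format: the same fields Splunk's access_combined sourcetype extracts.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Multi-word SQL constructs rather than the bare word "select", which appears in legitimate searches.
SQLI = re.compile(
    r"\bunion\b.{0,20}\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|\bbenchmark\s*\(|information_schema",
    re.I,
)
SCANNER_UA = re.compile(r"sqlmap|nikto|nmap|masscan|dirbuster", re.I)


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    path, _, query = rec["uri"].partition("?")
    rec["path"] = path
    # Decode twice: attackers double-encode (%2527 -> %27 -> ') to slip past single-pass keyword matches.
    rec["query"] = unquote_plus(unquote_plus(query))
    return rec


def analyse(lines, not_found_threshold=3):
    """Map client IP -> sorted list of findings for the lines given."""
    findings = defaultdict(set)
    not_found = defaultdict(set)  # distinct missing paths per client
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if SQLI.search(rec["query"]):
            findings[ip].add("sqli")
        if SCANNER_UA.search(rec["ua"]):
            findings[ip].add("scanner-ua")
        if rec["status"] == 404:
            not_found[ip].add(rec["path"])
    # Many distinct 404 paths from one client is scanning; one path repeated is usually a broken link.
    for ip, paths in not_found.items():
        if len(paths) >= not_found_threshold:
            findings[ip].add("404-burst")
    return {ip: sorted(tags) for ip, tags in findings.items()}


# Constructed sample: two attackers and one legitimate user whose search happens to contain "select".
SAMPLE = [
    '203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /products.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 512 "-" "sqlmap/1.7"',
    '203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /products.php?id=1%2527%2520or%25201%253D1 HTTP/1.1" 500 0 "-" "sqlmap/1.7"',
    '198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:01:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Mar/2024:10:02:00 +0000] "GET /search?q=select+a+product HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, tags in analyse(SAMPLE).items():
        print(ip, tags)
```

The second sqlmap line is double-encoded; a single decode leaves it as `%27%20or%201%3D1`, which a keyword filter misses. The legitimate search for "select a product" is not flagged, which is the point of anchoring on constructs such as `union ... select` rather than single words.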


2. Phishing

Attackers deliver malicious payloads or steal credentials through phishing emails.

KQL Queries

Identify Emails from Suspicious Domains

EmailEvents
| where EmailDirection == "Inbound" and DeliveryAction == "Delivered"
| where SenderFromDomain endswith ".ru" or SenderFromDomain endswith ".cn"
    or SenderFromDomain != SenderMailFromDomain
| summarize Emails = count(), Recipients = dcount(RecipientEmailAddress) by SenderFromAddress, SenderMailFromDomain, Subject, bin(Timestamp, 1d)
| order by Recipients desc

Description: Searches delivered inbound mail for senders from high-risk top-level domains (adjust the list to domains your organisation never legitimately receives) and for messages where the header From domain differs from the envelope MAIL FROM domain, a common trait of spoofed phishing. Expect noise from bulk-mail providers on the second condition and allowlist them as they surface. EmailEvents is a Defender for Office 365 table available in advanced hunting and, through the Microsoft 365 Defender connector, in Sentinel.

Monitor for Malicious Attachments

EmailAttachmentInfo
| extend Extension = tolower(extract(@"\.([A-Za-z0-9]{1,5})$", 1, FileName))
| where Extension in ("exe", "scr", "js", "vbs", "hta", "lnk", "iso", "img", "docm", "xlsm", "pptm")
| join kind=inner (EmailEvents | project NetworkMessageId, Subject, DeliveryAction) on NetworkMessageId
| summarize Emails = count(), Recipients = dcount(RecipientEmailAddress) by FileName, SenderFromAddress, Subject, DeliveryAction, bin(Timestamp, 1d)

Description: Identifies emails carrying executables, script files, disk-image containers (used to bypass Mark-of-the-Web) and macro-enabled Office documents, joined to EmailEvents for the subject and delivery verdict. DeliveryAction shows whether the message reached a mailbox or was blocked, which decides whether there is anything to respond to.

Flag Emails with Suspicious Subjects

EmailEvents
| where EmailDirection == "Inbound"
| where Subject has_any ("urgent", "invoice", "payment", "password", "verify", "overdue")
| summarize Emails = count(), Recipients = dcount(RecipientEmailAddress) by SenderFromAddress, Subject, bin(Timestamp, 1d)
| where Recipients > 5
| order by Recipients desc

Description: Looks for common phishing lure words in the subjects of inbound mail, then keeps only senders that hit several recipients with the same subject in a day, which separates a campaign from a genuine invoice. has_any matches whole terms, so "urgent" does not match "urgently"; add the variants you see.

Velociraptor VQL

Search for Suspicious Office Documents

SELECT OSPath, Size, Btime, Mtime
FROM glob(globs=[
    'C:/Users/*/{Downloads,Desktop}/**/*.{docm,xlsm,pptm,dotm}',
    'C:/Users/*/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/*/*.{docm,xlsm,pptm}'])
WHERE Btime > timestamp(epoch=now() - 7 * 86400)
ORDER BY Btime DESC

Description: Finds macro-enabled Office documents created in the last seven days in user Downloads and Desktop folders and in the Outlook attachment cache, where files opened directly from the mail client land. Btime is the NTFS creation time; Mtime is the last modification.

Identify PowerShell Commands

SELECT Pid, Ppid, Name, Username, CommandLine
FROM pslist()
WHERE CommandLine =~ '(?i)powershell.*(DownloadString|DownloadFile|Invoke-Expression|IEX|FromBase64String|-enc)'

Description: Lists running PowerShell processes whose command line contains download cradles or encoded payloads, the typical second stage of a macro or LNK lure. pslist() is a point-in-time snapshot; for processes that have already exited, run the same pattern against Security 4688 events (with command-line auditing enabled) or PowerShell Operational 4104 script block logs.

Monitor New Executables in Downloads Folder

SELECT OSPath, Size, Btime, hash(path=OSPath).SHA256 AS SHA256
FROM glob(globs='C:/Users/*/Downloads/**/*.{exe,scr,msi,js,hta,lnk,iso,img}')
WHERE Btime > timestamp(epoch=now() - 7 * 86400)

Description: Flags recently downloaded executables, scripts and disk images and hashes them, so the SHA256 can be checked against threat intelligence or used to hunt for the same file across the fleet.

Splunk SPL

Email Attachment Analysis

index=email sourcetype=mail_logs
| search attachment="*.exe" OR attachment="*.scr" OR attachment="*.js" OR attachment="*.docm" OR attachment="*.xlsm" OR attachment="*.iso"
| stats count dc(recipient) as recipients values(subject) as subjects by sender, attachment
| sort - recipients

Description: Identifies messages carrying executable, script, macro-enabled or disk-image attachments and shows how many recipients each sender and attachment pair reached. mail_logs stands for whichever mail gateway sourcetype feeds Splunk, and the recipient field assumes that add-on extracts one; adjust both to the gateway in use.

High Volume Emails from Single Sender

index=email sourcetype=mail_logs earliest=-1h
| stats count dc(recipient) as recipients values(subject) as subjects by sender
| where count > 5 AND recipients > 5

Description: Flags senders that hit many distinct recipients within the last hour, the pattern of a phishing campaign. Without the time bound and the distinct-recipient check, a raw count mostly returns legitimate high-volume senders such as ticketing systems; allowlist those as they appear.

Keywords in Email Subject

index=email sourcetype=mail_logs
| search subject="*urgent*" OR subject="*payment*" OR subject="*invoice*" OR subject="*password*"
| stats count dc(recipient) as recipients by sender, subject
| sort - recipients

Description: Searches for phishing lure words in email subjects and ranks sender and subject pairs by how many recipients they reached.
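The phishing queries above key on extensions and subject words, which is where most triage starts, but an analyst also checks the sender domain and the attachment name more closely. As an added example (not code from the original page), the following Python runs those section 2 checks over constructed email metadata and goes a little beyond the page's keyword matching: it normalises attachment extensions (case, padding, double extensions such as invoice.pdf.exe, right-to-left override characters), scores the From domain as a lookalike of the organisation's domain by edit distance, flags Punycode labels, and catches display names that carry an internal address while the real From domain is external. The messages, the domains (example.com stands in for the defended organisation) and the word lists are invented for the demonstration.

```python
"""Section 2 phishing triage over constructed email metadata (added example)."""
import re

# Executable, script, container and macro-enabled types the attachment queries look for.
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "lnk", "iso", "img", "docm", "xlsm", "pptm", "dotm"}
# Benign-looking extensions used as decoys in double-extension names such as invoice.pdf.exe
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xlsx", "txt", "jpg", "png"}
# Lure words from the subject-line queries.
LURE_WORDS = re.compile(r"\b(urgent|invoice|payment|password|verify|overdue|suspended)\b", re.I)
RTLO = "\u202e"  # right-to-left override; reverses how the rest of the filename is displayed


def extensions(filename):
    """All dotted suffixes, lower-cased, with padding stripped ('report.pdf .exe' -> ['pdf', 'exe'])."""
    parts = [p.strip().lower() for p in filename.split(".")]
    return parts[1:] if len(parts) > 1 else []


def attachment_findings(filename):
    exts = extensions(filename)
    findings = []
    if exts and exts[-1] in RISKY_EXTENSIONS:
        findings.append("risky-extension")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and exts[-1] in RISKY_EXTENSIONS:
        findings.append("double-extension")
    if RTLO in filename:
        findings.append("rtlo-character")
    return findings


def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character lookalikes of the organisation's domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_findings(from_address, display_name, org_domain):
    findings = []
    domain = from_address.rsplit("@", 1)[-1].lower()
    if any(label.startswith("xn--") for label in domain.split(".")):
        findings.append("punycode-domain")  # IDN homoglyph domains arrive as xn-- labels
    is_ours = domain == org_domain or domain.endswith("." + org_domain)
    if not is_ours and levenshtein(domain, org_domain) <= 2:
        findings.append("lookalike-domain")
    # Display name carries an internal address while the real From domain is external
    m = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", display_name or "")
    if m and m.group(1).lower() == org_domain and not is_ours:
        findings.append("display-name-spoof")
    return findings


def triage(message, org_domain="example.com"):
    """Sorted findings for one message dict with from, display_name, subject and attachments keys."""
    findings = set(sender_findings(message["from"], message.get("display_name", ""), org_domain))
    for name in message.get("attachments", []):
        findings.update(attachment_findings(name))
    if LURE_WORDS.search(message.get("subject", "")):
        findings.add("lure-subject")
    return sorted(findings)


# Constructed sample messages; example.com stands in for the defended organisation.
SAMPLE = [
    {"from": "accounts@examp1e.com", "display_name": "Accounts Payable",
     "subject": "URGENT: overdue invoice", "attachments": ["Invoice_2024.pdf.exe"]},
    {"from": "it-helpdesk@mail-service.test", "display_name": "IT Support <helpdesk@example.com>",
     "subject": "Verify your password", "attachments": ["Form.DOCM"]},
    {"from": "newsletter@partner.example.com", "display_name": "Partner News",
     "subject": "Monthly update", "attachments": ["Update.pdf"]},
]

if __name__ == "__main__":
    for msg in SAMPLE:
        print(msg["from"], triage(msg))
```

The third message comes from a subdomain of the organisation's own domain and is deliberately left clean: a lookalike check that fires on your own subdomains is unusable, so the edit-distance test is skipped for them.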


3. External Remote Services

Attackers exploit remote access services like RDP, VPNs, or SSH to gain a foothold.

KQL Queries

Detect RDP Authentication Failures

SecurityEvent
| where EventID == 4625 and LogonType in (3, 10)
| summarize Failures = count(), Accounts = dcount(TargetUserName), Targets = make_set(Computer, 5) by IpAddress, bin(TimeGenerated, 10m)
| where Failures > 10
| order by Failures desc

Description: Flags source addresses generating bursts of failed remote logons. LogonType 10 (RemoteInteractive) is only recorded for RDP failures when Network Level Authentication is disabled; with NLA on, the CredSSP pre-authentication failure is logged as LogonType 3 (Network), so a query restricted to type 10 misses most modern RDP brute force. The column is IpAddress (lower-case p) in SecurityEvent, and 4625 is only written if failure auditing for the Logon subcategory is enabled on the target.

VPN Logon from Unusual Locations

SigninLogs
| where ResultType == "0"
| where AppDisplayName has "VPN"
| where Location !in ("GB", "US")
| summarize SignIns = count(), IPs = make_set(IPAddress, 5) by UserPrincipalName, Location, bin(TimeGenerated, 1h)
| order by SignIns desc

Description: Detects successful sign-ins to the VPN application from countries outside the expected set. Location holds the ISO country code of the sign-in, and "GB" and "US" here are placeholders for wherever your users actually work. AppDisplayName must match the name under which the VPN is registered as an enterprise application in Entra ID, so this only applies to VPNs that authenticate through Entra.

Repeated Brute-Force Attempts

SigninLogs
| where ResultType == "50126"
| summarize Failures = count(), Accounts = dcount(UserPrincipalName), Sample = make_set(UserPrincipalName, 5) by IPAddress, bin(TimeGenerated, 10m)
| where Failures > 20
| extend Pattern = iff(Accounts > 10, "password spray", "brute force")
| order by Failures desc

Description: Identifies source IPs with bursts of invalid-credential failures. ResultType 50126 is "invalid username or password"; Status in SigninLogs is a dynamic object rather than a string, so filter on ResultType. Many failures against few accounts is brute force; many failures spread thinly across many accounts is password spraying, which per-account thresholds never catch.

Velociraptor VQL

Search for Failed Logins

SELECT System.TimeCreated.SystemTime AS Time,
       EventData.TargetUserName AS User,
       EventData.IpAddress AS SourceIP,
       EventData.WorkstationName AS Workstation,
       EventData.LogonType AS LogonType,
       EventData.SubStatus AS SubStatus
FROM parse_evtx(filename='C:/Windows/System32/winevt/Logs/Security.evtx')
WHERE System.EventID.Value = 4625 AND EventData.LogonType in (3, 10)

Description: Finds failed remote logons in the local Security log. Both type 10 (RDP without NLA) and type 3 (RDP with NLA, SMB, WinRM) are included because NLA-protected RDP failures are recorded as network logons. SubStatus explains why the logon failed: 0xC000006A is a wrong password, 0xC0000064 a non-existent user (useful for spotting username enumeration) and 0xC0000234 a locked-out account.

Monitor Remote Services

SELECT Pid, Ppid, Name, Username, CommandLine, CreateTime
FROM pslist()
WHERE Name =~ '(?i)^mstsc\\.exe$'

Description: Lists running Remote Desktop client instances. mstsc.exe is the client, so a hit means this host is the source of an RDP session, which matters when a compromised host is being used to pivot. Inbound RDP onto this host is evidenced by 4624 events with LogonType 10 and by processes such as rdpclip.exe running in the remote user's session.

Monitor for VPN Software Execution

SELECT Pid, Name, Exe, Username, CommandLine
FROM pslist()
WHERE Name =~ '(?i)openvpn|wireguard'

Description: Detects OpenVPN or WireGuard clients running on the host. Where the organisation does not use these products, their presence suggests an unauthorised tunnel out of, or into, the network.

Splunk SPL

Failed RDP Logins

index=authentication sourcetype="WinEventLog:Security" EventCode=4625 Logon_Type IN (3, 10)
| eval target=mvindex(Account_Name, -1)
| stats count dc(target) as accounts values(target) as sample by Source_Network_Address
| where count > 10
| sort - count

Description: Flags source addresses with repeated failed remote logons. Account_Name is multivalued in 4625 (the subject account first, the target account second), so mvindex(..., -1) picks the account that was actually attacked. Field names are those of the Splunk Add-on for Microsoft Windows' WinEventLog extraction; XmlWinEventLog inputs use LogonType, TargetUserName and IpAddress instead. Type 3 is included because NLA-protected RDP failures are logged as network logons.

VPN Logins from New Locations

index=authentication sourcetype=vpn_logs action=success
| stats dc(Location) as locations values(Location) as seen earliest(_time) as first latest(_time) as last by user
| where locations > 1
| convert ctime(first) ctime(last)

Description: Identifies users who connected to the VPN from more than one location in the search window, with the locations seen and when. A stats output must be aliased (dc(Location) as locations) before it can be tested in where. The action=success filter assumes the VPN add-on extracts an outcome field; adjust it to the gateway in use.

Repeated Login Failures

index=authentication sourcetype="WinEventLog:Security" EventCode=4625
| eval target=mvindex(Account_Name, -1)
| bin _time span=10m
| stats count by _time, target, Source_Network_Address
| where count > 10
| sort - count

Description: Highlights accounts receiving repeated login failures from one source within ten minutes, across all logon types. Bursts that stop just under the domain lockout threshold are characteristic of tooling that deliberately avoids locking accounts out.
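The three query languages above each express the same 4625 triage: keep remote logon types, group failures per source in a time window, and tell spraying apart from brute force. As an added example (not code from the original page), the following Python runs that section 3 logic over constructed 4625 records with the fields the VQL and SPL queries extract. It shows the NLA caveat concretely (the spraying source never produces a LogonType 10 event, so a type-10-only filter returns nothing for it), decodes the SubStatus codes, and uses a sliding window so that a stale failure hours earlier does not inflate the count. The records, IP addresses (documentation ranges), account names and thresholds are invented for the demonstration.

```python
"""Section 3 triage of Windows 4625 failed-logon events over constructed records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known NTSTATUS values carried in the 4625 SubStatus field.
SUBSTATUS = {
    "0xc0000064": "user does not exist",
    "0xc000006a": "wrong password",
    "0xc0000234": "account locked out",
    "0xc0000072": "account disabled",
    "0xc000006f": "outside allowed logon hours",
}
# Failed RDP is LogonType 10 only when NLA is off; with NLA the CredSSP failure is a type 3 network logon.
REMOTE_LOGON_TYPES = {3, 10}


def remote_failures(events):
    """Keep 4625 events whose logon type indicates a remote (network or RDP) attempt."""
    return [e for e in events if e["EventID"] == 4625 and e["LogonType"] in REMOTE_LOGON_TYPES]


def classify(events, window=timedelta(minutes=10), min_failures=5, spray_accounts=3):
    """Per source IP, find the densest window of failures and label it spray or brute force."""
    by_ip = defaultdict(list)
    for e in sorted(remote_failures(events), key=lambda ev: ev["Time"]):
        by_ip[e["IpAddress"]].append(e)
    results = {}
    for ip, evs in by_ip.items():
        start, best = 0, []
        for end in range(len(evs)):  # sliding window over time-ordered events
            while evs[end]["Time"] - evs[start]["Time"] > window:
                start += 1
            if end - start + 1 > len(best):
                best = evs[start:end + 1]
        if len(best) < min_failures:
            continue
        accounts = {e["TargetUserName"].lower() for e in best}
        results[ip] = {
            "failures": len(best),
            "accounts": len(accounts),
            # many accounts with few tries each is spraying; one account hammered is brute force
            "pattern": "password spray" if len(accounts) >= spray_accounts else "brute force",
            "reasons": sorted({SUBSTATUS.get(e["SubStatus"].lower(), e["SubStatus"]) for e in best}),
            "nla_type3": sum(1 for e in best if e["LogonType"] == 3),
        }
    return results


def _ev(hour, minute, user, ip, logon_type, substatus):
    """Constructed 4625 record carrying the fields the VQL and SPL queries extract."""
    return {"EventID": 4625, "Time": datetime(2024, 3, 10, hour, minute), "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type, "SubStatus": substatus}


SAMPLE = (
    # one source, eight accounts, one try each, all through NLA (type 3): password spray
    [_ev(9, i, f"user{i:02d}", "203.0.113.9", 3, "0xC000006A") for i in range(8)]
    # same source hours earlier, outside any 10-minute window, so it must not count
    + [_ev(2, 0, "svc_backup", "203.0.113.9", 3, "0xC0000064")]
    # one source hammering administrator over RDP without NLA (type 10) until lockout: brute force
    + [_ev(9, i, "administrator", "198.51.100.3", 10, "0xC000006A") for i in range(5)]
    + [_ev(9, 5, "administrator", "198.51.100.3", 10, "0xC0000234")]
    # interactive console typo (type 2): not remote, ignored
    + [_ev(9, 1, "jsmith", "-", 2, "0xC000006A")]
)

if __name__ == "__main__":
    for ip, summary in classify(SAMPLE).items():
        print(ip, summary)
```

Run as a script it prints one summary per offending source. The spray source is reported with eight accounts and eight type 3 events, which is exactly the activity a `LogonType == 10` filter would discard, and the brute-force source shows the lockout reason alongside the wrong-password failures that preceded it.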


These descriptions and queries should aid investigations using KQL, Velociraptor, and Splunk and so strengthen detection and response in a Windows environment. Treat every threshold, index name and domain list above as a starting point to be tuned against your own baseline: the query that surfaces an intrusion in one environment is pure noise in another.

Last updated 4 months ago