The first phase of the Unified Kill Chain model is Gaining an Initial Foothold. The first stage within this phase is Gaining Access to the Network, which covers how adversaries break into a target environment and establish unauthorised access. This stage is critical because it lays the foundation for everything that follows, such as lateral movement and data exfiltration. Understanding the tactics and techniques attackers use here is essential for effective threat detection, investigation and response. The following techniques are commonly employed by attackers to achieve initial access in, for example, a Windows environment:
Exploiting Public-Facing Applications: Attackers often target vulnerabilities in web applications or services exposed to the internet, such as web servers or APIs, to inject malicious code or gain unauthorised access.
Phishing: Malicious emails designed to trick users into clicking on links or opening attachments containing malware remain one of the most prevalent methods for gaining initial access.
External Remote Services: Attackers abuse poorly secured remote access services such as RDP, VPNs or SSH to gain a foothold, typically by brute-forcing passwords or using stolen credentials.
Valid Accounts: Using compromised or stolen credentials, attackers log in as legitimate users to bypass basic security measures.
Drive-by Compromise: By planting malicious code on compromised or attacker-controlled websites, attackers infect visitors' systems during ordinary browsing, either by exploiting the browser directly or by tricking the user into running a download.
Supply Chain Compromise: Adversaries infiltrate third-party vendors or software providers to distribute malware through legitimate software updates or packages.
Trusted Relationships: Exploiting relationships with trusted third-party vendors or partners to gain access to internal systems.
Replication Through Removable Media: The use of infected USB drives or other removable media to deliver malicious payloads when connected to the target system.
By applying the Unified Kill Chain model, investigators can systematically analyse the techniques used during this phase, identify relevant indicators of compromise (IOCs), and map the attacker’s behaviour to defensive strategies. This structured approach enhances detection and response efforts, enabling defenders to disrupt adversaries early in the attack lifecycle.
The following are basic KQL (Microsoft Sentinel), Velociraptor VQL and Splunk SPL queries for investigating each technique in Phase 1, Gaining an Initial Foothold, with a description of what each query does and several query examples per technique.
1. Exploiting Public-Facing Applications
Attackers often exploit vulnerabilities in public-facing applications, such as web servers or APIs, to gain unauthorised access.
KQL Queries
Identify SQL Injection Attempts
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and Category == "ApplicationGatewayFirewallLog"
| where Message contains "SQL Injection"
    or requestUri_s contains "union select" or requestUri_s contains "union%20select" or requestUri_s contains "select *"
| summarize Hits = count() by clientIp_s, ruleId_s, Message, bin(TimeGenerated, 1h)
| order by Hits desc
Description: Searches Application Gateway WAF logs for SQL injection rule matches or SQL keywords in the request URI and counts them per client and hour. Match the URL-encoded form as well: the payload arrives as "union%20select", not "union select". Summarising on a bin of TimeGenerated rather than the raw timestamp is what produces per-hour counts; grouping by the exact timestamp yields one row per event. Column names differ by log source (W3CIISLog, AppServiceHTTPLogs, Application Gateway), so adjust them to the table you ingest.
Detect Unusual POST Requests
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess"
| where httpMethod_s == "POST" and requestUri_s contains ".php"
| summarize Requests = count() by clientIP_s, requestUri_s, bin(TimeGenerated, 1h)
| order by Requests desc
Description: Identifies POST requests to .php endpoints in the Application Gateway access log, which are common targets for upload and command-injection attacks, and ranks them by volume per client. Tune the extension to the application stack (for example .aspx or .jsp); on a site that does not serve PHP at all, any hit is worth a look.
Monitor Error Responses Suggesting Exploitation Attempts
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess"
| where httpStatus_d in (401, 403, 500)
| summarize Errors = count(), Paths = dcount(requestUri_s) by clientIP_s, httpStatus_d, bin(TimeGenerated, 1h)
| where Errors > 50
| order by Errors desc
Description: Counts 401, 403 and 500 responses per client and hour and keeps only clients above a threshold. Repeated 500s from one address suggest fuzzing or a half-working exploit; repeated 401s and 403s suggest credential guessing or forced browsing. The threshold of 50 is a starting point; set it from a baseline of normal traffic.
Velociraptor VQL
Detect Suspicious Command Execution Spawned by IIS
SELECT System.TimeCreated.SystemTime AS Time,
       EventData.ParentProcessName AS Parent,
       EventData.NewProcessName AS Process,
       EventData.CommandLine AS CommandLine
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4688
  AND EventData.ParentProcessName =~ "(?i)w3wp.exe"
  AND EventData.CommandLine =~ "(?i)cmd.exe /c"
Description: Lists process-creation events (4688) in which the IIS worker process w3wp.exe launched cmd.exe, which is how commands run through a web shell or an exploited application appear on the host. Requires process command-line auditing to be enabled; widen the parent filter for other application servers.
Detect Web Shell Creation
SELECT OSPath, Size, Btime, Mtime
FROM glob(globs=["C:/inetpub/wwwroot/**/*.aspx", "C:/inetpub/wwwroot/**/*.ashx"])
ORDER BY Btime DESC
Description: Lists ASPX and ASHX files under the IIS web root, newest first, so recently created files (web shells dropped through an upload or deserialisation bug) surface at the top. Compare the results against the application's deployment manifest; a lone file with an odd name and a recent creation time is the classic sign.
Identify Abnormal HTTP Traffic
SELECT OSPath, Line
FROM foreach(
    row={ SELECT OSPath FROM glob(globs="C:/inetpub/logs/LogFiles/**/*.log") },
    query={ SELECT OSPath, Line FROM parse_lines(filename=OSPath) WHERE Line =~ "(?i)sqlmap" })
Description: Velociraptor does not capture network traffic, so this reads the IIS access logs on disk and returns request lines whose user agent contains "sqlmap". Scanners change their user agent easily; treat a hit as a lead, not as the only signal.
Splunk SPL
SQL Keywords in URL Query Strings
index=web_logs sourcetype=access_combined (uri_query="*union*" OR uri_query="*select*" OR uri_query="*sleep(*")
| stats count AS hits by clientip, uri_path, uri_query
| sort - hits
Description: Searches for SQL injection attempts by filtering for SQL keywords in URL query strings. Splunk matches the raw, URL-encoded query, so "union%20select" still contains "union" and "select", but keywords broken up by comments or other evasion (un/**/ion) will not match; pair this with WAF alerts where available.
POST Requests with Large Payloads
index=web_logs sourcetype=access_combined method=POST bytes>10000
| stats count AS posts, max(bytes) AS max_bytes by clientip, uri_path
| sort - max_bytes
Description: Detects large POST transactions, potentially used for uploading malicious payloads. Note that the bytes field of the combined log format is the response size; to alert on the request body size you need a custom log format that records it, with a matching field extraction.
Frequent 404 Errors
index=web_logs sourcetype=access_combined status=404
| bin _time span=5m
| stats count AS misses, dc(uri_path) AS distinct_paths by clientip, _time
| where misses > 50
| sort - misses
Description: Flags clients that generate many 404 responses for many distinct paths within five minutes, the footprint of directory and vulnerability scanners. A broken link on a busy page also produces 404s, but from many clients against one path, which this grouping separates out.
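Before porting a detection to a SIEM it helps to run the logic over a handful of lines and confirm it fires only where intended. The Python below is an added example, not code from the original page: it applies the four checks in this section (SQL keywords, scanner user agent, oversized POST, 404 burst) to constructed combined-format access log lines. The IP addresses, paths, thresholds and log lines are invented for the example. One point the SPL wildcard match does not cover is URL encoding: the payload arrives as `union%20select`, so the example decodes the query string before matching.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Field layout of the Apache/NGINX "combined" log format, which is what the
# Splunk access_combined sourcetype expects.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Crude SQL-injection indicators, applied to the URL-decoded query string.
# Deliberately narrower than a bare "select" match to cut false positives.
SQLI_RE = re.compile(
    r"(?i)("
    r"\bunion\b\s+(all\s+)?select\b"      # UNION SELECT
    r"|\bselect\b.+\bfrom\b"              # SELECT ... FROM
    r"|\b(and|or)\b\s+\d+\s*=\s*\d+"      # boolean probes such as AND 1=1
    r"|\b(sleep|benchmark|waitfor)\b"     # time-based probes
    r"|'\s*(or|and)\s"                    # quote break-out: ' or 1=1
    r")"
)

SCANNER_UA = ("sqlmap", "nikto", "nmap", "masscan")


def parse(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    path, _, query = rec["uri"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode %27 / %20 before pattern matching
    return rec


def detect(lines, notfound_threshold=50, window_s=60, large_post_bytes=10000):
    """Return (kind, client_ip, detail) findings for the four checks in this section."""
    findings = []
    notfound = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if SQLI_RE.search(rec["query"]):
            findings.append(("sqli_pattern", rec["ip"], rec["path"] + "?" + rec["query"]))
        if any(tool in rec["ua"].lower() for tool in SCANNER_UA):
            findings.append(("scanner_ua", rec["ip"], rec["ua"]))
        # The combined format records the *response* size; a request-body size
        # field needs a custom log format. This is the best the format offers.
        if rec["method"] == "POST" and rec["bytes"] > large_post_bytes:
            findings.append(("large_post", rec["ip"], rec["path"]))
        if rec["status"] == 404:
            notfound[rec["ip"]].append(rec["ts"])
    # Sliding window: a client with >= threshold 404s inside window_s seconds is probing.
    for ip, times in notfound.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= notfound_threshold:
                findings.append(("404_burst", ip, f"{end - start + 1} misses in {window_s}s"))
                break
    return findings


# Constructed sample traffic (not real logs): an injection attempt, a sqlmap
# run, an oversized POST, a benign request and a burst of 404s from one client.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Mar/2024:10:15:01 +0000] "GET /products.php?id=1%27%20UNION%20SELECT%20null,version()-- HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:10:15:02 +0000] "GET /products.php?id=1%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"',
    '198.51.100.4 - - [10/Mar/2024:10:16:10 +0000] "POST /upload.php HTTP/1.1" 200 15321 "-" "curl/8.4.0"',
    '192.0.2.9 - - [10/Mar/2024:10:17:00 +0000] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.4 - - [10/Mar/2024:10:20:{i:02d} +0000] "GET /admin{i}/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"'
    for i in range(55)
]


def run_sample():
    """Run the detections over the constructed sample and return a count per finding kind."""
    return Counter(kind for kind, _, _ in detect(SAMPLE_LINES))


if __name__ == "__main__":
    for finding in detect(SAMPLE_LINES):
        print(finding)
```

The 50-in-60-seconds 404 threshold and the 10 KB POST size are starting values; derive production thresholds from a baseline of the site's normal traffic. The 404 scanner in the sample uses a plain browser user agent on purpose: the burst check catches it where the user-agent check does not.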
2. Phishing
Attackers deliver malicious payloads or steal credentials through phishing emails.
KQL Queries
Identify Emails from Suspicious Domains
EmailEvents
| where SenderFromDomain endswith ".ru" or SenderFromDomain endswith ".cn"
| where DeliveryAction == "Delivered"
| summarize Emails = count(), Recipients = dcount(RecipientEmailAddress) by SenderFromAddress, Subject, bin(Timestamp, 1d)
| order by Recipients desc
Description: Searches for delivered mail from top-level domains the organisation rarely corresponds with and ranks senders by how many recipients they reached; one subject fanned out to many mailboxes is the shape of a campaign. The .ru/.cn list is only an example: build it from your own mail-flow baseline, and remember that most phishing arrives from ordinary .com domains or compromised legitimate accounts.
Monitor for Malicious Attachments
EmailAttachmentInfo
| where FileName endswith ".exe" or FileName endswith ".docm" or FileName endswith ".iso" or FileName endswith ".lnk"
| summarize Emails = count() by FileName, SHA256, SenderFromAddress, RecipientEmailAddress, bin(Timestamp, 1d)
Description: Lists inbound attachments with executable or macro-enabled extensions together with the hash, sender and recipient of each. Check the SHA256 against threat intelligence and add the archive types (.zip, .7z) that commonly wrap these files; a document extension followed by an executable one (invoice.pdf.exe) is a reliable tell.
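The two queries above flag risky top-level domains and file extensions. As an added example that is not part of the original page, the Python below triages constructed EmailEvents/EmailAttachmentInfo-style records with those two checks plus two that KQL string functions do not give you directly: a Levenshtein distance to catch look-alike sender domains (examp1e.com, exarnple.com) and a double-extension check (Policy.pdf.exe). The organisation domain example.com, the risky TLD list and the mail records are assumptions made for the example.

```python
OWN_DOMAIN = "example.com"               # assumption: the organisation's own mail domain
RISKY_TLDS = (".ru", ".cn")              # the page's example list; tune to your environment
DANGEROUS_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}

# Constructed messages in the shape of Sentinel's EmailEvents joined with
# EmailAttachmentInfo (not real mail).
EMAILS = [
    {"SenderFromAddress": "billing@example.com", "Subject": "Invoice 0391", "Attachments": ["invoice_0391.pdf"]},
    {"SenderFromAddress": "it-support@examp1e.com", "Subject": "Password expiry", "Attachments": []},
    {"SenderFromAddress": "hr@exarnple.com", "Subject": "Policy update", "Attachments": ["Policy.pdf.exe"]},
    {"SenderFromAddress": "news@mailer.ru", "Subject": "Weekly digest", "Attachments": ["report.docm"]},
    {"SenderFromAddress": "bob@partner.org", "Subject": "Q1 numbers", "Attachments": ["q1.xlsx"]},
]


def edit_distance(a, b):
    """Levenshtein distance, used to spot typo-squatted and homoglyph domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_risk(address, own=OWN_DOMAIN, max_distance=2):
    """Return a reason string for a suspicious sender domain, or None."""
    domain = address.rpartition("@")[2].lower()
    if domain == own or domain.endswith("." + own):
        return None                                  # our own domain or a subdomain of it
    if edit_distance(domain, own) <= max_distance:
        return "lookalike_domain"                    # examp1e.com, exarnple.com
    if domain.endswith(RISKY_TLDS):
        return "risky_tld"
    return None


def attachment_risk(filename):
    """Return a reason string for a suspicious attachment name, or None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2:
        return None
    if "." + parts[-1] not in DANGEROUS_EXT:
        return None
    # "Policy.pdf.exe": a document extension hiding in front of an executable one
    if len(parts) == 3 and "." + parts[1] in DECOY_EXT:
        return "double_extension"
    return "dangerous_extension"


def triage(emails):
    """Return (sender, reason) pairs for every message worth an analyst's look."""
    findings = []
    for msg in emails:
        reason = sender_domain_risk(msg["SenderFromAddress"])
        if reason:
            findings.append((msg["SenderFromAddress"], reason))
        for name in msg["Attachments"]:
            reason = attachment_risk(name)
            if reason:
                findings.append((msg["SenderFromAddress"], f"{reason}:{name}"))
    return findings


if __name__ == "__main__":
    for sender, reason in triage(EMAILS):
        print(sender, reason)
```

A distance of 2 is deliberately loose for a short domain; for long domains it is too tight (it misses an added word) and for very short ones it over-matches, so in practice the cut-off is scaled to the length of your own domain and combined with a list of registered brand variants.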
3. External Remote Services
Attackers abuse exposed remote access services such as VPN, RDP and SSH, typically with guessed or stolen credentials.
KQL Queries
VPN Logins from Unexpected Locations
SigninLogs
| where AppDisplayName == "VPN"            // replace with the display name of your VPN application
| where ResultType == "0"                  // successful sign-ins only
| where Location !in ("GB", "US")          // replace with the countries your users sign in from
| summarize Logins = count() by UserPrincipalName, Location, IPAddress, bin(TimeGenerated, 1d)
Description: Detects successful VPN sign-ins from countries outside the expected set. Location holds the two-letter country code of the sign-in; "VPN" and the country list are placeholders to replace with your own values.
Repeated Brute-Force Attempts
SigninLogs
| where ResultType == "50126"              // invalid username or password
| summarize Failures = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
| where Failures > 20
| order by Failures desc
Description: Identifies accounts with many wrong-password failures from one source address within an hour. Status in SigninLogs is a dynamic column, so filter on ResultType (the error code) rather than on a "Failure" string. To catch password spraying, which keeps failures per account low, group by IPAddress alone and count distinct UserPrincipalName values instead.
Velociraptor VQL
Search for Failed RDP Logins
SELECT System.TimeCreated.SystemTime AS Time,
       EventData.TargetUserName AS User,
       EventData.IpAddress AS SourceIP,
       EventData.Status AS Status
FROM parse_evtx(filename="C:/Windows/System32/winevt/Logs/Security.evtx")
WHERE System.EventID.Value = 4625 AND EventData.LogonType = 10
Description: Finds failed RDP logons (event 4625 with logon type 10, RemoteInteractive) and shows the target account and source IP, so a burst of failures from one address stands out. With Network Level Authentication enabled, failed attempts are often recorded with logon type 3 instead; check both.
Monitor Remote Desktop Client Usage
SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name =~ "(?i)^mstsc.exe$"
Description: Lists running instances of mstsc.exe. Note the direction: mstsc.exe on a host is the outbound RDP client, so this shows which hosts are being used to pivot onwards, and the command line may carry the target (mstsc.exe /v:host). Inbound RDP sessions appear as logon events (4624/4625, logon type 10), not as a process.
Monitor for VPN Software Execution
SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name =~ "(?i)openvpn" OR CommandLine =~ "(?i)openvpn"
Description: Detects a running OpenVPN client or service. Compare the executable path and the user account against the organisation's sanctioned VPN client; an OpenVPN process started from a user profile or temp directory by a non-administrative account is a strong sign of an unauthorised tunnel.
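The Velociraptor and KQL queries above list failures and VPN sign-ins for an analyst to read. As an added example that is not part of the original page, the Python below implements the two judgements an analyst makes from that output: a source IP that crosses a failure threshold for RDP (logon type 10) inside a time window, with a check for whether a success from the same IP followed the burst, and successful VPN sign-ins outside an expected set of countries. The events, the VPN application name (Corp VPN) and the expected countries are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security events in the shape parse_evtx() or Sentinel's
# SecurityEvent table expose them (not real data). Logon type 10 = RemoteInteractive (RDP).
_T0 = datetime(2024, 3, 10, 2, 0, 0)
SECURITY_EVENTS = [
    {"EventID": 4625, "TimeCreated": _T0 + timedelta(seconds=10 * i), "TargetUserName": "svc_backup",
     "IpAddress": "203.0.113.7", "LogonType": "10"}
    for i in range(12)                                   # 12 RDP failures in two minutes
] + [
    {"EventID": 4624, "TimeCreated": _T0 + timedelta(seconds=125), "TargetUserName": "svc_backup",
     "IpAddress": "203.0.113.7", "LogonType": "10"},   # then a success from the same source
] + [
    {"EventID": 4625, "TimeCreated": _T0 + timedelta(minutes=5 * i), "TargetUserName": "alice",
     "IpAddress": "10.0.0.25", "LogonType": "2"}
    for i in range(3)                                    # a user mistyping at the console
]

# Constructed Entra ID sign-in rows for the VPN application (SigninLogs shape, not real data).
VPN_SIGNINS = [
    {"UserPrincipalName": "alice@example.com", "AppDisplayName": "Corp VPN", "Location": "GB", "ResultType": "0"},
    {"UserPrincipalName": "bob@example.com", "AppDisplayName": "Corp VPN", "Location": "US", "ResultType": "0"},
    {"UserPrincipalName": "svc_backup@example.com", "AppDisplayName": "Corp VPN", "Location": "RU", "ResultType": "0"},
    {"UserPrincipalName": "carol@example.com", "AppDisplayName": "Corp VPN", "Location": "BR", "ResultType": "50126"},
    {"UserPrincipalName": "dave@example.com", "AppDisplayName": "Office 365", "Location": "BR", "ResultType": "0"},
]


def rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Source IPs with >= threshold RDP failures (4625, logon type 10) inside `window`,
    and whether a 4624 from the same IP followed the burst (a successful guess)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if int(e.get("LogonType", 0)) != 10:           # LogonType is a string in raw EVTX
            continue
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(e)
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(e)
    alerts = []
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["TimeCreated"] - fails[start]["TimeCreated"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            burst_end = fails[end]["TimeCreated"]
            later = [s for s in successes.get(ip, []) if s["TimeCreated"] >= burst_end]
            alerts.append({
                "ip": ip,
                "failures": len(fails),
                "users": sorted({f["TargetUserName"] for f in fails}),   # many users => spray
                "success_after": later[0]["TargetUserName"] if later else None,
            })
            break
    return alerts


def unexpected_vpn_logins(signins, vpn_app="Corp VPN", expected=frozenset({"GB", "US"})):
    """Successful VPN sign-ins from countries outside the expected set."""
    return [
        (s["UserPrincipalName"], s["Location"])
        for s in signins
        if s["AppDisplayName"] == vpn_app and s["ResultType"] == "0" and s["Location"] not in expected
    ]


if __name__ == "__main__":
    print(rdp_bruteforce(SECURITY_EVENTS))
    print(unexpected_vpn_logins(VPN_SIGNINS))
```

The success_after field is the part worth alerting on at high priority: a failure burst on its own is background noise on any internet-facing RDP or VPN endpoint, but a burst followed by a success from the same address means a credential was guessed and the account needs resetting and its sessions reviewing. The users list separates brute force (one account) from spraying (many accounts, few attempts each).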
The descriptions and the multiple queries given for each technique should support investigations with KQL, Velociraptor and Splunk, and so improve detection and response capabilities in a Windows environment.