Initial Access (TA0001) Techniques

Introduction

Investigating initial access in a network, particularly in Windows workstations and server systems, involves a structured approach to identify how an unauthorised entity first gained entry. This process is critical for understanding the scope and impact of a security incident.

Initial Preparation and Response

  • Initial Assessment: Confirm the breach and assess the scope.

  • Secure Your Environment: Ensure the investigation is conducted securely to prevent further compromise.

  • Containment: Isolate affected systems to prevent lateral movement or further damage.

  • Preserve Evidence: Immediately secure and preserve logs and data that could be critical for the investigation.

Identify Entry Points

  • Review Logs: Check security logs, system logs, application logs, and firewall logs for unusual activities.

  • Analyse Network Traffic: Look for anomalies in network traffic that could indicate unauthorised access.

  • Examine Entry Points: Common entry points include email (phishing), remote desktop protocol (RDP), web applications, and external devices.

System-Specific Investigations

  • Windows Workstation:

    • Check Event Viewer for login attempts, application errors, and system messages.

    • Analyse the Windows Security Logs for failed login attempts or unusual successful logins.

    • Use tools like Process Explorer to examine running processes for signs of malicious activity.

  • Windows Server:

    • Examine IIS logs if the server hosts web applications.

    • Review Active Directory logs for unauthorised changes.

    • Check database logs to see if the server hosts critical databases.

Forensic Analysis

  • Disk and Memory Forensics: Use tools like Volatility for memory analysis and Autopsy for disk forensics.

  • Timeline Analysis: Build a timeline of events to understand the sequence of actions taken by the attacker.

  • Artifact Analysis: Examine files, registry entries, and other system artefacts for signs of tampering or unauthorised access.

Malware Analysis (If Applicable)

  • Identify Malware: Use antivirus scans and malware analysis tools to identify and analyse malicious software.

  • Reverse Engineering: If skilled resources are available, reverse-engineering malware can provide insights into its capabilities and origin.

Utilise Threat Intelligence

  • Cross-reference Indicators of Compromise (IoCs): Compare findings with known IoCs from threat intelligence sources.

  • Contextualise the Attack: Understand if the attack is part of a more extensive campaign or linked to known threat actors.

Interviews and Internal Investigation

  • Conduct Interviews: Talk to users who might have witnessed unusual activities or received phishing emails.

  • Review Internal Policies: Check for any recent changes in network or security policies that could have opened vulnerabilities.

Documentation and Reporting

  • Detail Findings: Document every step taken and evidence found during the investigation.

  • Report to Stakeholders: Provide clear and comprehensive reports to relevant stakeholders, including technical details and business impact.

Post-Investigation Actions

  • Remediation: Address the identified vulnerabilities and entry points.

  • Monitoring: Enhance monitoring capabilities to detect similar attempts in the future.

  • Lessons Learned: Conduct a post-mortem to improve security posture and response capabilities.

Legal and Compliance Considerations

  • Legal Compliance: Ensure the investigation complies with legal requirements and industry standards.

  • Data Protection: Be mindful of privacy and data protection laws when handling sensitive information.

Forensic investigation of initial access is a meticulous and detailed process. Each step is critical to uncovering the full scope of the intrusion and preventing future incidents. Stay updated with the latest forensic techniques and tools as cyber threats evolve.

Using KQL to Investigate Initial Access Activities in an Environment Using Defender/Sentinel

Initial Access is the first stage in the attack lifecycle, where adversaries gain entry into a network.

Note: There are more direct ways to look at these kinds of attacks, but the goal here is to approach them from a beginner's point of view, without intricate KQL queries whose intent a junior SOC analyst would find hard to follow.

1. T1190 - Exploit Public-Facing Application

Objective: Detect attempts to exploit vulnerabilities in public-facing applications to gain unauthorised access.

  1. Detect Unusual HTTP POST Requests

    Purpose: Identify suspicious POST requests that might be exploit attempts.

    DeviceNetworkEvents
    | where RemotePort == 80 or RemotePort == 443
    | where ProcessCommandLine has "POST"
    | summarize Count = count() by RemoteIP, LocalIP
    | where Count > 10

  2. Monitor Web Server Logs for Exploit Patterns

    Purpose: Detect patterns in web logs that may indicate exploitation.

    DeviceFileEvents
    | where FolderPath has "IIS\\Logs" or FolderPath has "Apache\\Logs"
    | where FileName contains ".log"
    | summarize count() by FileName, DeviceName, FilePath

  3. Detect Suspicious Input in Web Forms

    Purpose: Identify attempts at SQL injection or XSS.

    DeviceNetworkEvents
    | where RemotePort == 80 or RemotePort == 443
    | where ProcessCommandLine has_any ("<script>", "UNION SELECT", "' OR 1=1")
    | project Timestamp, DeviceName, ProcessCommandLine

  4. Identify Access to Vulnerable Endpoints

    Purpose: Detect attempts to access known vulnerable endpoints.

    DeviceNetworkEvents
    | where RemotePort == 80 or RemotePort == 443
    | where ProcessCommandLine has_any ("admin", "login", "upload")
    | summarize count() by RemoteIP, LocalIP

  5. Monitor for Known Exploit Tools

    Purpose: Identify the use of automated tools to exploit web applications.

    DeviceProcessEvents
    | where ProcessCommandLine has_any ("sqlmap", "metasploit", "dirbuster")
    | project Timestamp, DeviceName, ProcessCommandLine

  6. Detect Web Shell Uploads

    Purpose: Monitor for the upload of web shells.

    DeviceFileEvents
    | where FileName endswith ".aspx" or FileName endswith ".php"
    | summarize count() by FileName, DeviceName

  7. Monitor for Suspicious GET Requests

    Purpose: Identify GET requests that attempt to execute commands.

    DeviceNetworkEvents
    | where RemotePort == 80 or RemotePort == 443
    | where ProcessCommandLine has "GET" and ProcessCommandLine contains "cmd"
    | project Timestamp, DeviceName, ProcessCommandLine

  8. Detect Suspicious File Uploads

    Purpose: Monitor for excessive file uploads.

    DeviceFileEvents
    | where FolderPath has_any ("uploads", "files", "images")
    | summarize Count = count() by FileName, DeviceName
    | where Count > 10

  9. Monitor for Exploit Attempts via HTTP Headers

    Purpose: Detect exploit attempts via HTTP headers.

    DeviceNetworkEvents
    | where RemotePort == 80 or RemotePort == 443
    | where ProcessCommandLine has_any ("User-Agent:", "Referer:")
    | project Timestamp, DeviceName, ProcessCommandLine

  10. Identify Unexpected Application Behaviour

    Purpose: Monitor for web servers executing unexpected processes.

    DeviceProcessEvents
    | where ProcessCommandLine has "w3wp.exe" or ProcessCommandLine has "httpd.exe"
    | where ProcessCommandLine has_any ("cmd.exe", "powershell.exe")
    | project Timestamp, DeviceName, ProcessCommandLine
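The web-log queries above (items 2, 3 and 5) count file events and command lines rather than reading request content. As an added example that is not part of the original page, the Python below parses constructed IIS W3C log lines, URL-decodes each request, applies the same indicator strings and counts hits per client IP; the log lines, field layout and threshold are assumptions.

```python
"""Scan IIS W3C extended log lines for the exploit indicators used in the
queries above and count hits per client address (added example, not the
page's own code). The log lines are constructed, not from a real server."""
from collections import Counter
from urllib.parse import unquote_plus

# Indicator strings from item 3 above; matched case-insensitively after
# URL-decoding, so an encoded %27+OR+1%3D1 is caught as well as the literal form.
EXPLOIT_INDICATORS = ("<script>", "union select", "' or 1=1")
# Scanner user agents from item 5 (metasploit does not announce itself in a UA).
SCANNER_AGENTS = ("sqlmap", "dirbuster")

# Constructed sample: W3C directives, then one request per line.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 10.0.0.5 GET /index.html - 443 - 203.0.113.7 Mozilla/5.0 200
2024-05-01 10:00:02 10.0.0.5 GET /products.aspx id=1%27+UNION+SELECT+1,2,3-- 443 - 203.0.113.7 sqlmap/1.7 500
2024-05-01 10:00:03 10.0.0.5 GET /search.aspx q=%3Cscript%3Ealert(1)%3C/script%3E 443 - 203.0.113.7 Mozilla/5.0 200
2024-05-01 10:00:04 10.0.0.5 POST /login.aspx user=admin%27+OR+1%3D1-- 443 - 198.51.100.9 curl/8.0 302
2024-05-01 10:00:05 10.0.0.5 GET /about.html - 443 - 198.51.100.9 Mozilla/5.0 200
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields
    directive. Lines before a #Fields directive, and lines whose field count
    does not match it, are skipped rather than mis-aligned."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def decoded_request(rec):
    """Rebuild the request target as the application saw it: IIS logs the
    query string URL-encoded, so decode stem and query before matching."""
    stem = unquote_plus(rec.get("cs-uri-stem", ""))
    query = rec.get("cs-uri-query", "-")
    query = "" if query == "-" else unquote_plus(query)
    return stem + ("?" + query if query else "")


def find_indicators(rec):
    """Indicator strings present in this request, compared case-insensitively."""
    target = decoded_request(rec).lower()
    return [ind for ind in EXPLOIT_INDICATORS if ind in target]


def hits_by_client(text, threshold=1):
    """Indicator hits per client IP (c-ip), keeping clients at or above the
    threshold; the same shape as the page's 'summarize count() by RemoteIP'."""
    counts = Counter()
    for rec in parse_w3c(text):
        if find_indicators(rec):
            counts[rec["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def scanner_agents(text):
    """Distinct (client IP, user agent) pairs whose UA names a known scanner."""
    seen = set()
    for rec in parse_w3c(text):
        ua = rec.get("cs(User-Agent)", "")
        if any(tool in ua.lower() for tool in SCANNER_AGENTS):
            seen.add((rec["c-ip"], ua))
    return sorted(seen)
```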

2. T1078 - Valid Accounts

Objective: Detect unauthorised access using stolen or compromised credentials.

  1. Detect Logins from Unusual Locations

    Purpose: Identify logins from unfamiliar IP addresses.

    IdentityLogonEvents
    | where LogonType == "Network" and AccountType == "User"
    | summarize Count = count() by TargetUserName, IPAddress
    | where Count > 1

  2. Monitor Logins Outside Business Hours

    Purpose: Detect logins occurring outside regular working hours.

    IdentityLogonEvents
    | where LogonResult == "Success" and LogonTime between (startofday(now()) - 7d .. startofday(now()) - 1d)
    | where hourofday(LogonTime) < 6 or hourofday(LogonTime) > 18
    | summarize count() by TargetUserName, LogonTime

  3. Detect Failed Login Attempts

    Purpose: Identify multiple failed login attempts.

    IdentityLogonEvents
    | where LogonResult == "Failed"
    | summarize Count = count() by TargetUserName, DeviceName
    | where Count > 5

  4. Identify Privileged Account Use

    Purpose: Monitor the usage of privileged accounts.

    IdentityLogonEvents
    | where AccountType == "Privileged"
    | summarize count() by TargetUserName, DeviceName, LogonTime

  5. Detect Logins from Multiple Geolocations

    Purpose: Identify users logging in from multiple geolocations in a short period.

    IdentityLogonEvents
    | summarize locations=make_set(IPAddressCountry) by TargetUserName
    | where array_length(locations) > 1

  6. Monitor for New Account Creations

    Purpose: Detect the creation of new accounts.

    IdentityDirectoryEvents
    | where ActionType == "NewUserCreated"
    | project Timestamp, TargetUserName, InitiatingProcessAccountName

  7. Detect Account Deletions

    Purpose: Monitor for account deletions.

    IdentityDirectoryEvents
    | where ActionType == "UserDeleted"
    | project Timestamp, TargetUserName, InitiatingProcessAccountName

  8. Monitor for Account Privilege Escalation

    Purpose: Detect unauthorised privilege escalations.

    IdentityDirectoryEvents
    | where ActionType == "Add member to role" and RoleName == "Global Administrator"
    | project Timestamp, TargetUserName, InitiatingProcessAccountName

  9. Detect Suspicious Use of Service Accounts

    Purpose: Monitor the use of service accounts.

    IdentityLogonEvents
    | where TargetUserName has "svc-" or TargetUserName has "service"
    | summarize count() by TargetUserName, DeviceName, LogonTime

  10. Identify Logins with Disabled Accounts

    Purpose: Detect login attempts with disabled accounts.

    IdentityLogonEvents
    | where AccountEnabled == "False"
    | summarize count() by TargetUserName, DeviceName, LogonTime

3. T1195 - Supply Chain Compromise

Objective: Detect indicators of a supply chain compromise where an adversary infiltrates via a third-party service or software.

  1. Monitor for New or Unknown Software Installations

    Purpose: Detect installation of software from potentially compromised supply chains.

    DeviceProcessEvents
    | where ProcessCommandLine has_any ("msiexec", "setup.exe", "install.exe")
    | project Timestamp, DeviceName, ProcessCommandLine

  2. Identify Changes to Critical System Files

    Purpose: Monitor for modifications to critical system files.

    DeviceFileEvents
    | where FolderPath has_any ("C:\\Windows", "C:\\Program Files", "C:\\Program Files (x86)")
    | where FileOperation == "Modify"
    | project Timestamp, DeviceName, FileName, FolderPath

  3. Detect Communication with Known Malicious IPs

    Purpose: Identify communication with IP addresses known to be associated with supply chain attacks.

    DeviceNetworkEvents
    | where RemoteIP in ("known_malicious_ips_list")
    | project Timestamp, DeviceName, RemoteIP, RemotePort

  4. Monitor for Unusual Application Behaviour

    Purpose: Detect unexpected execution of system tools by third-party applications.

    DeviceProcessEvents
    | where ProcessCommandLine has_any ("cmd.exe", "powershell.exe") and InitiatingProcessFileName != "cmd.exe" and InitiatingProcessFileName != "powershell.exe"
    | project Timestamp, DeviceName, ProcessCommandLine

  5. Identify Suspicious DLL Loads

    Purpose: Monitor for DLL loads that may indicate a compromised application.

    DeviceImageLoadEvents
    | where FileName endswith ".dll" and FolderPath has_any ("C:\\Windows", "C:\\Program Files", "C:\\Program Files (x86)")
    | project Timestamp, DeviceName, FileName, FolderPath

  6. Detect New or Unknown Network Connections

    Purpose: Identify new or unknown network connections that could indicate a supply chain attack.

    DeviceNetworkEvents
    | where ActionType == "ConnectionSuccess" and RemoteIP !in ("known_good_ips_list")
    | summarize Count = count() by RemoteIP, LocalIP
    | where Count > 5

  7. Monitor for Changes to Startup Programs

    Purpose: Detect unauthorised changes to startup programs.

    DeviceRegistryEvents
    | where RegistryKey has "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData

  8. Identify Unauthorised Code Signing

    Purpose: Monitor for unauthorised code signing that could indicate a compromised application.

    DeviceFileEvents
    | where FileName endswith ".exe" or FileName endswith ".dll"
    | where FileOperation == "Modify" and CertificateIssuer !in ("trusted_issuers_list")
    | project Timestamp, DeviceName, FileName, CertificateIssuer

  9. Detect Changes to System Services

    Purpose: Identify changes to system services that may be linked to a supply chain compromise.

    DeviceServiceEvents
    | where ActionType == "ServiceInstalled" or ActionType == "ServiceModified"
    | project Timestamp, DeviceName, ServiceName, InitiatingProcessCommandLine

  10. Monitor for Suspicious Scripting Activity

    Purpose: Detect the execution of scripts that could be associated with a supply chain attack.

    DeviceProcessEvents
    | where ProcessCommandLine has_any (".ps1", ".vbs", ".bat")
    | project Timestamp, DeviceName, ProcessCommandLine

4. T1199 - Trusted Relationship

Objective: Detect unauthorised access or activity stemming from a trusted relationship, such as a partner or vendor.

  1. Monitor for Logins from Partner Networks

    Purpose: Identify logins originating from partner networks.

    IdentityLogonEvents
    | where IPAddress in ("partner_ip_range")
    | summarize count() by TargetUserName, DeviceName, LogonTime

  2. Detect Unusual Activity from Trusted Accounts

    Purpose: Monitor for unusual activity from accounts associated with trusted relationships.

    IdentityLogonEvents
    | where TargetUserName in ("trusted_account_list")
    | summarize Count = count() by TargetUserName, DeviceName, LogonTime
    | where Count > 5

  3. Identify Access to Critical Systems by Trusted Accounts

    Purpose: Detect access to critical systems by trusted accounts.

    DeviceLogonEvents
    | where TargetUserName in ("trusted_account_list") and DeviceName in ("critical_systems_list")
    | summarize count() by TargetUserName, DeviceName, LogonTime

  4. Monitor for Changes to Permissions of Trusted Accounts

    Purpose: Detect changes to permissions for trusted accounts.

    IdentityDirectoryEvents
    | where TargetUserName in ("trusted_account_list") and ActionType == "PermissionModified"
    | project Timestamp, TargetUserName, InitiatingProcessAccountName, PermissionsChanged

  5. Detect Unusual File Access by Trusted Accounts

    Purpose: Identify unusual file access by trusted accounts.

    DeviceFileEvents
    | where InitiatingProcessAccountName in ("trusted_account_list") and FolderPath in ("sensitive_directories_list")
    | summarize count() by InitiatingProcessAccountName, DeviceName, FolderPath

  6. Monitor for Network Connections from Trusted Vendors

    Purpose: Detect network connections originating from vendor networks.

    DeviceNetworkEvents
    | where RemoteIP in ("vendor_ip_range")
    | summarize count() by RemoteIP, LocalIP

  7. Identify Changes to Firewall Rules by Trusted Accounts

    Purpose: Monitor changes to firewall rules by trusted accounts.

    DeviceRegistryEvents
    | where RegistryKey has "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy"
    | where InitiatingProcessAccountName in ("trusted_account_list")
    | project Timestamp, DeviceName, RegistryKey, RegistryValueName

  8. Detect Installation of Software by Trusted Accounts

    Purpose: Identify software installation by trusted accounts.

    DeviceProcessEvents
    | where ProcessCommandLine has_any ("install.exe", "setup.exe") and InitiatingProcessAccountName in ("trusted_account_list")
    | project Timestamp, DeviceName, ProcessCommandLine

  9. Monitor for Changes to Network Configurations by Trusted Accounts

    Purpose: Detect changes to network configurations by trusted accounts.

    DeviceRegistryEvents
    | where RegistryKey has "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
    | where InitiatingProcessAccountName in ("trusted_account_list")
    | project Timestamp, DeviceName, RegistryKey, RegistryValueName

  10. Identify Unusual Email Activity from Trusted Accounts

    Purpose: Monitor for unusual email activity from trusted domains.

    DeviceEmailEvents
    | where SenderAddress in ("trusted_email_domains")
    | summarize count() by SenderAddress, RecipientAddress

5. T1133 - External Remote Services

Objective: Detect unauthorised access via external remote services such as VPNs, RDP, or other remote access tools.

  1. Detect RDP Logins from Unfamiliar IPs

    Purpose: Identify RDP logins from unfamiliar IP addresses.

    IdentityLogonEvents
    | where LogonType == "RemoteInteractive" and IPAddress !in ("known_good_ips")
    | summarize count() by TargetUserName, IPAddress

  2. Monitor VPN Connections from Unusual Locations

    Purpose: Detect VPN connections from unusual locations.

    DeviceNetworkEvents
    | where RemotePort == 443 and RemoteIP !in ("trusted_ip_ranges")
    | summarize count() by RemoteIP, LocalIP

  3. Identify SSH Logins from External Sources

    Purpose: Monitor SSH logins from external IP addresses.

    IdentityLogonEvents
    | where LogonType == "SSH" and IPAddress !in ("internal_ip_range")
    | summarize count() by TargetUserName, IPAddress

  4. Monitor for Remote Desktop Gateway Access

    Purpose: Identify access to Remote Desktop Gateways.

    IdentityLogonEvents
    | where LogonType == "RemoteInteractive" and DeviceName contains "RDGateway"
    | summarize count() by TargetUserName, DeviceName, IPAddress

  5. Detect Multiple Failed Remote Login Attempts

    Purpose: Identify multiple failed remote login attempts.

    IdentityLogonEvents
    | where LogonType == "RemoteInteractive" and LogonResult == "Failed"
    | summarize Count = count() by TargetUserName, IPAddress
    | where Count > 5

  6. Monitor for RDP Connections Outside Business Hours

    Purpose: Detect RDP connections outside normal working hours.

    IdentityLogonEvents
    | where LogonType == "RemoteInteractive" and (hourofday(LogonTime) < 6 or hourofday(LogonTime) > 18)
    | summarize count() by TargetUserName, IPAddress

  7. Detect Use of Remote Access Tools

    Purpose: Identify the use of remote access tools.

    DeviceProcessEvents
    | where ProcessCommandLine has_any ("teamviewer.exe", "anydesk.exe", "vncviewer.exe")
    | project Timestamp, DeviceName, ProcessCommandLine

  8. Identify VPN Logins from Multiple Geolocations

    Purpose: Monitor VPN logins from multiple geolocations.

    IdentityLogonEvents
    | where LogonType == "VPN"
    | summarize locations=make_set(IPAddressCountry) by TargetUserName
    | where array_length(locations) > 1

  9. Monitor for External Access to Administrative Accounts

    Purpose: Detect remote access to administrative accounts.

    IdentityLogonEvents
    | where AccountType == "Privileged" and LogonType == "RemoteInteractive"
    | summarize count() by TargetUserName, IPAddress

  10. Detect VPN Access from Blacklisted Countries

    Purpose: Identify VPN access attempts from blacklisted countries.

    IdentityLogonEvents
    | where LogonType == "VPN" and IPAddressCountry in ("blacklisted_countries_list")
    | summarize count() by TargetUserName, IPAddress

6. T1078.004 - Cloud Accounts

Objective: Detect unauthorised access using compromised cloud accounts.

  1. Monitor Cloud Logins from Unusual Locations

    Purpose: Detect cloud account access from unexpected countries.

    IdentityLogonEvents
    | where AccountType == "Cloud" and IPAddressCountry != "United States" // Adjust based on your primary country
    | summarize count() by TargetUserName, IPAddressCountry

  2. Detect Multiple Cloud Logins from Different Locations

    Purpose: Identify users logging in from multiple locations in a short period.

    IdentityLogonEvents
    | where AccountType == "Cloud"
    | summarize locations=make_set(IPAddressCountry) by TargetUserName
    | where array_length(locations) > 1

  3. Monitor for Cloud Account Logins During Off-Hours

    Purpose: Detect cloud account logins outside normal working hours.

    IdentityLogonEvents
    | where AccountType == "Cloud" and (hourofday(LogonTime) < 6 or hourofday(LogonTime) > 18)
    | summarize count() by TargetUserName, IPAddress

  4. Identify Failed Cloud Login Attempts

    Purpose: Monitor for failed cloud login attempts.

    IdentityLogonEvents
    | where AccountType == "Cloud" and LogonResult == "Failed"
    | summarize count() by TargetUserName, IPAddress

  5. Detect Use of Cloud Admin Accounts

    Purpose: Identify logins using cloud admin accounts.

    IdentityLogonEvents
    | where AccountType == "Cloud" and TargetUserName contains "admin"
    | summarize count() by TargetUserName, IPAddress

  6. Monitor for Cloud Account Privilege Escalation

    Purpose: Detect unauthorised privilege escalations in cloud accounts.

    IdentityDirectoryEvents
    | where ActionType == "Add member to role" and AccountType == "Cloud"
    | project Timestamp, TargetUserName, InitiatingProcessAccountName, RoleName

  7. Detect Cloud Account Logins from Unrecognised Devices

    Purpose: Monitor for logins from unrecognised devices.

    IdentityLogonEvents
    | where AccountType == "Cloud" and DeviceName !in ("known_devices_list")
    | summarize count() by TargetUserName, DeviceName

  8. Monitor for Cloud Account Logins via Unusual Methods

    Purpose: Detect cloud account logins using unusual methods.

    IdentityLogonEvents
    | where AccountType == "Cloud" and LogonType !in ("Web", "MobileApp")
    | summarize count() by TargetUserName, LogonType

  9. Identify Suspicious Cloud Account Activity

    Purpose: Monitor OAuth2 logins for suspicious activity.

    IdentityLogonEvents
    | where AccountType == "Cloud" and LogonType == "OAuth2"
    | summarize count() by TargetUserName, DeviceName, LogonTime

  10. Detect Unauthorised Cloud API Calls

    Purpose: Identify unauthorised API calls made using cloud accounts.

    IdentityAPIEvents
    | where AccountType == "Cloud" and APIType == "Unauthorized"
    | project Timestamp, TargetUserName, APIEndpoint, ResponseCode
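The logon queries in sections 2, 5 and 6 (failed logins over a threshold, logins outside business hours, and make_set of countries per user) compare counts or sets with no time bound, so a week of scattered typos or a genuine trip abroad trips them the same way as an attack. As an added example that is not the page's own code, the Python below runs the same three checks over constructed IdentityLogonEvents-style records with sliding time windows; the field names are taken from the page's queries and are assumptions, as are the sample events.

```python
"""Detection logic for the logon queries above, run over constructed
IdentityLogonEvents-style records (added example, not the page's own code).
Field names follow the page's queries and are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; timestamps are ISO 8601 in local business time.
SAMPLE_LOGONS = [
    {"Timestamp": "2024-05-01T08:02:00", "TargetUserName": "alice",
     "IPAddress": "203.0.113.7", "IPAddressCountry": "GB", "LogonResult": "Success"},
    {"Timestamp": "2024-05-01T08:40:00", "TargetUserName": "alice",
     "IPAddress": "198.51.100.9", "IPAddressCountry": "BR", "LogonResult": "Success"},
    {"Timestamp": "2024-05-01T09:00:00", "TargetUserName": "bob",
     "IPAddress": "203.0.113.20", "IPAddressCountry": "GB", "LogonResult": "Success"},
    {"Timestamp": "2024-05-03T09:00:00", "TargetUserName": "bob",
     "IPAddress": "192.0.2.15", "IPAddressCountry": "US", "LogonResult": "Success"},
    # six failures against carol in five minutes, then a success from the same IP
    *[{"Timestamp": f"2024-05-01T22:1{i}:00", "TargetUserName": "carol",
       "IPAddress": "192.0.2.99", "IPAddressCountry": "RU", "LogonResult": "Failed"}
      for i in range(6)],
    {"Timestamp": "2024-05-01T22:17:00", "TargetUserName": "carol",
     "IPAddress": "192.0.2.99", "IPAddressCountry": "RU", "LogonResult": "Success"},
]


def _ts(rec):
    return datetime.fromisoformat(rec["Timestamp"])


def _by_user(events, result):
    """Group events with the given LogonResult by user, sorted by time."""
    groups = defaultdict(list)
    for e in events:
        if e["LogonResult"] == result:
            groups[e["TargetUserName"]].append(e)
    for evs in groups.values():
        evs.sort(key=_ts)
    return groups


def multi_country_within(events, window_minutes=60):
    """Users whose consecutive successful logons come from different countries
    less than window_minutes apart. The page's make_set query flags any user
    ever seen from two countries; the window is what separates a traveller
    from a concurrent session. Returns {user: (earlier country, later country)}."""
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for user, evs in _by_user(events, "Success").items():
        for prev, cur in zip(evs, evs[1:]):
            if (cur["IPAddressCountry"] != prev["IPAddressCountry"]
                    and _ts(cur) - _ts(prev) <= window):
                flagged[user] = (prev["IPAddressCountry"], cur["IPAddressCountry"])
                break
    return flagged


def failed_logon_bursts(events, threshold=5, window_minutes=10):
    """Users with more than threshold failed logons inside any sliding window
    of window_minutes; returns {user: peak count}. This is the page's
    'where count() > 5' bounded in time."""
    window = timedelta(minutes=window_minutes)
    bursts = {}
    for user, evs in _by_user(events, "Failed").items():
        times = [_ts(e) for e in evs]
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            bursts[user] = peak
    return bursts


def success_after_burst(events, grace_minutes=15, **burst_kw):
    """Users from failed_logon_bursts who then logged on successfully within
    grace_minutes after one of the failures, the pattern that usually means a
    guessed or sprayed password landed. Returns {user: source IP}."""
    grace = timedelta(minutes=grace_minutes)
    failed = _by_user(events, "Failed")
    succeeded = _by_user(events, "Success")
    hits = {}
    for user in failed_logon_bursts(events, **burst_kw):
        fail_times = [_ts(e) for e in failed[user]]
        for e in succeeded.get(user, []):
            if any(timedelta(0) <= _ts(e) - f <= grace for f in fail_times):
                hits[user] = e["IPAddress"]
    return hits


def off_hours_logons(events, start_hour=6, end_hour=18):
    """Successful logons outside start_hour..end_hour, matching the page's
    hourofday() filter. Timestamps are assumed to be in local business time;
    applied to UTC data the window shifts by the site's offset."""
    return [(e["TargetUserName"], e["Timestamp"]) for e in events
            if e["LogonResult"] == "Success"
            and not start_hour <= _ts(e).hour <= end_hour]
```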

7. T1566 - Phishing

Objective: Detect phishing attempts aimed at gaining unauthorised access to systems or credentials.

  1. Monitor for Emails Containing Suspicious Attachments

    Purpose: Identify emails with suspicious attachments that may be phishing attempts.

    DeviceEmailEvents
    | where EmailSubject contains "Invoice" or EmailAttachmentFileName endswith ".exe" or EmailAttachmentFileName endswith ".js"
    | project Timestamp, EmailSenderAddress, EmailSubject, EmailAttachmentFileName

  2. Detect Emails from Unfamiliar Domains

    Purpose: Monitor for emails originating from unfamiliar domains.

    DeviceEmailEvents
    | where SenderDomain !in ("known_domains_list")
    | project Timestamp, EmailSenderAddress, EmailSubject

  3. Identify Multiple Failed Login Attempts Following Phishing Emails

    Purpose: Detect multiple failed login attempts after a phishing campaign.

    IdentityLogonEvents
    | where LogonResult == "Failed"
    | where Timestamp between (startofday(now()) - 1d .. startofday(now()))
    | summarize count() by TargetUserName, DeviceName

  4. Monitor for Credential Harvesting Attempts

    Purpose: Identify potential credential harvesting attempts.

    DeviceNetworkEvents
    | where RemotePort == 443 and URL contains "login" and ResponseCode == 302
    | project Timestamp, RemoteIP, URL

  5. Detect Email Links Leading to Malicious Sites

    Purpose: Monitor emails with links that could lead to malicious websites.

    DeviceEmailEvents
    | where EmailBody contains "http://" or EmailBody contains "https://"
    | project Timestamp, EmailSenderAddress, EmailSubject, EmailBody

  6. Identify Unusual Email Forwarding Rules

    Purpose: Detect unauthorised email forwarding rules that may indicate a phishing attack.

    IdentityEmailEvents
    | where ActionType == "SetForwardingRule"
    | project Timestamp, TargetUserName, EmailForwardingRule

  7. Monitor for Phishing Emails Spoofing Trusted Domains

    Purpose: Identify phishing emails spoofing trusted domains.

    DeviceEmailEvents
    | where SenderDomain == "trusted_domain" and SenderAddress !in ("trusted_emails_list")
    | project Timestamp, EmailSenderAddress, EmailSubject

  8. Detect Suspicious Email Activity After Clicking Phishing Links

    Purpose: Monitor for suspicious email activity following phishing attempts.

    DeviceEmailEvents
    | where EmailSubject contains "Urgent" or EmailBody contains "click here"
    | project Timestamp, EmailSenderAddress, EmailSubject

  9. Identify Emails Containing Suspicious Macros

    Purpose: Detect emails with attachments containing macros that may be used for phishing.

    DeviceEmailEvents
    | where EmailAttachmentFileName endswith ".docm" or EmailAttachmentFileName endswith ".xlsm"
    | project Timestamp, EmailSenderAddress, EmailSubject, EmailAttachmentFileName

  10. Monitor for Executable Files Sent via Email

    Purpose: Identify emails containing executable files that could be part of a phishing attack.

    DeviceEmailEvents
    | where EmailAttachmentFileName endswith ".exe" or EmailAttachmentFileName endswith ".bat"
    | project Timestamp, EmailSenderAddress, EmailSubject, EmailAttachmentFileName

Last updated 4 months ago