Initial Access

The adversary is trying to get into your network.

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Techniques

Techniques: 5
ID      Name                                   Description

VT0003  Exploit Public-Facing Application
        Adversaries may attempt to take advantage of a weakness or a vulnerability in an Internet-facing application to cause unintended or unanticipated behavior and execute arbitrary code on the hosting machine. The weakness in the system can be a bug, a glitch, or a design vulnerability.

VT0002  External Remote Services
        External-facing remote services such as SSH, VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Adversaries may leverage such remote services to initially access and persist within a network. Access to remote services may be used as a redundant or persistent access mechanism during an operation.

VT0004  Supply Chain Compromise
        Adversaries may manipulate products or product delivery mechanisms prior to receipt by the end user to achieve data or system compromise.

  .001  Compromise Software Dependencies and Development Tools
        Adversaries may target software dependencies and development tools by manipulating libraries, open source (OS) package manager repositories, container images and repositories, and others before they reach the end user in order to cause data or system compromise.

  .002  Compromise Software Supply Chain
        Adversaries may manipulate application software prior to receipt by the end user for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

  .003  Compromise Hardware Supply Chain
        Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and that gives the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.

VT0010  Trusted Relationship
        Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through a trusted third-party relationship exploits an existing connection that may not be protected, or that receives less scrutiny than standard mechanisms of gaining access to a network.

VT0005  Valid Accounts
        Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

  .001  Default Accounts
        Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems, or default factory/provider-set accounts on other types of systems, software, or devices.

Attachments

ID: VTA0001
MITRE ID:
Created: 26 November 2020

Last Modified: 26 November 2020