The adversary is trying to get into your network.
Initial Access consists of techniques that use various entry vectors to gain an initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses in public-facing web servers. A foothold gained through initial access may allow continued access, as with valid accounts or external remote services, or may be limited-use, for example when a stolen password is changed.
| ID | Name | Description |
|---|---|---|
| VT0003 | Exploit Public-Facing Application | Adversaries may take advantage of a weakness or vulnerability in an Internet-facing application to cause unintended or unanticipated behavior, including execution of arbitrary code on the hosting machine. The weakness may be a bug, a glitch, or a design vulnerability. |
| VT0002 | External Remote Services | External-facing remote services such as SSH, VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. Adversaries may use such remote services to gain initial access to, and persist within, a network. Access to remote services may serve as a redundant or persistent access mechanism during an operation. |
| VT0004 | Supply Chain Compromise | Adversaries may manipulate products or product delivery mechanisms prior to receipt by the end user to achieve data or system compromise. |
| .001 | Compromise Software Dependencies and Development Tools | Adversaries may target software dependencies and development tools by manipulating libraries, open source package manager repositories, container images and registries, and similar components before they reach the end user, in order to cause data or system compromise. |
| .002 | Compromise Software Supply Chain | Adversaries may manipulate application software prior to receipt by the end user for the purpose of data or system compromise. Software supply chain compromise can take place in a number of ways, including manipulation of the application source code, manipulation of the update or distribution mechanism for that software, or replacement of compiled releases with a modified version. |
| .003 | Compromise Hardware Supply Chain | Adversaries may manipulate hardware components in products prior to receipt by the final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and that gives the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals. |
| VT0010 | Trusted Relationship | Adversaries may breach or otherwise leverage organizations that have access to intended victims. Access through a trusted third-party relationship exploits an existing connection that may not be protected, or that receives less scrutiny than the standard mechanisms of gaining access to a network. |
| VT0005 | Valid Accounts | Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. |
| .001 | Default Accounts | Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those built into an OS, such as the Guest or Administrator accounts on Windows systems, or default factory- or provider-set accounts on other types of systems, software, or devices. |
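The two software supply chain entries above (.001 and .002) both end in the same place: an artifact that differs from what the vendor released. The check a practitioner wants before installing anything is a comparison against a digest pinned out of band. The block below is an added example written for this page, not code from the framework that defines these technique IDs. It assumes the pins come from a trusted source separate from the download mirror, uses a lockfile line style modelled on pip's `--hash=sha256:` hash-checking mode, and constructs both the trusted artifacts and the tampered download set inline so it runs offline.

```python
"""Verify downloaded release artifacts against pinned SHA-256 digests so that a
package swapped on a mirror or in transit, or a dependency that was never
pinned, is rejected before installation. All artifacts are constructed."""
import hashlib
import hmac

# Constructed "trusted" release contents, standing in for what a vendor's
# signed checksum file describes. Assumption: a real deployment obtains these
# pins out of band, never from the same mirror that serves the artifact.
TRUSTED = {
    "libparse-1.4.2.tar.gz": b"libparse 1.4.2 source tree (constructed)",
    "buildtool-0.9.0-py3-none-any.whl": b"buildtool 0.9.0 wheel (constructed)",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lockfile(trusted: dict) -> str:
    """Render one `name --hash=sha256:<hex>` line per trusted artifact,
    in the style of pip's hash-checking mode."""
    return "\n".join(
        f"{name} --hash=sha256:{sha256_hex(data)}" for name, data in trusted.items()
    )


def parse_lockfile(text: str) -> dict:
    """Map artifact name -> pinned hex digest; a line without a pin is an error,
    because silently accepting an unpinned entry defeats the check."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, digest = line.partition(" --hash=sha256:")
        if not digest:
            raise ValueError(f"no sha256 pin for {name!r}")
        pins[name] = digest.strip().lower()
    return pins


def verify(downloaded: dict, pins: dict) -> dict:
    """Return name -> (accepted, reason). Anything without a pin is rejected,
    which is what catches an unexpected extra dependency."""
    results = {}
    for name, data in downloaded.items():
        expected = pins.get(name)
        if expected is None:
            results[name] = (False, "no pinned digest")
            continue
        actual = sha256_hex(data)
        if hmac.compare_digest(actual, expected):
            results[name] = (True, "digest matches")
        else:
            results[name] = (False, f"digest mismatch: expected {expected[:12]}, got {actual[:12]}")
    return results


# Constructed download set: the wheel has been replaced with a modified build
# (.002-style replacement of a compiled release) and a package that was never
# pinned has appeared alongside it (.001-style dependency manipulation).
DOWNLOADED = dict(TRUSTED)
DOWNLOADED["buildtool-0.9.0-py3-none-any.whl"] = (
    b"buildtool 0.9.0 wheel (constructed) + injected code"
)
DOWNLOADED["helper-2.0.tar.gz"] = b"unexpected transitive dependency (constructed)"


def check_download_set() -> dict:
    """Run the full check against the constructed download set."""
    return verify(DOWNLOADED, parse_lockfile(build_lockfile(TRUSTED)))


if __name__ == "__main__":
    for name, (ok, reason) in check_download_set().items():
        print("ACCEPT" if ok else "REJECT", name, "-", reason)
```

Rejecting unpinned names is deliberate: a compromised index can add a dependency as easily as it can alter one, and a verifier that only checks what it already knows about would wave the newcomer through.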
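External Remote Services (VT0002), Valid Accounts (VT0005) and Default Accounts (.001) overlap in practice: the cheapest form of all three is a successful SSH login to a built-in account from an address outside the organisation. The detection below is an added example for this page, not code from the framework that defines these technique IDs. It parses OpenSSH's `Accepted <method> for <user> from <ip>` auth-log lines (the real sshd format); the list of default account names and the RFC 1918 ranges standing in for the internal network are assumptions, and the log lines are constructed with documentation-range addresses.

```python
"""Flag successful SSH logins to default or built-in accounts and note whether
the source address lies outside the organisation's own ranges. Log lines are
constructed for this example in OpenSSH's sshd auth-log format."""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: built-in or vendor-default account names that should never be
# used for interactive SSH access. A real deployment maintains its own list.
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "guest", "ubuntu", "pi", "vagrant"}

# Assumption: the RFC 1918 ranges stand in for the internal network.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Matches OpenSSH's "Accepted <method> for <user> from <ip> port <n>" records;
# "Failed ..." lines and other daemons deliberately do not match.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    user: str
    source_ip: str
    method: str
    external: bool  # True when the source is outside INTERNAL_NETWORKS


def is_external(ip: str) -> bool:
    """True when the address falls outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def analyse(lines) -> list:
    """Return one Finding per successful login to a default account."""
    findings = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m is None:
            continue
        if m["user"].lower() not in DEFAULT_ACCOUNTS:
            continue
        findings.append(Finding(
            timestamp=m["ts"], host=m["host"], user=m["user"],
            source_ip=m["ip"], method=m["method"], external=is_external(m["ip"]),
        ))
    return findings


# Constructed sample: one ordinary key-based login, a failed then successful
# password login to "admin" from an external address, and a password login to
# "root" from inside the network.
SAMPLE_LOG = """\
Mar  3 09:12:01 bastion sshd[2311]: Accepted publickey for alice from 10.0.4.17 port 50122 ssh2: ED25519 SHA256:constructed
Mar  3 09:13:44 bastion sshd[2350]: Failed password for admin from 198.51.100.23 port 40011 ssh2
Mar  3 09:13:49 bastion sshd[2350]: Accepted password for admin from 198.51.100.23 port 40011 ssh2
Mar  3 09:20:05 bastion sshd[2402]: Accepted password for root from 192.168.1.50 port 33190 ssh2
Mar  3 09:21:30 bastion sshd[2410]: Accepted publickey for bob from 203.0.113.8 port 51000 ssh2: RSA SHA256:constructed
"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        where = "EXTERNAL" if f.external else "internal"
        print(f"{f.timestamp} {f.host}: {f.user} via {f.method} from {f.source_ip} ({where})")
```

Both findings matter, but for different rows of the table: the external `admin` login is the External Remote Services case, while the internal `root` login is still a Default Accounts finding even though nothing crossed the perimeter, which is why the rule keys on the account name first and records the source only as context.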
Created: 26 November 2020
Last Modified: 26 November 2020