Initial Access
The adversary is trying to get into your network.

Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.

Techniques: 9

ID / Name / Description

T1189 Drive-by Compromise: Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring Application Access Token.

T1190 Exploit Public-Facing Application: Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

T1133 External Remote Services: Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.

T1200 Hardware Additions: Adversaries may introduce computer accessories, networking hardware, or other computing devices into a system or network that can be used as a vector to gain access. Rather than just connecting and distributing payloads via removable storage (i.e. Replication Through Removable Media), more robust hardware additions can be used to introduce new functionalities and/or features into a system that can then be abused.

T1566 Phishing: Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

  T1566.001 Spearphishing Attachment: Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

  T1566.002 Spearphishing Link: Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

  T1566.003 Spearphishing via Service: Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third-party services rather than directly via enterprise email channels.

T1091 Replication Through Removable Media: Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.

T1195 Supply Chain Compromise: Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

  T1195.001 Compromise Software Dependencies and Development Tools: Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.

  T1195.002 Compromise Software Supply Chain: Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

  T1195.003 Compromise Hardware Supply Chain: Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.

T1199 Trusted Relationship: Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through a trusted third-party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.

T1078 Valid Accounts: Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

  T1078.001 Default Accounts: Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider-set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.

  T1078.002 Domain Accounts: Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.

  T1078.003 Local Accounts: Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

  T1078.004 Cloud Accounts: Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management systems, such as Windows Active Directory.