Initial Access: TA0001
Overview
The Initial Access phase in the MITRE ATT&CK framework refers to how attackers gain an initial foothold in a target environment. In Azure, this often involves abusing identity, exploiting public-facing applications, or leveraging compromised credentials to infiltrate the cloud infrastructure. Below are the core concepts of TA0001.
1. Exploiting Public-Facing Applications
Technique: T1190 - Exploit Public-Facing Application
Attackers target vulnerabilities in exposed services to gain unauthorized access.
Azure Example: Exploit a vulnerable web app hosted on Azure App Service to upload a malicious web shell and gain control over the backend server.
2. Leveraging Stolen Credentials (Valid Accounts)
Technique: T1078 - Valid Accounts
Attackers use compromised or weak credentials to log into systems without triggering alarms.
T1078.004 - Cloud Accounts: Use stolen Entra ID tokens to access resources without being prompted for MFA, such as Key Vault secrets and Blob Storage.
3. Phishing for Credentials or Token Hijacking
Technique: T1566 - Phishing
Attackers use social engineering to trick users into revealing credentials or approving malicious OAuth apps.
T1566.001 - Spearphishing Attachment: Send a malicious Excel file with embedded macros to exfiltrate tokens from a victim’s device.
T1566.002 - Spearphishing Link: Direct the target to a malicious OAuth consent page, granting the attacker access to Microsoft 365 resources.
4. Abusing Remote Services
Technique: T1133 - External Remote Services
Adversaries gain access by exploiting exposed remote services like RDP, SSH, or Azure Bastion.
Azure Example: Use weak or stolen credentials to reach a VM over an exposed remote service and gain a foothold in the environment.
5. Supply Chain Compromise
Technique: T1195 - Supply Chain Compromise
Attackers compromise a third-party component to infiltrate the target environment.
T1195.002 - Compromise Software Supply Chain: An attacker injects malicious code into a third-party library that is integrated into an Azure DevOps CI/CD pipeline.
6. Abusing Trusted Relationships
Technique: T1199 - Trusted Relationship
Attackers exploit inter-organizational trust relationships to gain access to resources.
Azure Example: Leverage a misconfigured tenant-to-tenant trust to access sensitive data in another Azure subscription.
7. Exploiting Default or Weak Credentials
Technique: T1078.001 - Default Accounts
Attackers target resources configured with default or weak credentials.
Azure Example: A newly deployed Azure VM is left with default admin credentials, allowing the attacker to gain access.
8. Using Exploited Hardware or IoT Devices
Technique: T1195.003 - Compromise Hardware Supply Chain
Adversaries tamper with hardware to introduce malicious code or backdoors.
Azure Example: Attackers compromise firmware in IoT devices connected to Azure IoT Hub, gaining access to the cloud environment.
Summary of Key Concepts with Techniques for TA0001
Key Concept | Technique | Azure Example
--- | --- | ---
Exploiting Public-Facing Applications | T1190 - Exploit Public-Facing Application | Exploit an Azure App Service to upload a web shell
Stolen Credentials (Valid Accounts) | T1078 - Valid Accounts | Use stolen Entra ID (Azure AD) tokens to access resources
Phishing and Social Engineering | T1566 - Phishing | Trick user into granting OAuth consent
Abusing Remote Services | T1133 - External Remote Services | Use weak credentials via Azure Bastion to access a VM
Supply Chain Compromise | T1195 - Supply Chain Compromise | Inject malicious code into an Azure DevOps CI/CD pipeline
Trusted Relationship Exploitation | T1199 - Trusted Relationship | Abuse tenant-to-tenant trust to gain access
Exploiting Default Credentials | T1078.001 - Default Accounts | Gain access via default admin credentials on a VM
Compromised Hardware or IoT Devices | T1195.003 - Compromise Hardware Supply Chain | Gain access through compromised IoT firmware connected to Azure IoT Hub