3- Initial Access Flashcards
3- Initial Access
TA0001
9 techniques
1- Drive-by Compromise
2- Exploit Public-Facing Application
3- External Remote Services
4- Hardware Additions
5- Phishing
6- Replication Through Removable Media
7- Supply Chain Compromise
8- Trusted Relationship
9- Valid Accounts
3.1 - Drive-by Compromise
T1189
Platforms: Linux, SaaS, Windows, macOS
Permissions Required: User
Data Sources:
Application Log: Application Log Content,
File: File Creation,
Network Traffic: Network Connection Creation,
Network Traffic: Network Traffic Content,
Process: Process Creation
M1048 - Application Isolation and Sandboxing
M1050 - Exploit Protection
M1021 - Restrict Web-Based Content
M1051 - Update Software
3.2 - Exploit Public-Facing Application
T1190
Platforms: Containers, IaaS, Linux, Network, Windows, macOS
Permissions Required: User
Data Sources:
Application Log: Application Log Content,
Network Traffic: Network Traffic Content
M1048 - Application Isolation and Sandboxing
M1050 - Exploit Protection
M1030 - Network Segmentation
M1026 - Privileged Account Management
M1021 - Restrict Web-Based Content
M1051 - Update Software
M1061 - Vulnerability Scanning
3.3 - External Remote Services
T1133
Platforms: Containers, Linux, Windows
Permissions Required: User
Data Sources:
Application Log: Application Log Content,
Logon Session: Logon Session Metadata,
Network Traffic: Network Traffic Flow
CAPEC ID: CAPEC-555
M1042 - Disable or Remove Feature or Program
M1035 - Limit Access to Resource Over Network
M1032 - Multi-factor Authentication
M1030 - Network Segmentation
3.4 - Hardware Additions
T1200
Platforms: Linux, Windows, macOS
CAPEC ID: CAPEC-440
M1035 - Limit Access to Resource Over Network
M1034 - Limit Hardware Installation
3.5 - Phishing
T1566
1- Spearphishing Attachment
2- Spearphishing Link
3- Spearphishing via Service
Platforms: Google Workspace, Linux, Office 365, SaaS, Windows, macOS
Data Sources:
Application Log: Application Log Content,
Network Traffic: Network Traffic Content,
Network Traffic: Network Traffic Flow
CAPEC ID: CAPEC-98
M1049 - Antivirus/Antimalware
M1031 - Network Intrusion Prevention
M1021 - Restrict Web-Based Content
M1054 - Software Configuration
M1017 - User Training
3.6 - Replication Through Removable Media
T1091
System Requirements: Removable media allowed, Autorun enabled or vulnerability present that allows for code execution
Permissions Required: User
Data Sources:
Drive: Drive Creation,
File: File Access,
File: File Creation,
Process: Process Creation
M1042 - Disable or Remove Feature or Program
M1034 - Limit Hardware Installation
3.7 - Supply Chain Compromise
T1195
1- Compromise Software Dependencies and Development Tools
2- Compromise Software Supply Chain
3- Compromise Hardware Supply Chain
Platforms: Linux, Windows, macOS
CAPEC ID: CAPEC-437, CAPEC-438, CAPEC-439
3.8 - Trusted Relationship
T1199
Platforms: IaaS, Linux, SaaS, Windows, macOS
Data Sources:
Application Log: Application Log Content,
Logon Session: Logon Session Creation,
Logon Session: Logon Session Metadata
3.9 - Valid Accounts
T1078
1- Default Accounts
2- Domain Accounts
3- Local Accounts
4- Cloud Accounts
Platforms: Azure AD, Containers, Google Workspace, IaaS, Linux, Office 365, SaaS, Windows, macOS
Permissions Required: Administrator, User
Effective Permissions: Administrator, User
Data Sources:
Logon Session: Logon Session Creation,
User Account: User Account Authentication
Defense Bypassed: Anti-virus, Application control, Firewall, Host intrusion prevention systems, Network intrusion detection system, System access controls
CAPEC ID: CAPEC-560
M1013 - Application Developer Guidance
M1027 - Password Policies
M1026 - Privileged Account Management