Initial Access
Goal: The attacker gains initial access to the target system.
Initial Access Techniques
Content Injection
Exploit Public-Facing Application
Hardware Additions
Replication Through Removable Media
Trusted Relationship
Drive-by Compromise
External Remote Services
Phishing
Supply Chain Compromise
Valid Accounts
Exploit Public-Facing Application
Initial access is gained by exploiting vulnerabilities in applications exposed to the outside.
At this stage, vulnerabilities in network-facing programs are the primary target.
Services reachable over network protocols such as SQL, SSH, and SNMP are commonly targeted.
External Remote Services
Where externally reachable remote-access services exist, attackers use them, together with obtained remote-connection account credentials, to get into the network.
Entry may be gained through built-in remote-access applications such as Windows Remote Desktop or through dedicated VPNs.
Hardware Additions
Various types of devices, such as network equipment, laptops, mobile phones, and tablets, are connected to the target's network for infiltration.
The DarkVishnya attack group infiltrated by connecting a Raspberry Pi device to the target's local network.
Unsecured Wi-Fi networks with a strong signal can be accessed from outside the premises to gain entry.
Replication Through Removable Media
Malicious code is installed on a USB device and executed using the Autorun feature when the USB is connected.
Attackers may intentionally drop USB devices around the target building to lure victims into plugging them in.
While Autorun is often disabled on modern PCs, it remains effective on IoT and similar device types.
Phishing
Exploiting various services to deliver malware
Sending malicious attachments
Sending phishing links
Conducting phishing calls to instruct malware installation
Supply Chain Compromise
Source code repositories
Open-source code
System images
Deployment software
Trusted Relationship
If the target has strong cybersecurity defenses, attackers may infiltrate secondary or tertiary partner organizations with weaker security.
The looser security measures of those partner organizations are then exploited to gain access to the target network.
Valid Accounts
Infiltrating the target network using valid account credentials.
Service Accounts and Other Account Types:
Default Accounts: Built-in OS accounts such as Windows Guest, Administrator, as well as AWS Root Account, Kubernetes default accounts, etc.
Domain Accounts: Extracting Active Directory credentials from OS memory or cache.
Local Accounts: Retrieving local account credentials from OS memory or cache.
Cloud Accounts: Brute-force attacks, phishing, and other techniques to steal cloud account credentials.
Expanding Attacks from Cloud to On-Premises: Infecting deployment tools in SaaS-based software to spread attacks from cloud environments to on-premises systems.
More
What is OS Memory?
OS memory refers to the RAM (Random Access Memory) used by an operating system (OS) while running. The OS utilizes memory for program execution, process management, and storing system data.
Why Attackers Target OS Memory
While the OS is running, user credentials, session data, encryption keys, security tokens, and other sensitive information may be stored in memory. Attackers exploit this to gain control over the system.
Common Techniques for Extracting Credentials from OS Memory
1. LSASS Dumping (Windows)
The LSASS (Local Security Authority Subsystem Service) process in Windows stores Active Directory (AD) and local authentication credentials.
Attackers use tools like Mimikatz to dump LSASS memory and extract password hashes.
These hashes can be used in Pass-the-Hash (PtH) attacks to bypass authentication.
2. Credential Dumping (Linux & Windows)
Extracting credentials from memory locations such as /proc/mem (Linux) or lsass.exe (Windows).
Tools like ProcDump, Mimikatz, and Volatility help in analyzing memory for credentials.
3. Kernel Memory Scraping
Retrieving security tokens, encryption keys, and session data from kernel memory.
Direct Memory Access (DMA) attacks allow physical access to OS memory for direct extraction.
4. Browser Memory Analysis
Extracting login session tokens and cookies stored in browser memory (e.g., Chrome, Firefox).
Malware such as Redline Stealer and Vidar can harvest credentials directly from browser memory.
Defense Strategies (Protecting OS Memory)
Protect LSASS - Enable LSASS protected-process mode (the RunAsPPL setting in Windows).
Prevent Memory Dumping - Use Credential Guard and Secure Boot.
Deploy EDR/XDR Security Solutions - Detect and block memory-based attacks.
Enable Memory Encryption - Use VBS (Virtualization-Based Security) in Windows 10/11.
In summary, attackers target OS memory to steal credentials, session data, and security keys, and strong memory protection and security policies are essential to prevent such attacks!
What is Credential Guard?
Credential Guard is a Windows security feature that protects login credentials from being stolen by attackers.
It uses Virtualization-Based Security (VBS) to isolate and protect authentication information (passwords, hashes, NTLM tokens, etc.).
Even if an attacker uses credential dumping tools like Mimikatz, they cannot extract credentials from LSASS memory.
In short, enabling Credential Guard prevents attackers from stealing login credentials (hashes, tokens, etc.) from memory!
Attacks it helps prevent:
Pass-the-Hash attacks
Pass-the-Ticket attacks
Kerberos ticket cloning attacks
How to enable it:
Available on Windows 10/11 Enterprise and Windows Server
Enable Credential Guard via Group Policy
Requires Hyper-V-based VBS (Virtualization-Based Security)
What is Secure Boot?
Secure Boot is a UEFI security feature that prevents malicious code from running during system startup.
It allows only digitally signed and trusted OS and drivers to load during the boot process.
Attackers cannot install rootkits or bootkits because Secure Boot will block unauthorized bootloaders.
In short, enabling Secure Boot prevents attackers from running malware at the boot level!
Attacks it helps prevent:
UEFI/BIOS rootkits and bootkits
Malware that executes before the OS loads
How to enable it:
Enable Secure Boot in BIOS/UEFI settings
Supported on modern versions of Windows and some Linux distributions
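The Defense Strategies list and the Credential Guard and Secure Boot enablement notes above name three host settings. The following audit script is an added example, not part of the original notes: it reads the RunAsPPL registry value, queries the Win32_DeviceGuard CIM class for VBS and Credential Guard status, and calls Confirm-SecureBootUEFI, reporting which controls are actually active on the machine it runs on.

```powershell
# Added audit example (not from the original notes): reports whether the
# memory-protection controls discussed above are active on this host.
# Run from an elevated PowerShell session on Windows 10/11 or Windows Server.

function Get-LsassProtection {
    # RunAsPPL = 1 (or 2 with UEFI lock) means LSASS runs as a Protected Process Light.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $value = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }
    [pscustomobject]@{ Control = 'LSASS RunAsPPL'; Enabled = ($value -ge 1); Detail = "RunAsPPL=$value" }
}

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = VBS running;
    # SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $cgRunning  = ($dg.SecurityServicesRunning -contains 1)
    $detail = "VBS=$($dg.VirtualizationBasedSecurityStatus) Services=$($dg.SecurityServicesRunning -join ',')"
    [pscustomobject]@{ Control = 'Credential Guard (VBS)'; Enabled = ($vbsRunning -and $cgRunning); Detail = $detail }
}

function Get-SecureBootStatus {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "not enabled".
    try   { $on = Confirm-SecureBootUEFI; $detail = 'UEFI firmware' }
    catch { $on = $false; $detail = "Not UEFI or query failed: $($_.Exception.Message)" }
    [pscustomobject]@{ Control = 'Secure Boot'; Enabled = [bool]$on; Detail = $detail }
}

$report = @(Get-LsassProtection; Get-CredentialGuardStatus; Get-SecureBootStatus)
$report | Format-Table -AutoSize

# Exit non-zero when any control is off, so the script can gate a compliance check.
if ($report.Enabled -contains $false) { exit 1 } else { exit 0 }
```

Credential Guard can be configured yet not running (for example when the hardware lacks virtualization support), which is why the check reads the running state rather than the policy setting.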
Credential Guard vs. Secure Boot (Key Differences)
| Feature | Credential Guard | Secure Boot |
| --- | --- | --- |
| What it protects | Login credentials (passwords, hashes, tokens) | The boot process (prevents malware from running during boot) |
| Security mechanism | Virtualization-Based Security (VBS) | UEFI-based security |
| Prevents | Mimikatz, Pass-the-Hash, Pass-the-Ticket attacks | Rootkits, bootkits, firmware malware |
| Where to enable it | Windows Group Policy settings | BIOS/UEFI settings |
Secure Boot protects the boot process, while Credential Guard protects login credentials!
Enabling both provides a stronger security posture!