Triage | P2 | ~45 min

Validate the Initial Access Vector

Confirm the initial access technique using MITRE ATT&CK mapping. Validate whether the suspected vector (phishing, exploit, credential stuffing, etc.) is supported by forensic evidence on patient zero.

Actions

  1. On patient zero, parse Outlook OST/PST for the phishing email and extract attachment hashes. Use `oletools` to analyze macros: `olevba -a malicious.docm | tee olevba_output.txt`.

  2. For web-app compromise, review IIS/Apache/Nginx access logs around T-start: look for exploit patterns (path traversal, SQLi, deserialization payloads) targeting the specific CVE.

  3. Check for credential-based access: query Azure AD sign-in logs for impossible travel, legacy auth protocols, or sign-ins from anonymizing infrastructure (Tor, VPN providers).

  4. Validate the hypothesis with EDR process tree analysis: on patient zero, trace the initial execution chain from the parent process (outlook.exe, w3wp.exe, sshd) to the first malicious child process.

  5. Cross-reference the access vector with threat intelligence: does the TTP match a known threat actor or campaign targeting your sector?

  6. For macro-based initial access, check Office MRU (Most Recently Used) keys in `NTUSER.DAT\Software\Microsoft\Office\<version>\<app>\File MRU` and examine Office Trust Records for macro-enabled docs. Parse with `RECmd.exe -f NTUSER.DAT --bn BatchExamples\Office_MRU.reb --csv .`.

  7. Examine Zone.Identifier alternate data streams on suspected payload files to confirm web/email download origin: `Get-Content -Path "suspicious_file" -Stream Zone.Identifier`. Zone ID 3 (Internet) or 4 (Restricted) confirms the file arrived via browser or email attachment.

Queries

Sentinel (KQL), successful sign-ins for the patient-zero account (`PATIENT_ZERO_UPN` is a placeholder):

```kql
SigninLogs
| where TimeGenerated between (datetime(T_START) .. datetime(T_END))
| where UserPrincipalName == "PATIENT_ZERO_UPN"
| where ResultType == 0
| project TimeGenerated, IPAddress, Location, ClientAppUsed, DeviceDetail, ConditionalAccessStatus
| order by TimeGenerated asc
```

Defender for Endpoint (KQL), child processes spawned by mail, Office and web-server parents on patient zero:

```kql
DeviceProcessEvents
| where DeviceName == "PATIENT_ZERO"
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where InitiatingProcessFileName in~ ("outlook.exe","winword.exe","excel.exe","powerpnt.exe","w3wp.exe","httpd","nginx")
| project Timestamp, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp asc
```

Splunk (SPL), exploit-pattern sweep of web-server access logs:

```spl
index=web sourcetype=iis OR sourcetype=apache host=PATIENT_ZERO_SERVER
| rex field=uri_path "(?<exploit_pattern>\.\.\/|union\s+select|java\.lang\.Runtime|__import__|eval\()"
| search exploit_pattern=*
| stats count by src_ip, uri_path, status, exploit_pattern
| sort -count
```

Splunk (SPL), successful Azure AD sign-ins for the patient-zero account:

```spl
index=azure sourcetype=azure:aad:signin user="PATIENT_ZERO_UPN" status.errorCode=0 earliest=T_START latest=T_END
| stats count by src_ip, appDisplayName, clientAppUsed, deviceDetail.operatingSystem
| sort -count
```
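Added example, not part of this playbook: an offline Python equivalent of the exploit-pattern sweep in the web-log query above, run over constructed combined-format access log lines. It URL-decodes each URI up to twice so double-encoded traversal (`..%252F`) is not missed by the same patterns; the combined log layout and the pattern names are assumptions.

```python
import re
from urllib.parse import unquote

# Same heuristics as the rex in the Splunk query (names are ours).
EXPLOIT_PATTERNS = {
    "path_traversal": re.compile(r"\.\./|\.\.\\"),
    "sqli_union": re.compile(r"union\s+select", re.I),
    "java_runtime": re.compile(r"java\.lang\.Runtime"),
    "python_import": re.compile(r"__import__"),
    "eval_call": re.compile(r"eval\("),
}

# Assumption: Apache/Nginx "combined" log layout (IIS W3C would need another regex).
COMBINED_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def decode_uri(uri, rounds=2):
    """URL-decode repeatedly so double-encoded payloads are matched in clear."""
    for _ in range(rounds):
        new = unquote(uri)
        if new == uri:
            break
        uri = new
    return uri

def scan_log(lines):
    """Return one hit per (line, pattern): src_ip, decoded uri, status, pattern name."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in real triage
        uri = decode_uri(m.group("uri"))
        for name, pat in EXPLOIT_PATTERNS.items():
            if pat.search(uri):
                hits.append({"src_ip": m.group("src_ip"), "uri": uri,
                             "status": int(m.group("status")), "exploit_pattern": name})
    return hits

# Constructed sample lines (not real traffic); note the double-encoded traversal.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2024:10:01:09 +0000] "GET /app?file=..%252F..%252Fetc/passwd HTTP/1.1" 200 1024',
    '203.0.113.7 - - [12/Mar/2024:10:01:15 +0000] "GET /search?q=1%27%20UNION%20SELECT%20user,pass HTTP/1.1" 500 77',
    '198.51.100.9 - - [12/Mar/2024:10:02:00 +0000] "POST /api/run?cmd=java.lang.Runtime HTTP/1.1" 403 0',
]
```

Run `scan_log(SAMPLE_LOG)` and group the hits by `src_ip` and `exploit_pattern` to reproduce the `stats count ... | sort -count` view; a 200 response on a traversal hit is the line to pivot on first.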

Notes

Map the confirmed access vector to the MITRE ATT&CK Initial Access tactic (T1566, T1190, T1078, T1133, etc.) for consistent reporting and threat intel correlation.

If the access vector cannot be confirmed with available evidence, document this as a gap and flag it for further collection.

For suspected exploitation-based access, check Windows Error Reporting (WER) logs at `C:\ProgramData\Microsoft\Windows\WER\` and Application event log EID 1000/1001 for crashes of exploited services (w3wp.exe, httpd, sshd) around T-start. Process crashes often precede successful exploitation.
