Validate the Initial Access Vector
Confirm the initial access technique using MITRE ATT&CK mapping. Validate whether the suspected vector (phishing, exploit, credential stuffing, etc.) is supported by forensic evidence on patient zero.
Actions
1. On patient zero, parse the Outlook OST/PST for the phishing email and extract attachment hashes. Use `oletools` to analyze macros: `olevba -a malicious.docm | tee olevba_output.txt`.
2. For web-app compromise, review IIS/Apache/Nginx access logs around T_START (the start of the incident window): look for exploit patterns (path traversal, SQLi, deserialization payloads) targeting the specific CVE.
3. Check for credential-based access: query Azure AD sign-in logs for impossible travel, legacy authentication protocols, or sign-ins from anonymizing infrastructure (Tor, VPN providers).
4. Validate the hypothesis with EDR process tree analysis: on patient zero, trace the initial execution chain from the parent process (outlook.exe, w3wp.exe, sshd) to the first malicious child process.
5. Cross-reference the access vector with threat intelligence: does the TTP match a known threat actor or campaign targeting your sector?
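Step 4 is the one most often done by hand in the EDR console. The script below is an added example (not tooling from this playbook) that does the same walk over exported process events: it indexes events by parent PID, descends from the chosen root in timestamp order until it meets the first script host or LOLBin, and maps the root parent to the Initial Access technique it implies. The events are constructed, and the parent-to-technique table is an assumption built from the parents this step names.

```python
"""Trace the initial execution chain on patient zero from EDR process events
and map its root parent to a MITRE ATT&CK Initial Access technique.

Added example for this playbook step, not tooling from the original page.
The process events below are constructed, and the parent-to-technique
table is an assumption derived from the parents named in the Actions list."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    name: str
    cmdline: str
    ts: str  # ISO-8601, so string order is time order


# Root parents and the ATT&CK Initial Access technique they usually imply
# (assumed mapping; the T-numbers are those listed in the Notes section).
ROOT_TECHNIQUE = {
    "outlook.exe": "T1566 Phishing",
    "winword.exe": "T1566 Phishing",
    "excel.exe": "T1566 Phishing",
    "w3wp.exe": "T1190 Exploit Public-Facing Application",
    "httpd": "T1190 Exploit Public-Facing Application",
    "nginx": "T1190 Exploit Public-Facing Application",
    "sshd": "T1078 Valid Accounts / T1133 External Remote Services",
}

# Script hosts and living-off-the-land binaries that typically appear as the
# first malicious child of a mail client, Office app or web worker process.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "sh", "bash",
}


def build_children(events: List[ProcEvent]) -> Dict[int, List[ProcEvent]]:
    """Index events by parent PID, each child list in timestamp order."""
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    for lst in children.values():
        lst.sort(key=lambda e: e.ts)
    return children


def trace_initial_chain(events: List[ProcEvent], root_pid: int) -> Optional[List[ProcEvent]]:
    """Depth-first walk from root_pid, earliest children first, returning the
    path from the root to the first suspicious descendant, or None."""
    by_pid = {e.pid: e for e in events}
    children = build_children(events)

    def walk(node: ProcEvent, path: List[ProcEvent]) -> Optional[List[ProcEvent]]:
        for child in children.get(node.pid, []):
            new_path = path + [child]
            if child.name.lower() in SUSPICIOUS_CHILDREN:
                return new_path
            found = walk(child, new_path)
            if found:
                return found
        return None

    root = by_pid.get(root_pid)
    return walk(root, [root]) if root else None


def classify_vector(chain: Optional[List[ProcEvent]]) -> str:
    """Map the chain's root parent to an Initial Access technique."""
    if not chain:
        return "unconfirmed"
    return ROOT_TECHNIQUE.get(chain[0].name.lower(), "unconfirmed")


def format_chain(chain: List[ProcEvent]) -> str:
    return " -> ".join(e.name for e in chain)


# Constructed EDR events for patient zero (not real telemetry).
EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe", "2024-05-01T09:00:00Z"),
    ProcEvent(200, 100, "outlook.exe", "outlook.exe", "2024-05-01T09:01:00Z"),
    ProcEvent(300, 200, "winword.exe",
              'winword.exe /n "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.docm"',
              "2024-05-01T09:05:12Z"),
    ProcEvent(400, 300, "powershell.exe",
              "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>",
              "2024-05-01T09:05:20Z"),
    ProcEvent(500, 100, "chrome.exe", "chrome.exe", "2024-05-01T09:06:00Z"),
]

if __name__ == "__main__":
    chain = trace_initial_chain(EVENTS, 200)
    print(format_chain(chain), "=>", classify_vector(chain))
```

Starting the walk at outlook.exe (PID 200) yields `outlook.exe -> winword.exe -> powershell.exe` and classifies the vector as T1566; starting at explorer.exe finds the same chain but returns "unconfirmed", which is the right answer when the root is not itself an ingress process. On real telemetry, key the tree on the EDR's unique process identifier rather than the numeric PID, since PIDs are reused within the incident window and a PID-only tree can splice unrelated processes together.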
Queries
Azure AD sign-in logs (Sentinel KQL):
SigninLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where UserPrincipalName == "COMPROMISED_USER_UPN" | where ResultType == "0" | project TimeGenerated, IPAddress, Location, ClientAppUsed, DeviceDetail, ConditionalAccessStatus | order by TimeGenerated asc

EDR process tree on patient zero (Defender KQL):
DeviceProcessEvents | where DeviceName == "PATIENT_ZERO" | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where InitiatingProcessFileName in~ ("outlook.exe","winword.exe","excel.exe","powerpnt.exe","w3wp.exe","httpd","nginx") | project Timestamp, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp asc

Web server access logs (Splunk SPL):
index=web sourcetype=iis OR sourcetype=apache host=PATIENT_ZERO_SERVER | rex field=uri_path "(?<exploit_pattern>\.\.\/|union\s+select|java\.lang\.Runtime|__import__|eval\()" | search exploit_pattern=* | stats count by src_ip, uri_path, status, exploit_pattern | sort -count
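When the web server logs have not been ingested into the SIEM (a common situation when the evidence is a raw log export from the host), the Splunk search above can be reproduced directly over the files. The following is an added example, not part of this playbook: it parses combined-format access log lines, applies the same five indicator patterns, and aggregates by source IP, path, status and pattern exactly as the `stats` clause does. It goes beyond the SPL in two ways, both this example's choices: the URI is percent-decoded before matching so that encoded payloads are not missed, and the match runs over the full request URI (path and query string), not only the path. The log lines are constructed.

```python
"""Run the access-log exploit-pattern search from the Queries section over raw
web server log lines, the way the Splunk query does inside the SIEM.

Added example, not part of the original playbook. The log lines are
constructed; the combined log format regex, the URL decoding and matching on
the full URI are this example's assumptions."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Apache/Nginx combined log format (assumed for the sample lines below).
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Same indicators as the Splunk rex, each named so the aggregate can group
# by which pattern matched.
EXPLOIT_PATTERNS = [
    ("path_traversal", re.compile(r"\.\./")),
    ("sql_union", re.compile(r"union\s+select", re.I)),
    ("java_runtime", re.compile(r"java\.lang\.Runtime")),
    ("python_import", re.compile(r"__import__")),
    ("eval_call", re.compile(r"eval\(")),
]


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    return rec


def match_exploit_patterns(uri: str) -> List[str]:
    """Names of all patterns found in the URI. The URI is decoded twice so
    that single- and double-encoded payloads (e.g. %2e%2e%2f) are seen."""
    decoded = unquote(unquote(uri))
    return [name for name, rx in EXPLOIT_PATTERNS if rx.search(decoded)]


def aggregate_suspicious(lines: List[str]) -> List[Tuple[Tuple[str, str, int, str], int]]:
    """Equivalent of: stats count by src_ip, uri_path, status, exploit_pattern | sort -count."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real run should count these too
        uri = str(rec["uri"])
        path = uri.split("?", 1)[0]
        for name in match_exploit_patterns(uri):
            counts[(str(rec["src_ip"]), path, int(rec["status"]), name)] += 1
    return counts.most_common()


# Constructed sample of an access log around T_START (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [01/May/2024:09:04:55 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.10 - - [01/May/2024:09:05:01 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1042',
    '203.0.113.10 - - [01/May/2024:09:05:02 +0000] "GET /download?file=..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0',
    '198.51.100.7 - - [01/May/2024:09:06:40 +0000] "GET /search?q=1%27%20UNION%20SELECT%20user%2Cpass%20FROM%20users-- HTTP/1.1" 500 0',
    '192.0.2.44 - - [01/May/2024:09:07:00 +0000] "POST /api/login HTTP/1.1" 200 88',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for key, count in aggregate_suspicious(SAMPLE_LOG):
        src_ip, path, status, pattern = key
        print(f"{count:>3}  {src_ip:<15} {path:<12} {status}  {pattern}")
```

The 200 response on the first traversal request is the row to chase: a 403 shows the attempt was blocked, while a 200 with a non-trivial byte count suggests the payload worked and that host should be treated as compromised until the response body or file access evidence says otherwise. Keep the unparseable-line count in a real run; a sudden run of lines the parser rejects can itself be a sign of log tampering or a format change that hides activity.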
Notes
- Map the confirmed access vector to the MITRE ATT&CK Initial Access tactic (T1566, T1190, T1078, T1133, etc.) for consistent reporting and threat intel correlation.
- If the access vector cannot be confirmed with available evidence, document this as a gap and flag it for further collection.
Common Blockers
M365/Azure Logs Past Retention Period
Unified Audit Log (UAL) entries in Microsoft 365 or Azure AD sign-in logs have expired beyond the default 90-day (E3) or 180-day (E5) retention window. Historical evidence of initial access, mailbox abuse, or OAuth consent grants is no longer available in the tenant.
Unknown Scope of Credential Compromise
One or more accounts are confirmed compromised, but it is unclear how many additional credentials the attacker has obtained. Resetting only known-compromised accounts may be insufficient, while a mass reset disrupts operations.
Attacker Using VPN/Tor -- Cannot Determine True Origin
The threat actor is connecting through VPN services, Tor exit nodes, or residential proxy networks. Source IP addresses rotate frequently and do not reveal the actual origin, limiting geographic attribution and IP-based blocking.
Suspected Insider Still Has Access -- Investigation Must Be Covert
The primary suspect is a current employee or contractor who still has active credentials and system access. Overt containment actions (account lockout, visible monitoring) would tip off the suspect and risk evidence destruction or acceleration of harmful activity.