Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a network. Techniques used to gain a foothold include targeted spearphishing and exploiting weaknesses on public-facing web servers. Footholds gained through initial access may allow for continued access, like valid accounts and use of external remote services, or may be limited-use due to changing passwords.
Tactic Overview
Tactic ID: TA0001 — Matrix: Enterprise — Techniques: 11
The Initial Access tactic represents a phase in the adversary lifecycle where the adversary is trying to get into your network. This tactic is part of the MITRE ATT&CK Enterprise matrix and encompasses 11 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (11)
The following techniques are categorized under the Initial Access tactic in the MITRE ATT&CK Enterprise matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
T1659 | Content Injection | Adversaries inject malicious content into legitimate web traffic or communications to gain initial access to victim systems. | T1659 |
T1189 | Drive-by Compromise | Adversaries compromise websites visited by targets to deliver exploits or malicious content through the user's browser. | T1189 |
T1190 | Exploit Public-Facing Application | Adversaries exploit vulnerabilities in internet-facing applications such as web servers, Exchange, VPNs, and firewalls. Used extensively by APT28, APT29, APT41, Volt Typhoon, and HAFNIUM targeting Exchange, Citrix, Fortinet, and Pulse Secure. | T1190 |
T1133 | External Remote Services | Adversaries leverage external-facing remote services like VPNs, Citrix, and RDP to initially access and persist within a network. | T1133 |
T1200 | Hardware Additions | Adversaries introduce rogue hardware devices such as network implants, USB devices, or wireless access points to gain access. | T1200 |
T1566 | Phishing (4 sub-techniques) | Adversaries send social engineering messages with malicious attachments or links to gain access. Sub-techniques include spearphishing attachment, link, via service, and voice. | T1566 |
T1091 | Replication Through Removable Media | Adversaries move onto systems by copying malware to removable media like USB drives that are then inserted into air-gapped or disconnected networks. | T1091 |
T1195 | Supply Chain Compromise (3 sub-techniques) | Adversaries manipulate products or delivery mechanisms before receipt by the end consumer, compromising software dependencies, supply chains, or hardware. | T1195 |
T1199 | Trusted Relationship | Adversaries breach organizations through trusted third-party relationships such as MSPs, contractors, or business partners with network access. | T1199 |
T1078 | Valid Accounts (4 sub-techniques) | Adversaries obtain and abuse credentials of existing accounts for initial access, persistence, and privilege escalation. Extensively used by APT28, APT29, Lazarus Group, Volt Typhoon, and ransomware groups like Akira and BlackByte. | T1078 |
T1669 | Wi-Fi Networks | Adversaries exploit wireless networks to gain initial access to target environments through proximity-based attacks. | T1669 |
Key Technique Deep Dives
The following techniques are among the most commonly observed in real-world attacks within this tactic:
Real-World Usage
- APT28: Exploited CVE-2020-0688 and CVE-2020-17144 in Microsoft Exchange; SQL injection against external websites
- APT29: Exploited Citrix (CVE-2019-19781), Pulse Secure VPNs (CVE-2019-11510), FortiGate VPNs (CVE-2018-13379), Zimbra (CVE-2019-9670)
- APT41: Exploited Zoho ManageEngine (CVE-2020-10189), Citrix ADC, ProxyLogon, SQL injection
- HAFNIUM: Exploited multiple Exchange Server vulnerabilities; targeted Log4j
- Volt Typhoon: Exploited Fortinet, Ivanti (Pulse Secure), NETGEAR, Citrix, and Cisco vulnerabilities
- Salt Typhoon: Exploited CVE-2018-0171 in Cisco IOS Smart Install
- Sandworm: Exploited EXIM mail transfer agent in Linux systems
Key Mitigations
- M1051 - Update Software: Regular patch management for externally exposed applications
- M1050 - Exploit Protection: Deploy WAFs to limit application exposure
- M1030 - Network Segmentation: Isolate externally facing servers via DMZ
- M1016 - Vulnerability Scanning: Regular scanning of externally facing systems
Real-World Usage
- Kimsuky: Spearphishing for initial access and intelligence gathering
- APT29: Sophisticated spearphishing campaigns with malicious attachments
- GOLD SOUTHFIELD: Malicious spam campaigns for system access
- INC Ransom: Phishing including callback phishing tactics
Key Mitigations
- M1049 - Antivirus/Antimalware: Quarantine suspicious files automatically
- M1054 - Software Configuration: Deploy SPF, DKIM, DMARC for anti-spoofing
- M1017 - User Training: Educate users on identifying social engineering
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Network segmentation
- Multi-factor authentication
- Email filtering and sandboxing
- Patch management for public-facing applications
- VPN and zero-trust architecture
Detection Strategies
Effective detection of Initial Access techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Initial Access tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Resources & References
Defend Against Initial Access Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Stay updated on MITRE ATT&CK developments and threat intelligence insights.
View All Reports →Written by Mjolnir Security Research — Published March 7, 2026