T1566, T1190, T1189, T1133

Initial Access Response

A step-by-step playbook for responding to confirmed initial access — phishing-derived access, drive-by downloads, external service compromise, and valid account abuse. Includes triage, containment, forensic collection, and finding the entry point.

What This Playbook Covers

  • This playbook handles confirmed initial access — an attacker has gained a foothold on a system or application. It covers the four most common initial access vectors: phishing (T1566), drive-by compromise (T1189), exploitation of public-facing applications (T1190), and external remote services abuse (T1133).
  • Initial access is the most time-sensitive phase of incident response. If the entry point is not found and closed quickly, the attacker will move laterally (see Lateral Movement Response), establish persistence, and achieve their objectives.
  • MITRE ATT&CK references: T1566 (Phishing — spearphishing attachment, link, and via service), T1190 (Exploit Public-Facing Application), T1189 (Drive-by Compromise), T1133 (External Remote Services: VPN/RDP).
  • Parallel playbooks: Phishing Triage (for phishing-specific triage), Suspicious Authentication (for credential-based access), Lateral Movement Response (for when access spreads).

Phase 1: Confirm the Access Vector (0-15 minutes)

The triage objective is to determine how the attacker got in. Each vector produces different detection signals.

Scenario A — Phishing-Derived Access (T1566)

The attacker delivered malware or a credential harvesting page via email.

Signal | Where to Check | Confirmation
--- | --- | ---
User reported phishing | Ticket queue, email security gateway | User forwarded a suspicious email
Email gateway alert | Email security appliance logs | SPF/DKIM/DMARC failure, known-bad attachment hash, malicious URL
Malware execution from email | EDR or Sysmon — process tree | OUTLOOK.EXE → winword.exe → powershell.exe — macro execution
Credential harvest page visited | Proxy log or DNS log | User visited cloned login page domain after clicking email link

SPL query — find phishing execution chain (wildcards inside IN() are honored by the search command, not by where):

index=windows sourcetype="WinEventLog:Sysmon" EventCode=1
| search ParentImage="*OUTLOOK.EXE" OR ParentImage="*winword.exe" OR ParentImage="*excel.exe"
| search Image IN ("*powershell.exe", "*cmd.exe", "*wscript.exe", "*mshta.exe", "*regsvr32.exe")
| eval alert = "Phishing execution chain — " . Image . " spawned by " . ParentImage . " on " . Computer
| table _time, Computer, ParentImage, Image, CommandLine, User, alert

Scenario B — Drive-By Compromise (T1189)

The attacker compromised a website the user visited, delivering malware via a watering hole or malvertising.

Signal | Where to Check | Confirmation
--- | --- | ---
Browser exploit detection | EDR alert — process injection from browser process | Browser (chrome.exe, firefox.exe, msedge.exe) spawning suspicious child process
Suspicious download from visit | Proxy log or Sysmon Event ID 11 (monitored with Splunk) | File download from a legitimate-looking site that is compromised
User visited known-malicious URL | DNS or proxy log | User visited a domain with known watering hole activity
Unexpected browser extension | Browser management console or registry | Rogue extension with broad permissions

SPL query — drive-by execution chain:

index=windows sourcetype="WinEventLog:Sysmon" EventCode=1
| search ParentImage="*chrome.exe" OR ParentImage="*firefox.exe" OR ParentImage="*msedge.exe"
| search NOT (Image="*chrome.exe" OR Image="*firefox.exe" OR Image="*msedge.exe" OR Image="*chrd*")
| eval alert = "Browser spawning " . Image . " on " . Computer . " — possible drive-by compromise"
| table _time, Computer, ParentImage, Image, CommandLine, User, alert

Scenario C — Exploited Public-Facing Application (T1190)

The attacker exploited a vulnerability in a web application, VPN gateway, or other internet-facing service.

Signal | Where to Check | Confirmation
--- | --- | ---
WAF alert / IDS signature match | Web application firewall, IDS/IPS | Known CVE exploitation pattern detected
Unexpected process on web server | EDR on the web server | w3wp.exe or Apache/nginx process spawning a shell or script
Anomalous HTTP request | Web server logs | SQLi, SSRF, RCE probe, path traversal in URL parameters
Service account executes unusual command | Event ID 4688 — service account launching cmd/powershell | Web application service account is used for command execution

SPL query — web shell / application exploitation:

index=windows sourcetype="WinEventLog:Security" EventCode=4688
| search Computer IN (web_servers_list)
| search NewProcessName IN ("*powershell.exe", "*cmd.exe", "*wscript.exe", "*mshta.exe")
| eval alert = "Web server spawning " . NewProcessName . " — possible WAF bypass or web shell on " . Computer
| table _time, Computer, NewProcessName, CommandLine, SubjectUserName, alert
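The three process-tree rules from Scenarios A, B and C (Office, browser and web-server parents spawning interpreters) folded into one matcher that runs over constructed Sysmon Event ID 1 records. This is an added example, not the playbook's own code; the httpd.exe and nginx.exe parent names for the Apache/nginx case are assumed, and the hosts and paths are made up.

```python
def image_name(path):
    """Lowercase file name of a Windows image path, so matching ignores directory and case."""
    return path.rsplit("\\", 1)[-1].lower()

# Each rule names parents that should rarely spawn interpreters. "children" is a deny-list of
# suspicious child images; "benign_children" inverts it so any child other than the browser
# itself is flagged, which is what the drive-by query does.
RULES = {
    "Phishing execution chain": {
        "parents": {"outlook.exe", "winword.exe", "excel.exe"},
        "children": {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "regsvr32.exe"},
    },
    "Possible drive-by compromise": {
        "parents": {"chrome.exe", "firefox.exe", "msedge.exe"},
        "benign_children": {"chrome.exe", "firefox.exe", "msedge.exe"},
    },
    "Possible web shell": {
        "parents": {"w3wp.exe", "httpd.exe", "nginx.exe"},  # httpd/nginx image names are assumed
        "children": {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"},
    },
}

def match_rules(event):
    """Return the names of every rule this parent/child pair satisfies."""
    parent, child = image_name(event["ParentImage"]), image_name(event["Image"])
    hits = []
    for name, rule in RULES.items():
        if parent not in rule["parents"]:
            continue
        if child in rule.get("children", ()) or (
                "benign_children" in rule and child not in rule["benign_children"]):
            hits.append(name)
    return hits

def triage(events):
    """One alert line per matching rule, mirroring the eval alert= field in the SPL queries."""
    return [f"{name}: {image_name(e['Image'])} spawned by {image_name(e['ParentImage'])} on {e['Computer']}"
            for e in events for name in match_rules(e)]

EVENTS = [  # constructed Sysmon Event ID 1 records; hosts and paths are made up
    {"Computer": "WS-0142", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Computer": "WS-0142", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},  # browser self-spawn: benign
    {"Computer": "WS-0311", "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Image": r"C:\Users\asmith\AppData\Local\Temp\update.exe"},
    {"Computer": "WEB-01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "WS-0142", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]
```

Running `triage(EVENTS)` yields three alerts (phishing chain, drive-by, web shell); the Chrome self-spawn and the explorer.exe-launched cmd.exe are not flagged.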

Scenario D — External Remote Service Abuse (T1133)

The attacker gained access through a VPN, RDP gateway, or other remote access service using valid credentials (stolen or brute-forced).

Signal | Where to Check | Confirmation
--- | --- | ---
VPN login from unusual location | VPN appliance logs | User logged in from a country/IP they have never used before
RDP gateway access from unknown IP | RD Gateway logs | Remote desktop access from an unexpected IP or time
Password spray detection | Event ID 4625 across multiple accounts | Failed logins for many usernames from a single IP, followed by one success
MFA fatigue notifications | MFA provider logs — repeated push denials then approval | User accepted MFA after multiple pushes (MFA fatigue attack)

SPL query — impossible travel detection (this flags any source-IP change by the same user within an hour; add iplocation if you want to compare geographic distance):

index=vpn sourcetype=vpn_auth
| sort 0 user, _time
| streamstats current=false window=1 last(_time) as prev_time, last(src_ip) as prev_ip by user
| where isnotnull(prev_time)
| eval time_diff = _time - prev_time
| eval ip_distance = if(prev_ip != src_ip, 1, 0)
| where time_diff < 3600 AND ip_distance = 1
| eval alert = "IMPOSSIBLE TRAVEL — " . user . " logged in from " . prev_ip . " then " . src_ip . " within " . round(time_diff/60) . " minutes"
| table _time, user, prev_ip, src_ip, time_diff, alert
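The two Scenario D signals that need per-user or per-IP state, the impossible-travel comparison above and the password-spray pattern from the table, implemented over constructed VPN authentication records. This is an added example, not the playbook's own code; the record fields, user names and IP addresses are made up, and the records are deliberately out of order to show that sorting must happen first.

```python
from collections import defaultdict
from datetime import datetime, timezone

def ts(s):
    """Epoch seconds for a constructed ISO-8601 timestamp (treated as UTC)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc).timestamp()

# Constructed VPN authentication records, deliberately out of time order.
VPN_AUTH = [
    {"user": "jdoe", "_time": "2024-03-04T08:41:50", "src_ip": "198.51.100.77", "result": "success"},
    {"user": "asmith", "_time": "2024-03-04T07:55:00", "src_ip": "203.0.113.44", "result": "success"},
    {"user": "jdoe", "_time": "2024-03-04T08:02:11", "src_ip": "203.0.113.10", "result": "success"},
    {"user": "asmith", "_time": "2024-03-04T13:10:00", "src_ip": "198.51.100.5", "result": "success"},
    {"user": "bwong", "_time": "2024-03-04T09:00:00", "src_ip": "203.0.113.9", "result": "success"},
] + [  # five different usernames failing from one IP, then one success from that IP
    {"user": f"user{i}", "_time": f"2024-03-04T02:0{i}:00", "src_ip": "192.0.2.200", "result": "failure"}
    for i in range(5)
] + [{"user": "user4", "_time": "2024-03-04T02:09:00", "src_ip": "192.0.2.200", "result": "success"}]

def impossible_travel(records, window=3600):
    """Same logic as the streamstats query: compare each successful login with the
    user's previous one and flag a source-IP change inside `window` seconds.
    Records are sorted first; the first login per user has no predecessor and is skipped."""
    last, alerts = {}, []
    ok = [r for r in records if r["result"] == "success"]
    for r in sorted(ok, key=lambda r: (r["user"], ts(r["_time"]))):
        t, ip = ts(r["_time"]), r["src_ip"]
        if r["user"] in last:
            prev_t, prev_ip = last[r["user"]]
            if ip != prev_ip and t - prev_t < window:
                mins = round((t - prev_t) / 60)
                alerts.append(f"IMPOSSIBLE TRAVEL: {r['user']} logged in from {prev_ip} "
                              f"then {ip} within {mins} minutes")
        last[r["user"]] = (t, ip)
    return alerts

def password_spray(records, min_users=5):
    """Password-spray signal from the table: many distinct usernames failing from one
    source IP, then a success from that same IP. Returns (ip, user, failed_user_count)."""
    failed_users, hits = defaultdict(set), []
    for r in sorted(records, key=lambda r: ts(r["_time"])):
        if r["result"] == "failure":
            failed_users[r["src_ip"]].add(r["user"])
        elif len(failed_users[r["src_ip"]]) >= min_users:
            hits.append((r["src_ip"], r["user"], len(failed_users[r["src_ip"]])))
    return hits
```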

Phase 2: Immediate Containment (15-30 minutes)

Across All Vectors

  • Isolate the affected host — disable the network interface. Do not shut down.
  • Disable the compromised user account — especially if credentials were used for logon
  • Revoke active sessions — terminate RDP/VPN sessions for the affected user
  • Reset the user’s password — then require MFA re-enrollment

Vector-Specific Containment

Access Vector | Specific Actions
--- | ---
Phishing | Report the email domain/IP to email security vendor, add to blocklist. Check if other users received the same email.
Drive-by | Block the compromised domain in DNS/proxy. Check all users who visited the watering hole URL.
Web application exploit | Patch the vulnerability, apply WAF virtual patch, take the application offline if critical.
VPN/RDP abuse | Block the attacker’s source IP at the firewall, disable the compromised VPN user, force MFA re-enrollment.

Phase 3: Find the Full Scope (30-60 minutes)

Step 1 — Determine the Time of Initial Access

Pinpoint when the attacker first gained access. This is the most critical question — everything else depends on it.

Vector | How to Find the Time
--- | ---
Phishing | User clicked the link → proxy log timestamp. Or macro execution → Event ID 4688 or Sysmon Event ID 1
Drive-by | Browser history + download timestamp → Sysmon Event ID 11 or proxy log
Web exploit | Web server log — first instance of the exploit request
VPN/RDP | VPN appliance log — first successful authentication from the attacker IP

Step 2 — List All Affected Assets

  • Users: Who else received the phishing email? Who shares the same compromised password?
  • Hosts: What hosts did the attacker access? Check for Event ID 4624 with the compromised credentials on other hosts.
  • Credentials: What passwords were in use on the initial host? LSASS memory may have contained domain admin credentials.
  • Services: What service accounts run on the compromised host? Check for service account credential reuse.

Step 3 — Check for Persistence

The attacker likely established persistence before you detected them. Check these artifacts:

Persistence Mechanism | Detection Signal | Where to Check
--- | --- | ---
Scheduled tasks | Event ID 4698 — scheduled task created | Sysmon or Windows Security Log
Services | Event ID 7045 — new service installed | System Event Log
Registry Run keys | Sysmon Event ID 12/13 — registry modification | Sysmon logs
Startup folder | Sysmon Event ID 11 — file creation in Startup folder | Sysmon logs
SSH authorized_keys | New key added | Linux — ~/.ssh/authorized_keys
Web shell | Suspicious file in web root | Web server file system

Phase 4: Detection Query Reference

Find All Activity from a Compromised Host

Event ID 7045 is written to the System log, not the Security log, so both sourcetypes are searched:

index=windows (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:System") Computer="$HOSTNAME"
| eval event_type = case(
    EventCode=4624, "Logon - " . LogonType,
    EventCode=4688, "Process - " . NewProcessName,
    EventCode=4698, "Scheduled Task - " . TaskName,
    EventCode=7045, "Service Install - " . ServiceName,
    EventCode=4720, "New User - " . TargetUserName)
| where isnotnull(event_type)
| table _time, EventCode, event_type, SubjectUserName, Computer
| sort 0 _time

Find All Activity from a Compromised User

index=windows sourcetype="WinEventLog:Security" SubjectUserName="$USERNAME"
| bin _time span=1h
| stats values(Computer) as HostsAccessed, values(EventCode) as EventCodes, count by _time
| sort 0 _time
| eval alert = "Activity by " . "$USERNAME" . " — accessed " . mvcount(HostsAccessed) . " hosts"
| table _time, HostsAccessed, EventCodes, count, alert

Phase 5: Recovery and Hardening

Control | Phishing | Drive-by | Web Exploit | VPN/RDP
--- | --- | --- | --- | ---
MFA enforcement | ✅ Phishing-resistant MFA | | | ✅ Required for all VPN access
AppLocker / WDAC | ✅ Blocks unknown executables | ✅ Blocks drive-by downloads | ✅ Blocks web shells from executing | 
WAF + RASP | | | ✅ Blocks exploit payloads | 
Network segmentation | ✅ Limits blast radius | ✅ Limits blast radius | ✅ Segment web servers from internal | ✅ Segment VPN from internal
Conditional Access | | | | ✅ Block impossible travel, require compliant device
Email security | ✅ DMARC/DKIM/SPF, URL sandboxing | | | 