RT0x01 Red Teaming Initial Access

Update :)

I’ve been so inactive on social media lately, and meanwhile everything changed. But what the hell was that, bro? Have you all seen the news? 47 0-days at Pwn2Own. Absolutely crazy.

Moments like these remind you why you should never stop grinding. At the same time, it’s insanely motivating seeing how far the security world keeps pushing.

Sorry for not keeping the blog updated. I was busy with some AI pentesting research, spending time on MMA, and handling a few other things in life. But now that I’m back, it’s going to be full-focus hacking mode again.

Hopefully, I’ll continue this Red Teaming / RT series properly, and I’m also planning to upload attack demonstrations and red teaming videos on my new YouTube channel:

YouTube Channel - ntrunr

(Yeah… new channel.) Already crossed 10+ subs. Let’s goo.

Introduction

What is Initial Access According to MITRE?

Initial Access means:

The adversary is trying to get into your network.

In the MITRE ATT&CK Framework, Initial Access is assigned the tactic ID TA0001, which makes perfect sense because this is the very first phase where the attacker gains a foothold inside the target environment.

You probably already know how Initial Access works, so I’m not going to turn this into a whitepaper with massive theory dumps. This is a blog, not a documentation portal.

If you want the official MITRE explanation and all the techniques, check it out here:

MITRE ATT&CK - Initial Access (TA0001)

In this blog, we’ll focus more on the practical side — how attackers actually get into systems and how to think like a real red teamer during that process.

I’ll also talk about why I personally think bug bounty hunters are insanely dangerous when it comes to truly breaking systems and thinking like real attackers. Most red teamers simulate attacks, but bug bounty hunters constantly chase one thing:

Impact.

And trust me… the word Impact alone shakes the nerves of every serious bug bounty hunter.

All the Ways to Get In

There are a lot of ways to gain Initial Access into a target environment, and honestly, it all depends on two things:

• Your target
• Your skill set

And when I say a lot, I really mean it.

Common Initial Access Techniques

• Phishing
• Spearphishing Attachment
• Spearphishing Link
• Spearphishing via Service
• Exploit Public-Facing Application
• Valid Accounts
• Drive-by Compromise
• Supply Chain Compromise
• External Remote Services
• Trusted Relationship
• Hardware Additions
• Replication Through Removable Media
• Cloud-Based Initial Access
• Social Engineering
• Wireless Attacks
• Insider Threat
• Third-Party Software Compromise
• OAuth Abuse
• Identity Provider Abuse
• DNS/Domain Compromise
• Mobile Device Compromise
• IoT Device Exploitation
• VPN Exploitation
• Credential Stuffing
• Password Spraying
• MFA Fatigue
• Token Theft
• Session Hijacking
• Browser Exploitation
• Watering Hole Attacks
• Malvertising
• Rogue Access Point Attacks
• Evil Twin Attacks
• USB Drop Attacks
• CI/CD Pipeline Compromise
• Kubernetes Exposure
• Container Escape for Initial Access
• Exposed Administrative Interfaces
• Default Credential Abuse
• Public Cloud Misconfiguration Abuse
• API Exploitation
• File Upload Exploitation
• SSRF-Based Initial Access
• Deserialization Exploitation
• Authentication Bypass
• RCE Exploitation
• Subdomain Takeover
• Registrar Compromise
• Deepfake Social Engineering
• QR Phishing
• Callback Phishing
• Helpdesk Impersonation
• OAuth Consent Grant Attacks
• SAML Abuse
• Golden SAML
• Browser Extension Malware
• Malicious Package Injection
• Dependency Confusion
• Typosquatting Packages

See? That’s a massive list already.

Now the real question is:

Do you need to know every single one of these techniques?

The answer is both yes and no.

You probably already know half of these terms, even if you don’t realize it yet. But the cybersecurity world changes fast, and now with AI, blogs, research papers, GitHub, and public write-ups, learning has become almost 10x faster than before.

The important thing is not memorizing every technique like a robot.

The important thing is understanding:

• How attackers think
• Why a technique works
• Where it becomes effective
• What kind of targets are vulnerable to it
• And how to adapt during an engagement

In this blog, we’ll focus on some of the most important and practical Initial Access techniques from a red teamer’s perspective. Later on, I’ll also share resources so you can build your own methodology and go deeper into the areas that interest you the most.

1. Phishing (The Boss)

Now it’s time to get our hands dirty.

Phishing is probably the one attack technique that everyone knows about — from corporate employees to even your grandma:

“Don’t click suspicious links.” “Don’t enter your password into untrusted websites.”

And yet, despite all the awareness training, phishing is still responsible for a massive percentage of real-world compromises.

So the real question is:

Why does phishing still work so well?

I went really deep into this question myself, and honestly, it mostly comes down to two things:

• Attacker creativity
• Environment manipulation

A phishing attack is not just about sending a fake login page.

It’s about creating a believable emotional, social, or psychological environment where the victim reacts before thinking.

For example:

If your mother suddenly calls and says she hit a car and urgently needs money, you probably won’t sit there performing threat analysis. You’ll react emotionally first.

That’s exactly what phishing abuses.

This is where social engineering + phishing becomes dangerous:

Hack the human, and the machine gets hacked automatically.

---

Crafting a Realistic Phishing Campaign

Now the real challenge begins:

How do you create a phishing campaign that people actually fall for without immediately triggering alarms?

According to me, good phishing requires a huge amount of planning.

For example:

Instead of randomly targeting employees, a better strategy is often targeting:

• HR
• Managers
• Executives
• Finance personnel
• IT administrators

Why?

Because compromising a higher-level employee gives you leverage over the rest of the organization.

If you compromise a manager’s email account, suddenly your phishing emails become internally trusted.

Now you can target:

• Developers
• Engineers
• Security teams
• Even defenders themselves

And yes…

Defenders can fall for phishing too.

---

Recon Comes First

If we follow the Cyber Kill Chain mindset, by this stage you should already have gathered:

• Employee emails
• Organizational structure
• Technologies used
• Internal workflows
• Third-party vendors
• Cloud services
• Communication platforms

Use tools like:

• Hunter.io
• LinkedIn scraping
• Custom OSINT tooling
• Web scrapers
• Public GitHub leaks
• Metadata collection

Personally, I believe every serious red teamer should build their own OSINT tooling and let it continuously collect data over time.

---

My Phishing Formula

If you want to create a strong phishing campaign, the formula I use is:

Phishing = OSINT + Social Engineering + Decoy + Payload

Or mathematically:

P(t) = f(O, S, D, L)

P = Phishing Campaign
O = OSINT
S = Social Engineering
D = Decoy
L = Payload / Link / Executable

I’m honestly a huge fan of the MITRE ATT&CK mindset, so I like modeling attacks this way.

---

Payloads Matter Too

A phishing campaign is useless if your payload strategy is weak.

One technique I personally like is DLL hijacking because:

• It is practical
• Often overlooked
• Frequently works in enterprise environments
• Many applications load DLLs insecurely during startup

A lot of corporate systems auto-launch software like Microsoft Teams at startup, and insecure DLL search paths can sometimes be abused during that process.

I’m not going to explain payload creation here because that belongs in the payload development section later.

But what I will say is:

Good recon matters here too.

While studying real-world incidents involving companies like Sony and Acer, I noticed many applications still reference unwanted or insecure paths that attackers may abuse.

If you run:

echo %PATH%

And you see random programming language paths or insecure writable directories appearing before secure system locations like System32, congratulations…

You may already be exposed to DLL hijacking risks.

Create the DLL.

Prepare execution.

Choose the target location.

---

Modern Phishing Is More Than Fake Login Pages

A phishing attack is not limited to credential harvesting anymore.

Modern phishing campaigns may deliver:

• Malware
• Ransomware
• Loaders
• DLL hijacking setups
• LNK execution chains
• HTA/MSI payloads
• Office macro droppers

---

Bad Phishing vs Realistic Phishing

Would you fall for something like this?

Probably not.

Now compare that to something more realistic with proper social engineering and believable warnings:

The difference is massive.

The first one screams “scam.”

The second one creates urgency, authority, and trust manipulation.

That’s the real art of phishing.

---

MITRE ATT&CK and Phishing

According to the MITRE ATT&CK Framework:

“Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering.”

Official MITRE phishing categories include:

• Spearphishing Attachment
• Spearphishing Link
• Spearphishing via Service
• Spearphishing Voice

But honestly, in the real APT world, phishing goes way beyond those categories.

---

1. Email-Based Phishing

Bulk Phishing
Spearphishing
Whaling
BEC (Business Email Compromise)
Thread Hijacking
Conversation Hijacking
Vendor Email Compromise
Payroll Phishing
Invoice Phishing
OAuth Consent Phishing
MFA Fatigue + Phishing Combo
Attachment-based Phishing
Link-based Phishing
HTML Smuggling
QR Phishing (Quishing)
Calendar Invite Phishing

---

2. Credential Harvesting

Fake Login Portals
SSO Phishing
Reverse Proxy Phishing
Adversary-in-the-Middle (AiTM)
Token Theft Phishing
Session Cookie Theft
Browser-in-the-Browser (BitB)
CAPTCHA Phishing
Cloud Service Impersonation

---

3. Payload Delivery

Macro Documents
LNK Payloads
ISO/VHD Payloads
OneNote Payloads
CHM Payloads
HTML Smuggling Payloads
PDF Lure Payloads
Executable Masquerading
DLL Side-Loading Delivery
Signed Malware Delivery

---

4. Messaging & Communication Phishing

Smishing (SMS)
Vishing (Voice)
Teams/Slack/Discord Phishing
WhatsApp Phishing
Telegram Impersonation
Social Media DM Phishing
LinkedIn Recruitment Phishing
QR-Based Messaging Phishing

---

5. Infrastructure & Delivery Tricks

Typosquatting Domains
Homoglyph Domains
Subdomain Takeover Lures
Open Redirect Abuse
URL Shortener Abuse
Cloudflare Tunnel Delivery
Trusted Service Abuse
Google Docs / OneDrive Abuse
Dropbox Delivery
GitHub Release Delivery
CDN-Based Payload Hosting

---

6. Advanced APT-Style Phishing

Multi-Stage Phishing
OSINT-Driven Personalized Lures
Deepfake Voice Phishing
Deepfake Video Meetings
Physical + Digital Combo
USB Drop Campaigns
QR-to-Phishing Chains
Device Code Phishing
OAuth App Impersonation
MFA Relay Attacks
Evilginx-style AiTM

Honestly, these are just the categories I could think of and collect.

I even asked LLM for phishing categories and somehow it kept pulling data from Mitre again and again.

---

Choosing the Right Target Path

At the end of the day, phishing is about objectives.

Before launching a campaign, ask yourself:

• What is the goal?
• Initial access?
• Credential theft?
• Persistence?
• Internal pivoting?
• Payload execution?
• Cloud compromise?

Then decide:

• Which path gives the highest success probability?
• Which users are most vulnerable?
• Which infrastructure looks believable?
• What backup plans exist if the first approach fails?

If I had to prioritize high value enterprise targets right now, I’d probably think in this order:

Executive Targeting
> Finance Department Targeting
> HR Recruitment Targeting
> IT Helpdesk Impersonation
> Developer Targeting
> SOC Analyst Targeting
> Third-Party Vendor Targeting

---

Final Thoughts

There’s honestly way more to phishing than what I covered here.

I could probably talk about phishing all day long.

And now with AI agents everywhere, the future becomes even more interesting because:

AI loves clicking links too.

But that discussion deserves its own section.

This blog already turned into a phishing deep dive so let’s move into the next Initial Access category and today is sunday so I want to sleep.

2. Drive-by Compromise

This one is honestly scary because the victim sometimes does absolutely nothing except visiting a website.

That’s it.

No payload download popup. No obvious malware installer. No “please run this file.” Just opening a webpage can sometimes be enough.

This is what makes Drive-by Compromise such a dangerous Initial Access technique.

According to the MITRE ATT&CK Framework, Drive-by Compromise is when an attacker compromises a website and uses it to infect visitors automatically or semi-automatically.

And the funniest part?

Most people still think:

“If I don’t download anything, I’m safe.”

Yeah… not really.

---

How Does It Actually Work?

The basic idea is simple:

Victim Visits Website
        ↓
Malicious Script Executes
        ↓
Browser / Plugin / Extension Vulnerability Triggered
        ↓
Payload Delivery or Session Compromise

Sometimes the attack abuses:

• Browser vulnerabilities
• JavaScript execution
• Malicious ads
• Third-party scripts
• Browser extensions
• Fake software updates
• Watering hole attacks
• Drive-by download chains

The victim may not even realize something happened.

---

Watering Hole Attacks

This is where things become really interesting.

Instead of targeting the victim directly, attackers compromise websites that the target already trusts.

For example:

• Internal employee portals
• Industry forums
• Developer communities
• Government sites
• Vendor dashboards
• Gaming forums
• Crypto tools
• Niche research websites

Now imagine a red team knows that developers inside a company constantly visit a specific documentation website.

Instead of attacking the company directly…

Why not compromise the documentation site itself?

That’s the mindset.

---

Browser = Attack Surface

People massively underestimate browsers.

Modern browsers basically became operating systems themselves.

Think about what lives inside your browser:

• Saved passwords
• Session tokens
• Cookies
• OAuth sessions
• Cloud dashboards
• Extensions
• Developer tools
• Internal applications

Compromising the browser can sometimes be more valuable than compromising the machine itself.

Especially in cloud-heavy environments.

---

Malvertising

Another classic.

Attackers buy or abuse advertisement networks to inject malicious code into ads.

So now users get compromised while browsing completely legitimate websites.

And yes…

This has happened many times in the real world.

The website itself may not even be hacked.

The ad network becomes the attack vector.

---

Fake Updates (Still Works…)

One thing I learned:

Never underestimate fake update pages.

Seriously.

Fake:

• Chrome updates
• Zoom updates
• Teams updates
• VPN updates
• Browser codec installs

Still work surprisingly well in many environments.

Why?

Because users are trained to constantly install updates.

Attackers abuse that behavior.

---

The Real Goal

A Drive-by Compromise is rarely “just malware.”

Usually the attacker wants something bigger:

• Initial access
• Session hijacking
• Browser token theft
• Cloud compromise
• Persistence
• Internal pivoting
• Credential harvesting

And sometimes the victim never even notices where it started.

---

Red Team Mindset

If you think like a red teamer, the question becomes:

What websites does the target trust enough to lower their guard?

That single question changes everything.

Because in real-world operations:

Trust is often the real vulnerability.

---

3. Exploit Public-Facing Application

Now this…

This is where bug bounty hunters become absolute monsters.

According to the MITRE ATT&CK Framework, Exploit Public-Facing Application means attackers exploit vulnerabilities in internet-facing applications to gain access into the target environment.

And honestly?

This is one of the most dangerous Initial Access vectors in the real world because companies must expose applications to the internet.

You cannot run a modern company without:

• Web applications
• APIs
• VPN portals
• Cloud dashboards
• Authentication systems
• Admin panels
• Mobile backends
• Third-party integrations

And every exposed service becomes an attack surface.

---

Why This Attack Vector Is So Powerful

The biggest advantage here is simple:

The attacker does not need user interaction.

No phishing. No social engineering. No convincing the victim.

If the application is vulnerable, the attacker can directly attack the infrastructure itself.

That’s why vulnerabilities like:

• RCE
• SSRF
• Authentication bypass
• File upload bugs
• Deserialization
• SQL Injection
• Path traversal
• API misconfigurations

Lets have a look at BC VRT

Become insanely dangerous in real-world environments.

One bug can become:

Internet
    ↓
Public Application
    ↓
Initial Access
    ↓
Internal Network
    ↓
Domain Compromise

And yes…

That escalation happens more often than people think.

---

Why Bug Bounty Hunters Are Dangerous Here

This is exactly why I keep saying:

Bug bounty hunters are built differently when it comes to attacking applications.

Because bug bounty hunters spend years doing one thing:

Finding weird behavior
        +
Chaining vulnerabilities
        +
Thinking about impact

That mindset becomes extremely dangerous.

A traditional pentest sometimes focuses on:

• Following checklists
• Reporting standard findings
• Simulating realistic boundaries

But bug bounty hunters?

They constantly ask:

“What happens if I abuse this in a completely unintended way?”

That single question creates chaos.

---

The “Impact” Mentality

One thing I noticed after reading hundreds of bug bounty writeups:

Bug bounty hunters are obsessed with Impact.

And honestly, they should be.

Because a small-looking vulnerability can sometimes become catastrophic when chained correctly.

For example:

SSRF
    +
Internal Metadata Access
    +
Cloud Credentials
    +
Privilege Escalation
    =
Full Cloud Compromise

Or:

File Upload
    +
Path Traversal
    +
Misconfigured Execution
    =
Remote Code Execution

This is why public-facing applications are so dangerous.

Attackers do not think in isolated bugs.

They think in chains.

---

Real Red Team Thinking

When attacking a public-facing application, a real attacker usually asks:

• What is exposed?
• What should not be exposed?
• What trusts this application?
• Does it connect internally?
• Does it talk to cloud services?
• Are there hidden admin panels?
• Are APIs leaking data?
• Can functionality be abused logically?
• Can I pivot from this system?

That’s where the real game starts.

---

Recon Changes Everything

Most successful exploitation does not begin with exploitation.

It begins with recon.

A good attacker will spend days or even weeks collecting:

• Subdomains
• Historical endpoints
• JavaScript files
• API routes
• Mobile application traffic
• Archived URLs
• Cloud buckets
• Internal references
• GitHub leaks
• Technology fingerprints

Sometimes the actual vulnerability is found in minutes.

The hard part is finding the attack surface.

---

Modern Attack Surface Is Massive

Today’s applications are no longer simple PHP websites.

Modern environments contain:

• Microservices
• Kubernetes
• APIs
• Serverless functions
• OAuth flows
• SSO integrations
• CI/CD pipelines
• AI integrations
• Cloud storage systems
• Edge services

And every integration creates another possible entry point.

---

The Attacker Advantage

Defenders must secure everything.

Attackers only need one mistake.

That’s why public-facing applications remain one of the strongest Initial Access vectors in existence.

Especially when the attacker understands:

• Web security
• Cloud environments
• Business logic abuse
• Authentication systems
• API behavior
• Infrastructure design

And this is exactly why elite bug bounty hunters are terrifying.

Because they don’t just test applications.

They study how systems behave under abuse.

---

Final Thoughts

If phishing is the art of hacking humans…

Then exploiting public-facing applications is the art of hacking architecture itself.

And trust me:

The deeper you go into web exploitation, the more you realize that modern applications are basically giant interconnected trust systems waiting to be abused.

Closing Note

I know there are still a lot of Initial Access techniques that I did not fully cover in this blog.

And honestly… that was intentional.

The reason is simple: I love going deep into topics. I don’t like just throwing definitions, buzzwords, or surface-level explanations and calling it learning. That has never really been my style.

Most of these techniques deserve:

• Practical demonstrations
• Infrastructure setup
• OPSEC considerations and Detection evasion

And without actually showing the practical side through videos, labs, demos, or walkthroughs it becomes really hard to explain them properly. but I have set up my home lab so we can have some fun.

Some attack chains only make sense when you actually see them happening.

That’s why instead of trying to cram 50 techniques into one giant blog, I wanted to focus more on the mindset behind Initial Access:

I’ll probably go deeper into many of these topics later through:

• Dedicated blogs
• Videos
• Labs
• Payload development walkthroughs
• Red team simulations
• Research notes

Because trust me…

Some of these techniques deserve entire series on their own.

Also, with AI, cloud infrastructure, identity attacks, and modern phishing evolving so fast, Initial Access is becoming even crazier than before. The attack surface is growing every single day.

Anyway, hopefully this blog gave you a better understanding of how real attackers and red teamers think during the Initial Access phase.

And remember:

Initial Access is not just about getting into a system.

It’s about understanding trust well enough to break it.

also if you hack for living please join Netrunners Discord Server : https://discord.gg/WyPuBvPD3Z

or just send me DM at : ntrunr

References

MITRE ATT&CK & Threat Intelligence

• MITRE ATT&CK - Initial Access (TA0001)
• MITRE ATT&CK Framework
• MITRE ATT&CK - Phishing (T1566)
• MITRE ATT&CK - Drive-by Compromise (T1189)
• MITRE ATT&CK - Exploit Public-Facing Application (T1190)
• MITRE ATT&CK - Valid Accounts (T1078)
• MITRE ATT&CK - External Remote Services (T1133)

---

Phishing & Social Engineering

• OWASP - OSINT & Phishing Presentation
• The Human Factor in Social Engineering
• Google - Protecting Against Phishing
• Microsoft Security - Phishing Attacks

---

Red Teaming & Adversary Simulation

• Red Team Field Manual (RTFM)
• The Hacker Playbook 3
• SpecterOps Blog
• Red Canary Threat Detection Reports
• Mandiant Threat Intelligence Blog

---

Web Exploitation & Bug Bounty

• PortSwigger Web Security Academy
• OWASP Web Security Testing Guide
• HackerOne Hacktivity
• Bugcrowd VRT (Vulnerability Rating Taxonomy)
• PayloadsAllTheThings
• HackTricks

---

OSINT & Reconnaissance

• SpiderFoot
• Maltego
• theHarvester
• Amass
• Recon-ng

---

Cloud & Identity Attacks

• Microsoft - OAuth Attacks Explained
• AWS Security Best Practices
• Google Cloud Security Documentation
• Azure Security Documentation

---

Malware Development & Tradecraft Research

• LOLBAS Project
• Unprotect Project
• VX Underground
• Malware Traffic Analysis
• Any.Run Interactive Sandbox

---

Learning Platforms

• Hack The Box
• TryHackMe
• PentesterLab
• CRTO - Certified Red Team Operator

• PortSwigger Academy Labs