Initial Access
Details
| ID | PT0003 |
| MITRE ATT&CK ID | TA0001 |
| Created | 2026-06-22 |
| Last Modified | 2026-06-22 |
| Contributors | slashsec |
| Version Permalink | Link |
Description
The adversary is trying to get into the targeted facility or controlled area.
Initial Access consists of techniques that use entry vectors to gain a foothold in a physical environment. Examples include tailgating, social engineering at access points, abuse of valid or default credentials, and bypassing or defeating perimeter controls.
Techniques
| ID | Name | Description |
|---|---|---|
| P0006 | Tailgate | Adversaries may follow authorized personnel through controlled entry points without presenting their own credentials. Tailgating exploits courtesy holds, distraction, or high-traffic periods when doors and turnstiles remain open. |
| P0007 | Social Engineering | Adversaries may manipulate people to obtain access, information, or assistance at a target facility. This includes impersonation, authority appeals, urgency, and other influence tactics at entry points, reception areas, or during escorted movement. |
| P0007.001 | Exploit Business Process | Adversaries may exploit missing, ambiguous, or unenforced business processes to gain access or avoid scrutiny. Weak processes for visitor handling, deliveries, escorts, after-hours access, and contractor workflows can be abused through pretext, policy gaps, or inconsistent enforcement. |
| P0007.002 | Impersonate Staff or Vendor | Adversaries may present themselves as employees, contractors, or vendor personnel to appear legitimate during entry and movement. Impersonation pairs with dress, tools, and behavior expected for the claimed role. |
| P0007.003 | Pose as Visitor or Guest | Adversaries may act as visitors, interview candidates, guests, or event attendees to blend with normal foot traffic. Visitor pretexts often face lighter challenge at reception when appearance and behavior match expected patterns. |
| P0007.004 | Employ Pretext in Conversation | Adversaries may use a prepared cover story when interacting with staff, security, or reception during operations. Consistent pretext in conversation reinforces legitimacy and deflects casual questions about purpose or destination. |
| P0007.005 | Wear Cover Dress | Adversaries may wear clothing, uniforms, PPE, or accessories that match expected roles at the facility during live operations. Cover dress reduces scrutiny compared to out-of-place attire and supports blending with staff, vendors, or visitors. |
| P0007.006 | Employ Pretext via Phone Calls | Adversaries may use a prepared cover story during phone calls to staff, security, reception, or help desks to obtain information or assistance without physical presence at the facility. Phone pretexts can elicit facility details, access procedures, or identities useful for planning and later tactics. |
| P0007.007 | Employ Pretext via Email | Adversaries may use a prepared cover story in email to staff, contractors, or shared mailboxes to obtain information or assistance without physical presence at the facility. Email pretexts can request layouts, visitor procedures, or organizational details that support planning and later tactics. |
| P0008 | Valid Credentials | Adversaries may use legitimate or previously valid credentials to enter controlled areas. This includes badges, keys, PINs, biometric enrollments, or access cards obtained through theft, sharing, cloning, or insider assistance. |
| P0009 | Bypass Physical Access Controls | Adversaries may circumvent physical access controls without exploiting a specific design flaw. Bypass methods defeat or avoid locks, doors, windows, and perimeter barriers through force, manipulation, or alternate paths. |
| P0009.001 | Bypass Window | Adversaries may bypass window-based physical barriers to enter a facility or controlled area. This includes breaking glass, defeating latches, removing panes, or using unsecured or operable windows as entry points. |
| P0009.002 | Bypass Door | Adversaries may bypass door-based access controls to enter restricted areas. This includes lock picking, shimming, forcing doors, removing hinge pins, or exploiting gaps in door hardware (for example, under-the-door tools). |
| P0009.003 | Bypass Perimeter Controls | Adversaries may bypass perimeter security controls such as fencing, gates, bollards, or vehicle barriers. Methods include cutting, climbing, lifting, wedging, or using unmanned access points along the facility boundary. |
| P0010 | Exploit Physical Access Weaknesses | Adversaries may take advantage of misconfigurations, poor maintenance, or unintended gaps in physical security. Exploitation targets weaknesses such as unsecured perimeter controls or openings left unrestricted. |
| P0010.001 | Exploit Perimeter Controls | Adversaries may exploit weaknesses in perimeter controls such as gaps in fencing, inoperative sensors, misaligned gates, or schedules that leave boundaries unmonitored. Exploitation uses the control failure rather than direct force against the barrier. |
| P0010.002 | Exploit Unrestricted Opening | Adversaries may exploit doors, windows, loading docks, or other openings left unlocked, propped open, or without required access controls. Unrestricted openings allow entry without defeating hardware or credentials. |
| P0010.003 | Exploit Request-to-Exit Sensor | Adversaries may exploit request-to-exit sensors that unlock doors from the secure side without credential validation. Triggering motion detectors, pressure mats, or push plates from outside the controlled area can unlock secured doors without valid credentials. |
| P0038 | Manipulate Electronic Access Control | Adversaries may tamper with electronic access hardware such as card readers, PIN pads, and electronic locks, or related wiring and controllers, to bypass, spoof, capture credentials, or hold access in an open state. Manipulated controls can enable initial entry, credential theft, movement between zones, or covert re-entry without valid credentials while appearing operational. |
| P0038.001 | Implant Covert Capture Device | Adversaries may install concealed hardware inside or behind card readers and PIN pads to intercept credential data passed to access controllers. Implants may sit inline on reader wiring or within the enclosure, capturing badge reads and PIN entry for later use while leaving the device outwardly functional. |