Joint Cybersecurity Advisory: Weak Security Controls and Practices Routinely Exploited for Initial Access [open pdf - 621KB]
From the Summary: "Cyber actors routinely exploit poor security configurations (either misconfigured or left unsecured), weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victims' system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues."
Joint Cybersecurity Advisory AA22-137A
U.S. Department of Defense: https://www.defense.gov/