ctipilot.ch

ATT&CK coverage matrix

Every technique this pipeline has evidence for, on the full MITRE ATT&CK Enterprise matrix. Mappings are derived from published entries only — an entity or CVE maps a technique exactly when a published entry ties them together. Pick entities below to compare their TTP overlap the way an ATT&CK Navigator layer would show it.

Pinned dataset: MITRE ATT&CK Enterprise v19.1 (upstream 2026-05-12) · 237 of 697 active techniques covered (119 of 222 parent · 118 sub) · 325 entities with mappings · updated via tools/attack_data.py · definitions © The MITRE Corporation

Cell shading = published-entry coverage of the technique or its sub-techniques (1 · 2–3 · 4–7 · 8+). ▸ marks covered/total sub-techniques. Click a cell for definition and evidence.

Covered techniques — definitions & evidence

Reconnaissance TA0043

T1590Gather Victim Network Information×2

Adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.

JDY botnet ×1

Evidence: 2026-06-23/elastic-shows-how-the-newly-ga-azure-ad-graph-activity-logs · 2026-06-11/black-lotus-labs-the-volt-typhoon-linked-jdy-botnet-doubles · ATT&CK page ↗

T1593Search Open Websites/Domains×1

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.

Mini Shai-Hulud ×1 TeamPCP ×1

Evidence: 2026-05-13/mini-shai-hulud-s-github-actions-pwn-request-oidc-token-thef · ATT&CK page ↗

T1595Active Scanning×1

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.

AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 QNAP Malware Remover code injection (fixed 6.6.8.20251023) — AryStinger NAS access vector ×1

Evidence: 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · ATT&CK page ↗

T1595.002Active Scanning: Vulnerability Scanning×1

Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.

JDY botnet ×1

Evidence: 2026-06-11/black-lotus-labs-the-volt-typhoon-linked-jdy-botnet-doubles · ATT&CK page ↗

T1598Phishing for Information×1

Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.

Evidence: 2026-05-31/signal-support-impersonation-phishing-harvests-cloud-backup · ATT&CK page ↗

T1598.003Phishing for Information: Spearphishing Link×3

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.

Screening Serpens ×1 Security-tool impersonation TDS campaign ×1

Evidence: 2026-06-27/fbi-cisa-russian-intelligence-now-phishing-signal-backup-rec · 2026-06-22/ebanking-phishing-hides-its-landing-page-address-in-ipv4-map · 2026-05-27/nimbus-manticore-unc1549-screening-serpens-check-point-detai · ATT&CK page ↗

Resource Development TA0042

T1583.001Acquire Infrastructure: Domains×2

Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.

GemStuffer ×1 Mini Shai-Hulud ×1 Qilin ×1 TeamPCP ×1

Evidence: 2026-05-14/gemstuffer-rubygems-weaponised-as-a-one-way-exfiltration-cha · 2026-05-13/mini-shai-hulud-s-github-actions-pwn-request-oidc-token-thef · ATT&CK page ↗

T1584Compromise Infrastructure×1

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle. Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.

Booking.com-fed hotel phishing (CH) ×1 Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×1 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×1 Ivanti EPMM remote authenticated → administrative-access via improper access control (CVSS 8.8, May 2026 update) ×1 Ivanti EPMM unauthenticated arbitrary method invocation (CVSS 7.0, May 2026 update) ×1 Ivanti EPMM — fourth companion CVE in May 2026 EPMM update (high-severity per BleepingComputer / SecurityWeek) ×1

Evidence: 2026-05-04/cve-2026-6973-cve-2026-5787-ivanti-epmm-on-prem-pre-auth-cha · ATT&CK page ↗

T1584.005Compromise Infrastructure: Botnet×1

Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).

JDY botnet ×1

Evidence: 2026-06-11/black-lotus-labs-the-volt-typhoon-linked-jdy-botnet-doubles · ATT&CK page ↗

T1584.007Compromise Infrastructure: Serverless×2
T1586.002Compromise Accounts: Email Accounts×1

Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct Phishing for Information, Phishing, or large-scale spam email campaigns. Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship with, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: Domains).

PDAG email-account compromise ×1

Evidence: 2026-07-09/pdag-aargau-email-account-compromise-spam-relay · ATT&CK page ↗

T1608.006Stage Capabilities: SEO Poisoning×1

Adversaries may poison mechanisms that influence search engine optimization (SEO) to further lure staged capabilities towards potential victims. Search engines typically display results to users based on purchased ads as well as the site’s ranking/score/reputation calculated by their web crawlers and algorithms.

Akira ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1

Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · ATT&CK page ↗

T1650Acquire Access×1

Adversaries may purchase or otherwise acquire an existing access to a target system or network. A variety of online services and initial access broker networks are available to sell access to previously compromised systems. In some cases, adversary groups may form partnerships to share compromised systems with each other.

Mini Shai-Hulud ×1 TeamPCP ×1

Evidence: 2026-05-22/teampcp-mini-shai-hulud-unit-42-and-stepsecurity-confirm-sls · ATT&CK page ↗

Initial Access TA0001

T1078Valid Accounts×45

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Booking.com-fed hotel phishing (CH) ×9 Akira ×3 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×3 FortiBleed ×2 Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×2 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×2 Qilin ×2 ShinyHunters ×2 +52 more

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-07-05/kairos-data-theft-extortion-case-us-county-govt-1m-payout · 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce +40 more · ATT&CK page ↗

T1078.001Valid Accounts: Default Accounts×4

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.

Booking.com-fed hotel phishing (CH) ×2 Akira ×1 Akira kill-chain reconstruction (SANS ISC) ×1 Gitea Docker reverse-proxy trust-all auth bypass (X-WEBAUTH-USER impersonation) ×1 SEPPmail appliance management — information disclosure (CVSS 6.9) ×1 SEPPmail appliance management — LFI and arbitrary file deletion (CVSS 8.8) ×1 SEPPmail GINAv2 — insecure deserialisation via session cookie → RCE (CVSS 9.2) ×1 SEPPmail GINAv2 — missing authentication in admin REST API (CVSS 9.3) ×1 +2 more

Evidence: 2026-06-23/cve-2026-20896-gitea-docker-trust-all-reverse-proxy-default · 2026-05-28/sans-isc-akira-ransomware-kill-chain-reconstructed-entirely · 2026-05-09/seppmail-secure-email-gateway-cvss-9-3-unauthenticated-rce-c · 2026-05-04/cve-2026-44128-et-al-seppmail-secure-email-gateway-six-cve-c · ATT&CK page ↗

T1078.002Valid Accounts: Domain Accounts×1

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.

Akira ×1 SonicWall SonicOS improper access control (mgmt + SSLVPN, Gen 5/6/7) — Akira/Fog ransomware on-ramp ×1

Evidence: 2026-06-23/sonicwall-cve-2024-40766-why-patched-firewalls-keep-falling · ATT&CK page ↗

T1078.004Valid Accounts: Cloud Accounts×26

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

ShinyHunters ×4 Mini Shai-Hulud ×3 TeamPCP ×3 Booking.com-fed hotel phishing (CH) ×2 Entra Agent ID OBO abuse ×2 'Ghost in the Database' ADFS key recovery ×1 888 ×1 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×1 +27 more

Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · 2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery · 2026-07-08/accenture-confirms-data-theft-888-azure-devops-claim · 2026-06-29/gogs-cve-2026-52806-moves-from-no-observed-exploitation-to-a · 2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede +21 more · ATT&CK page ↗

T1091Replication Through Removable Media×1

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.

Gamaredon ×1

Evidence: 2026-06-01/gamaredon-gammaphish-gammaworm-ntfs-ads-usb-gammasteel-s3-ex · ATT&CK page ↗

T1133External Remote Services×12

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.

Akira ×5 Groupe 3R ransomware breach ×2 Akira kill-chain reconstruction (SANS ISC) ×1 AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Dragos Q1 2026 Industrial Ransomware Analysis ×1 GREYVIBE ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 +7 more

Evidence: 2026-07-03/cve-2026-13368-watchguard-fireware-iked-pre-auth-rce · 2026-06-23/sonicwall-cve-2024-40766-why-patched-firewalls-keep-falling · 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-21/prinz-eugen-a-go-based-encryptor-that-targets-recent-files-f · 2026-06-10/dragos-q1-2026-industrial-ransomware-analysis-1-020-industri +7 more · ATT&CK page ↗

T1189Drive-by Compromise×4
T1190Exploit Public-Facing Application×91
T1195Supply Chain Compromise×12
T1195.001Supply Chain Compromise: Compromise Software Dependencies and Development Tools×7

Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications, such as pip and NPM packages, may be targeted as a means to add malicious code to users of the dependency. This may also include abandoned packages, which in some cases could be re-registered by threat actors after being removed by adversaries. Adversaries may also employ "typosquatting" or name-confusion by choosing names similar to existing popular libraries or packages in order to deceive a user.

TrapDoor ×1 UNK_DeadDrop ×1

Evidence: 2026-06-30/hijacked-npm-and-go-packages-weaponise-vs-code-s-folderopen · 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · 2026-06-24/postcss-npm-typosquats-deliver-a-nuitka-compiled-python-rat · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-06-18/15-malicious-jetbrains-marketplace-plugins-exfiltrate-ai-pro +2 more · ATT&CK page ↗

T1195.002Supply Chain Compromise: Compromise Software Supply Chain×30

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

TeamPCP ×7 Mini Shai-Hulud ×4 IronWorm ×2 Living Off the Pipeline ×2 PCPJack ×2 TrapDoor ×2 actions-cool/issues-helper compromise ×1 Atomic Arch ×1 +21 more

Evidence: 2026-07-09/git-signature-malleability-github-verified-commit-ghost-twin · 2026-07-09/ghostapproval-ai-coding-assistant-symlink-trust-boundary · 2026-06-25/cordyceps-the-github-actions-pull-request-target-pwn-request · 2026-06-24/postcss-npm-typosquats-deliver-a-nuitka-compiled-python-rat · 2026-06-23/shapedplugin-build-pipeline-compromised-three-pro-wordpress +25 more · ATT&CK page ↗

T1199Trusted Relationship×3

Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.

Entra Agent ID OBO abuse ×1 Icarus Salesforce OAuth extortion ×1 Mini Shai-Hulud ×1 TeamPCP ×1

Evidence: 2026-06-25/klue-icarus-salesforce-oauth-breach-beyondtrust-and-lastpass · 2026-06-10/red-canary-microsoft-entra-agent-id-abuse-obo-oauth-flow-tur · 2026-05-13/mini-shai-hulud-s-github-actions-pwn-request-oidc-token-thef · ATT&CK page ↗

T1566Phishing×18
T1566.001Phishing: Spearphishing Attachment×8

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

Booking.com-fed hotel phishing (CH) ×1 FrostyNeighbor March–May 2026 campaign ×1 GREYVIBE ×1 GTIG Europe Data Leak Landscape 2025 ×1 Microsoft Exchange Server 2016/2019/SE — OWA stored XSS (CISA KEV 2026-05-15, actively exploited, no permanent patch — EEMS Mitigation M2 only) ×1 Operation Dragon Weave ×1 Operation XENOFISCAL ×1 Secret Blizzard ×1 +2 more

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-24/whatsapp-borne-vbscript-silently-installs-a-manageengine-rmm · 2026-06-24/swiss-post-cybersecurity-publishes-its-inaugural-swiss-threa · 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury · 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g +3 more · ATT&CK page ↗

T1566.002Phishing: Spearphishing Link×12

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

Booking.com-fed hotel phishing (CH) ×2 ARToken ×1 FrostyNeighbor March–May 2026 campaign ×1 GREYVIBE ×1 GTIG Europe Data Leak Landscape 2025 ×1 Job-seeker targeting wave (CH) ×1 LLMShare ×1 Microsoft 365 Copilot Enterprise Search 'SearchLeak' command-injection/info-disclosure; one-click exfil; patched server-side ×1 +2 more

Evidence: 2026-07-09/unc1151-ghostwriter-gmail-realtime-2fa-phishing · 2026-07-02/cisco-talos-artoken-exposes-a-full-bec-as-a-service-toolkit · 2026-06-16/varonis-searchleak-cve-2026-42824-one-click-m365-copilot-dat · 2026-06-16/dprk-unk-deaddrop-weaponises-vs-code-cursor-auto-run-to-hit · 2026-06-10/ncsc-ch-week-23-coordinated-surge-in-job-seeker-targeting-fa +7 more · ATT&CK page ↗

T1566.003Phishing: Spearphishing via Service×2

Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.

Booking.com-fed hotel phishing (CH) ×1 JINX-0164 ×1 Job-seeker targeting wave (CH) ×1

Evidence: 2026-06-10/ncsc-ch-week-23-coordinated-surge-in-job-seeker-targeting-fa · 2026-05-29/wiz-cirt-names-jinx-0164-linkedin-recruiter-lures-audiofix-m · ATT&CK page ↗

T1566.004Phishing: Spearphishing Voice×5

Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.

ShinyHunters ×3 GTIG Europe Data Leak Landscape 2025 ×1 MuddyWater ×1 Odido (Netherlands telecom) ShinyHunters breach ×1 Silent Ransom Group physical USB intrusions ×1 UNC6671 ×1

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-06-26/shinyhunters-used-a-single-vishing-call-into-the-company-s-i · 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · 2026-05-16/gtig-unc6671-blackfile-vishing-aitm-rogue-mfa-programmatic-s · 2026-05-08/muddywater-iran-mois-deploys-chaos-ransomware-as-false-flag · ATT&CK page ↗

T1659Content Injection×1

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.

Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 Living Off the Pipeline ×1

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

Execution TA0002

T1047Windows Management Instrumentation×2

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems. WMI is an administration feature that provides a uniform environment to access Windows system components.

Akira ×2 Bumblebee → AdaptixC2 → Akira intrusion ×1 Qilin ×1 The Gentlemen ×1

Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-05-04/akira-playbook-quarterly-context-q1-2026-healthcare-concentr · ATT&CK page ↗

T1053Scheduled Task/Job×2

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.

Security-tool impersonation TDS campaign ×1 The Gentlemen ×1 TrapDoor ×1

Evidence: 2026-06-12/the-gentlemen-ransomware-478-claimed-leak-site-victims-self · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1053.003Scheduled Task/Job: Cron×2

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

TrapDoor ×1

Evidence: 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1053.005Scheduled Task/Job: Scheduled Task×10

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Security-tool impersonation TDS campaign ×2 Avalon ×1 CrySome RAT ×1 FrostyNeighbor March–May 2026 campaign ×1 INC Ransom ×1 Kimsuky ×1 Operation XENOFISCAL ×1 ScarCruft ×1 +2 more

Evidence: 2026-07-08/crysome-rat-freight-phishing-amsi-uac-defender-chain · 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · 2026-06-18/scarcruft-apt37-delivers-narwhalrat-behind-fake-microsoft-ot · 2026-06-12/the-gentlemen-ransomware-478-claimed-leak-site-victims-self +5 more · ATT&CK page ↗

T1059Command and Scripting Interpreter×38

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell.

Booking.com-fed hotel phishing (CH) ×6 Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×2 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×2 Microsoft Semantic Kernel .NET SDK — unintended [KernelFunction] on SessionsPythonPlugin Download/UploadFileAsync → arbitrary file write → sandbox escape (CVSS 9.9) ×2 Microsoft Semantic Kernel Python SDK — prompt-injection-to-RCE via InMemoryVectorStore filter (CVSS 9.9, PoC public) ×2 TrapDoor ×2 0DIN coding-agent prompt-injection chain ×1 Agentjacking ×1 +62 more

Evidence: 2026-07-03/cve-2026-34038-coolify-authenticated-command-injection-to-rc · 2026-07-02/kemp-loadmaster-cve-2026-8037-exploitation-attempts-confirme · 2026-07-02/argo-cd-repo-server-unauthenticated-rce-no-cve-unpatched-18 · 2026-06-29/mozilla-0din-a-clean-github-repo-coerces-ai-coding-agents-in · 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat +33 more · ATT&CK page ↗

T1059.001Command and Scripting Interpreter: PowerShell×10

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

Booking.com-fed hotel phishing (CH) ×1 CrySome RAT ×1 FamousSparrow Azerbaijan intrusion ×1 Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 GREYVIBE ×1 Job-seeker targeting wave (CH) ×1 Kimsuky ×1 Living Off the Pipeline ×1 +3 more

Evidence: 2026-07-08/crysome-rat-freight-phishing-amsi-uac-defender-chain · 2026-06-24/postcss-npm-typosquats-deliver-a-nuitka-compiled-python-rat · 2026-06-10/ncsc-ch-week-23-coordinated-surge-in-job-seeker-targeting-fa · 2026-06-07/sans-isc-wetransfer-delivered-javascript-stages-a-steganogra · 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g +5 more · ATT&CK page ↗

T1059.003Command and Scripting Interpreter: Windows Command Shell×3

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.

Embargo ×1 Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 Living Off the Pipeline ×1 Pwn2Own Berlin 2026 ×1 Webworm ×1

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · 2026-05-21/webworm-china-aligned-shifts-to-eu-government-targets-echocr · 2026-05-17/pwn2own-berlin-2026-master-of-pwn-outcomes-the-new-ai-agents · ATT&CK page ↗

T1059.004Command and Scripting Interpreter: Unix Shell×15
T1059.005Command and Scripting Interpreter: Visual Basic×3

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.

SmartApeSG ClickFix campaign ×1 WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) ×1

Evidence: 2026-06-24/whatsapp-borne-vbscript-silently-installs-a-manageengine-rmm · 2026-06-10/year-old-winrar-flaw-cve-2025-8088-still-fuels-ukraine-intru · 2026-06-01/smartapesg-clickfix-stages-an-unnamed-rat-that-pivots-to-a-w · ATT&CK page ↗

T1059.006Command and Scripting Interpreter: Python×9

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Microsoft Semantic Kernel .NET SDK — unintended [KernelFunction] on SessionsPythonPlugin Download/UploadFileAsync → arbitrary file write → sandbox escape (CVSS 9.9) ×2 Microsoft Semantic Kernel Python SDK — prompt-injection-to-RCE via InMemoryVectorStore filter (CVSS 9.9, PoC public) ×2 AryStinger ×1 ChromaDB Python FastAPI server pre-auth RCE via embedding-function model loading before auth check (CVSS 4.0 = 10.0; v1.5.9 unpatched at disclosure) ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Edgecution ×1 JDownloader official site compromised ×1 LangGraph Redis checkpointer RediSearch query injection (CVSS 6.5; fixed @langchain/langgraph-checkpoint-redis 1.0.1) ×1 +9 more

Evidence: 2026-06-30/hijacked-npm-and-go-packages-weaponise-vs-code-s-folderopen · 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-16/obsidian-security-a-three-cve-chain-turns-any-litellm-user-i · 2026-06-13/check-point-chains-sql-injection-to-rce-in-langgraph-s-check +4 more · ATT&CK page ↗

T1059.007Command and Scripting Interpreter: JavaScript×16
T1072Software Deployment Tools×3
T1106Native API×1

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

RemotePE ×1

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1127.001Trusted Developer Utilities Proxy Execution: MSBuild×1

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.

Avalon ×1

Evidence: 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · ATT&CK page ↗

T1197BITS Jobs×1

Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

Evidence: 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · ATT&CK page ↗

T1203Exploitation for Client Execution×5

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 FFmpeg parser/demuxer heap or stack overflow (depthfirst AI-agent discovery; PoC public, fixed upstream) ×1 +4 more

Evidence: 2026-06-10/cve-2026-11645-google-chrome-v8-out-of-bounds-read-write-exp · 2026-06-07/cve-2026-10881-google-chrome-angle-graphics-engine-out-of-bo · 2026-06-07/an-autonomous-ai-agent-finds-21-zero-days-in-ffmpeg-for-1-00 · 2026-06-05/university-of-toronto-vector-institute-a-self-propagating-wo · 2026-06-05/redis-cve-2026-23479-a-public-use-after-free-got-overwrite-r · ATT&CK page ↗

T1204User Execution×8
T1204.001User Execution: Malicious Link×4

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.

GREYVIBE ×1 LLMShare ×1 SmartApeSG ClickFix campaign ×1

Evidence: 2026-06-24/macos-clickfix-evolves-hdiutil-attach-nobrowse-mounts-the-ma · 2026-06-01/smartapesg-clickfix-stages-an-unnamed-rat-that-pivots-to-a-w · 2026-05-30/llmshare-malvertising-campaign-attackers-embed-fake-outage-p · 2026-05-30/greyvibe-newly-documented-russia-nexus-cluster-deploys-five · ATT&CK page ↗

T1204.002User Execution: Malicious File×7

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, .cpl, .reg, and .iso.

Akira ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 Edgecution ×1 Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 Living Off the Pipeline ×1 Megalodon ×1 Operation Endgame — Amadey/StealC takedown ×1 Operation Endgame — SocGholish expansion ×1 +3 more

Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · 2026-06-19/operation-endgame-expands-to-socgholish-ta569-106-c2-servers · 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp +2 more · ATT&CK page ↗

T1204.003User Execution: Malicious Image×1

Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via Upload Malware, and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.

Evidence: 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · ATT&CK page ↗

T1559Inter-Process Communication×1

Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern.

Edgecution ×1

Evidence: 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · ATT&CK page ↗

T1574Hijack Execution Flow×5

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

Akira ×1 Apex2 ×1 Beagle ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 Cybercrime-underground AI adoption ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Operation Dragon Weave ×1 +3 more

Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · 2026-05-22/cve-2026-34926-trend-micro-apex-one-on-premise-post-auth-dir · 2026-05-10/sophos-beagle-backdoor-distributed-via-fake-claude-ai-site-u · ATT&CK page ↗

T1574.001Hijack Execution Flow: DLL×15

Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.

Akira ×2 Calypso telco espionage campaign ×2 Stock-exchange mailbox espionage ×2 Beagle ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 Cavern ×1 Cavern Manticore ×1 Cybercrime-underground AI adoption ×1 +13 more

Evidence: 2026-07-09/cavern-manticore-iran-mois-modular-net-c2-anti-analysis · 2026-07-08/unit42-factory-v3-loader-vidar-xmrig-sandbox-evasion · 2026-07-01/kaspersky-great-toddycat-s-umbrij-automates-gmail-workspace · 2026-06-30/mustang-panda-abuses-zoho-workdrive-as-a-dead-drop-c2-channe · 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware +10 more · ATT&CK page ↗

T1574.008Hijack Execution Flow: Path Interception by Search Order Hijacking×1

Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.

Screening Serpens ×1 Security-tool impersonation TDS campaign ×1

Evidence: 2026-05-27/nimbus-manticore-unc1549-screening-serpens-check-point-detai · ATT&CK page ↗

T1574.014Hijack Execution Flow: AppDomainManager×2

Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.

Screening Serpens ×1

Evidence: 2026-06-28/unit-42-chinese-speaking-cluster-cl-sta-1062-deploys-the-new · 2026-05-23/unit-42-iran-s-screening-serpens-unc1549-smoke-sandstorm-nim · ATT&CK page ↗

T1610Deploy Container×2

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment. In Kubernetes environments, an adversary may attempt to deploy a privileged or vulnerable container into a specific node in order to Escape to Host and access other containers running on the node.

Gogs argument-injection RCE ×1 Gogs argument-injection RCE (CVE-2026-52806); now actively exploited in K8s cryptojacking campaign (Wiz) ×1 Linux kernel cgroup v1 release_agent container escape (missing CAP_SYS_ADMIN check); CISA KEV 2026-06-02 ×1

Evidence: 2026-06-29/gogs-cve-2026-52806-moves-from-no-observed-exploitation-to-a · 2026-06-03/linux-cgroups-v1-release-agent-container-escape-cve-2022-049 · ATT&CK page ↗

T1651Cloud Administration Command×1

Adversaries may abuse cloud management services to execute commands within virtual machines. Resources such as AWS Systems Manager, Azure RunCommand, and Runbooks allow users to remotely run scripts in virtual machines by leveraging installed virtual machine agents.

Evidence: 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · ATT&CK page ↗

Persistence TA0003

T1053Scheduled Task/Job×2

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.

Security-tool impersonation TDS campaign ×1 The Gentlemen ×1 TrapDoor ×1

Evidence: 2026-06-12/the-gentlemen-ransomware-478-claimed-leak-site-victims-self · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1053.003Scheduled Task/Job: Cron×2

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

TrapDoor ×1

Evidence: 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1053.005Scheduled Task/Job: Scheduled Task×10

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Security-tool impersonation TDS campaign ×2 Avalon ×1 CrySome RAT ×1 FrostyNeighbor March–May 2026 campaign ×1 INC Ransom ×1 Kimsuky ×1 Operation XENOFISCAL ×1 ScarCruft ×1 +2 more

Evidence: 2026-07-08/crysome-rat-freight-phishing-amsi-uac-defender-chain · 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · 2026-06-18/scarcruft-apt37-delivers-narwhalrat-behind-fake-microsoft-ot · 2026-06-12/the-gentlemen-ransomware-478-claimed-leak-site-victims-self +5 more · ATT&CK page ↗

T1078Valid Accounts×45

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Booking.com-fed hotel phishing (CH) ×9 Akira ×3 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×3 FortiBleed ×2 Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×2 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×2 Qilin ×2 ShinyHunters ×2 +52 more

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-07-05/kairos-data-theft-extortion-case-us-county-govt-1m-payout · 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce +40 more · ATT&CK page ↗

T1078.001Valid Accounts: Default Accounts×4

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.

Booking.com-fed hotel phishing (CH) ×2 Akira ×1 Akira kill-chain reconstruction (SANS ISC) ×1 Gitea Docker reverse-proxy trust-all auth bypass (X-WEBAUTH-USER impersonation) ×1 SEPPmail appliance management — information disclosure (CVSS 6.9) ×1 SEPPmail appliance management — LFI and arbitrary file deletion (CVSS 8.8) ×1 SEPPmail GINAv2 — insecure deserialisation via session cookie → RCE (CVSS 9.2) ×1 SEPPmail GINAv2 — missing authentication in admin REST API (CVSS 9.3) ×1 +2 more

Evidence: 2026-06-23/cve-2026-20896-gitea-docker-trust-all-reverse-proxy-default · 2026-05-28/sans-isc-akira-ransomware-kill-chain-reconstructed-entirely · 2026-05-09/seppmail-secure-email-gateway-cvss-9-3-unauthenticated-rce-c · 2026-05-04/cve-2026-44128-et-al-seppmail-secure-email-gateway-six-cve-c · ATT&CK page ↗

T1078.002Valid Accounts: Domain Accounts×1

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.

Akira ×1 SonicWall SonicOS improper access control (mgmt + SSLVPN, Gen 5/6/7) — Akira/Fog ransomware on-ramp ×1

Evidence: 2026-06-23/sonicwall-cve-2024-40766-why-patched-firewalls-keep-falling · ATT&CK page ↗

T1078.004Valid Accounts: Cloud Accounts×26

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

ShinyHunters ×4 Mini Shai-Hulud ×3 TeamPCP ×3 Booking.com-fed hotel phishing (CH) ×2 Entra Agent ID OBO abuse ×2 'Ghost in the Database' ADFS key recovery ×1 888 ×1 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×1 +27 more

Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · 2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery · 2026-07-08/accenture-confirms-data-theft-888-azure-devops-claim · 2026-06-29/gogs-cve-2026-52806-moves-from-no-observed-exploitation-to-a · 2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede +21 more · ATT&CK page ↗

T1098Account Manipulation×5
T1098.001Account Manipulation: Additional Cloud Credentials×1

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

ARToken ×1

Evidence: 2026-07-02/cisco-talos-artoken-exposes-a-full-bec-as-a-service-toolkit · ATT&CK page ↗

T1098.004Account Manipulation: SSH Authorized Keys×1

Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code> (or, on ESXi, `/etc/ssh/keys-<username>/authorized_keys`). Users may edit the system’s SSH config file to modify the directives `PubkeyAuthentication` and `RSAAuthentication` to the value `yes` to ensure public key and RSA authentication are enabled, as well as modify the directive `PermitRootLogin` to the value `yes` to enable root authentication via SSH. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.

Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 UAT-8616 ×1

Evidence: 2026-05-15/cisco-catalyst-sd-wan-cve-2026-20182-authentication-bypass-a · ATT&CK page ↗

T1098.005Account Manipulation: Device Registration×4
T1112Modify Registry×2
T1133External Remote Services×12

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.

Akira ×5 Groupe 3R ransomware breach ×2 Akira kill-chain reconstruction (SANS ISC) ×1 AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Dragos Q1 2026 Industrial Ransomware Analysis ×1 GREYVIBE ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 +7 more

Evidence: 2026-07-03/cve-2026-13368-watchguard-fireware-iked-pre-auth-rce · 2026-06-23/sonicwall-cve-2024-40766-why-patched-firewalls-keep-falling · 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-21/prinz-eugen-a-go-based-encryptor-that-targets-recent-files-f · 2026-06-10/dragos-q1-2026-industrial-ransomware-analysis-1-020-industri +7 more · ATT&CK page ↗

T1136Create Account×5
T1136.001Create Account: Local Account×6
T1136.002Create Account: Domain Account×1

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account.

Akira ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1

Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · ATT&CK page ↗

T1176Software Extensions×1

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms. Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application.

BadBlocker ×1

Evidence: 2026-06-28/island-badblocker-an-11m-user-chrome-ad-blocker-is-one-serve · ATT&CK page ↗

T1197BITS Jobs×1

Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

Evidence: 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · ATT&CK page ↗

T1505Server Software Component×5
T1505.003Server Software Component: Web Shell×20
T1542Pre-OS Boot×1

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.

Booking.com-fed hotel phishing (CH) ×1 GreatXML ×1 Nightmare Eclipse ×1 Nightmare Eclipse Windows zero-day series ×1 RoguePlanet ×1

Evidence: 2026-06-12/greatxml-unpatched-bitlocker-bypass-via-crafted-xml-on-the-r · ATT&CK page ↗

T1542.001Pre-OS Boot: System Firmware×2

Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.

Booking.com-fed hotel phishing (CH) ×2 Nightmare Eclipse ×2 Nightmare Eclipse Windows zero-day series ×2 GreatXML ×1 RoguePlanet ×1

Evidence: 2026-06-12/greatxml-unpatched-bitlocker-bypass-via-crafted-xml-on-the-r · 2026-05-15/windows-bitlocker-yellowkey-and-ctfmon-greenplasma-zero-days · ATT&CK page ↗

T1542.003Pre-OS Boot: Bootkit×1

Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

usbliter8 ×1

Evidence: 2026-06-20/usbliter8-a-permanent-securerom-boot-chain-exploit-for-apple · ATT&CK page ↗

T1543Create or Modify System Process×3

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.

RemotePE ×1 ssh-keysign-pwn — 9-year ptrace race in Linux kernel __ptrace_may_access() reaches root + SSH host-key exfiltration; four public Qualys exploits on default major distros ×1

Evidence: 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · 2026-05-23/cve-2026-46333-ssh-keysign-pwn-a-9-year-ptrace-race-in-the-l · ATT&CK page ↗

T1543.001Create or Modify System Process: Launch Agent×3

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>. Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

JINX-0164 ×1 Living Off the Pipeline ×1 macOS.Gaslight ×1

Evidence: 2026-06-26/macos-gaslight-a-dprk-aligned-rust-backdoor-that-targets-the · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-29/wiz-cirt-names-jinx-0164-linkedin-recruiter-lures-audiofix-m · ATT&CK page ↗

T1543.002Create or Modify System Process: Systemd Service×3

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Apex2 ×1 c2c / meow ×1 ssh-keysign-pwn — 9-year ptrace race in Linux kernel __ptrace_may_access() reaches root + SSH host-key exfiltration; four public Qualys exploits on default major distros ×1

Evidence: 2026-07-09/nozomi-apex2-c2c-meow-golang-iot-linux-ddos-botnets · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-23/cve-2026-46333-ssh-keysign-pwn-a-9-year-ptrace-race-in-the-l · ATT&CK page ↗

T1543.003Create or Modify System Process: Windows Service×2

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

RemotePE ×1 The Gentlemen ×1

Evidence: 2026-06-19/eset-the-gentlemen-raas-gang-centrally-builds-and-maintains · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1546Event Triggered Execution×1

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.

Megalodon ×1

Evidence: 2026-05-23/megalodon-mass-poisons-5-561-github-repos-in-a-6-hour-window · ATT&CK page ↗

T1547Boot or Logon Autostart Execution×4

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

GTIG Europe Data Leak Landscape 2025 ×1 Living Off the Pipeline ×1 PamStealer ×1 Secret Blizzard ×1 WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) ×1

Evidence: 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · ATT&CK page ↗

T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder×6

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.

WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) ×2 FrostyNeighbor March–May 2026 campaign ×1 GTIG Europe Data Leak Landscape 2025 ×1 Operation XENOFISCAL ×1 Secret Blizzard ×1

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-24/postcss-npm-typosquats-deliver-a-nuitka-compiled-python-rat · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-06-10/year-old-winrar-flaw-cve-2025-8088-still-fuels-ukraine-intru · 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury +1 more · ATT&CK page ↗

T1547.013Boot or Logon Autostart Execution: XDG Autostart Entries×1

Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.

Miasma ×1

Evidence: 2026-06-10/shai-hulud-miasma-supply-chain-worm-jumps-to-pypi-as-hades-3 · ATT&CK page ↗

T1554Compromise Host Software Binary×1

Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.

Velvet Ant Operation Highland ×1

Evidence: 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · ATT&CK page ↗

T1556Modify Authentication Process×6

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.

Akira ×1 Cisco ISE / ISE-PIC — authenticated path-traversal OS command execution to root (CVSS 9.1) ×1 Cisco ISE / ISE-PIC — unauthenticated read of sensitive data incl. hashed admin credentials (CVSS 7.5) ×1 GTIG Europe Data Leak Landscape 2025 ×1 Keycloak admin evaluate-scopes endpoint cross-role PII leakage bypassing user-view permissions (Keycloak 26.6.2) ×1 Keycloak Authorization Services Protection API cross-realm IDOR allowing realm-A authenticated attacker to access realm-B resources (Keycloak 26.6.2) ×1 Keycloak execute-actions token replay enabling unauthorised WebAuthn / FIDO2 credential enrollment on victim account (Keycloak 26.6.2) ×1 Keycloak OIDC login flow session fixation enabling account takeover (Keycloak 26.6.2; BSI WID-SEC-2026-1612 HIGH) ×1 +7 more

Evidence: 2026-06-19/cisco-ise-cve-2026-20181-cve-2026-20190-an-unauthenticated-c · 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · 2026-06-10/meta-discloses-20-225-instagram-account-takeovers-via-an-ai · 2026-05-21/keycloak-26-6-2-16-cves-including-oidc-session-fixation-cve · 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain +1 more · ATT&CK page ↗

T1556.003Modify Authentication Process: Pluggable Authentication Modules×1

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.

Velvet Ant Operation Highland ×1

Evidence: 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · ATT&CK page ↗

T1556.006Modify Authentication Process: Multi-Factor Authentication×6

Privilege Escalation TA0004

T1053Scheduled Task/Job×2

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.

Security-tool impersonation TDS campaign ×1 The Gentlemen ×1 TrapDoor ×1

Evidence: 2026-06-12/the-gentlemen-ransomware-478-claimed-leak-site-victims-self · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1053.003Scheduled Task/Job: Cron×2

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code. The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

TrapDoor ×1

Evidence: 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · 2026-05-26/trapdoor-cross-ecosystem-supply-chain-campaign-validates-sto · ATT&CK page ↗

T1053.005Scheduled Task/Job: Scheduled Task×10

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Security-tool impersonation TDS campaign ×2 Avalon ×1 CrySome RAT ×1 FrostyNeighbor March–May 2026 campaign ×1 INC Ransom ×1 Kimsuky ×1 Operation XENOFISCAL ×1 ScarCruft ×1 +2 more

Evidence: 2026-07-08/crysome-rat-freight-phishing-amsi-uac-defender-chain · 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · 2026-06-18/scarcruft-apt37-delivers-narwhalrat-behind-fake-microsoft-ot · 2026-06-12/the-gentlemen-ransomware-478-claimed-leak-site-victims-self +5 more · ATT&CK page ↗

T1055Process Injection×5

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

CL-STA-1132 ×2 DAEMON Tools supply-chain compromise ×1 OceanLotus ×1 Palo Alto PAN-OS Captive Portal unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09) ×1 RemotePE ×1

Evidence: 2026-06-12/eset-oceanlotus-apt32-compromises-a-stock-trading-platform-s · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · 2026-05-09/daemon-tools-lite-supply-chain-quic-rat-deployed-via-signed · 2026-05-04/cve-2026-0300-palo-alto-pan-os-captive-portal-unauthenticate · 2026-05-04/cl-sta-1132-pan-os-cve-2026-0300-exploitation-cluster-disclo · ATT&CK page ↗

T1055.002Process Injection: Portable Executable Injection×1

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.

RemotePE ×1

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1055.012Process Injection: Process Hollowing×2

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.

DesckVB RAT malspam ×1 Trojanised ScreenConnect AsyncRAT campaign ×1

Evidence: 2026-07-02/kaspersky-mdr-seo-poisoned-fake-installer-sites-trojanize-sc · 2026-06-04/desckvb-rat-malspam-launders-through-google-doubleclick-and · ATT&CK page ↗

T1068Exploitation for Privilege Escalation×25

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

Booking.com-fed hotel phishing (CH) ×5 Nightmare Eclipse ×3 Nightmare Eclipse Windows zero-day series ×3 DragonForce ×2 Embargo ×2 UAT-8616 ×2 AMD-SB-7052 ×1 AMD-SB-7052 — Zen 2 µop-cache corruption / SoC isolation LPE (CVSS 7.3 CVSS 4.0) ×1 +36 more

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-07-09/cve-2026-48614-plesk-xml-api-code-injection-root-lpe · 2026-07-08/ghostlock-cve-2026-43499-linux-kernel-rtmutex-uaf-lpe · 2026-06-28/cve-2026-58053-gitea-act-runner-docker-backend-container-har · 2026-06-26/cisco-catalyst-sd-wan-manager-cve-2026-20245 +20 more · ATT&CK page ↗

T1078Valid Accounts×45

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Booking.com-fed hotel phishing (CH) ×9 Akira ×3 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×3 FortiBleed ×2 Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×2 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×2 Qilin ×2 ShinyHunters ×2 +52 more

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-07-05/kairos-data-theft-extortion-case-us-county-govt-1m-payout · 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce +40 more · ATT&CK page ↗

T1078.001Valid Accounts: Default Accounts×4

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.

Booking.com-fed hotel phishing (CH) ×2 Akira ×1 Akira kill-chain reconstruction (SANS ISC) ×1 Gitea Docker reverse-proxy trust-all auth bypass (X-WEBAUTH-USER impersonation) ×1 SEPPmail appliance management — information disclosure (CVSS 6.9) ×1 SEPPmail appliance management — LFI and arbitrary file deletion (CVSS 8.8) ×1 SEPPmail GINAv2 — insecure deserialisation via session cookie → RCE (CVSS 9.2) ×1 SEPPmail GINAv2 — missing authentication in admin REST API (CVSS 9.3) ×1 +2 more

Evidence: 2026-06-23/cve-2026-20896-gitea-docker-trust-all-reverse-proxy-default · 2026-05-28/sans-isc-akira-ransomware-kill-chain-reconstructed-entirely · 2026-05-09/seppmail-secure-email-gateway-cvss-9-3-unauthenticated-rce-c · 2026-05-04/cve-2026-44128-et-al-seppmail-secure-email-gateway-six-cve-c · ATT&CK page ↗

T1078.002Valid Accounts: Domain Accounts×1

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.

Akira ×1 SonicWall SonicOS improper access control (mgmt + SSLVPN, Gen 5/6/7) — Akira/Fog ransomware on-ramp ×1

Evidence: 2026-06-23/sonicwall-cve-2024-40766-why-patched-firewalls-keep-falling · ATT&CK page ↗

T1078.004Valid Accounts: Cloud Accounts×26

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

ShinyHunters ×4 Mini Shai-Hulud ×3 TeamPCP ×3 Booking.com-fed hotel phishing (CH) ×2 Entra Agent ID OBO abuse ×2 'Ghost in the Database' ADFS key recovery ×1 888 ×1 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×1 +27 more

Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · 2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery · 2026-07-08/accenture-confirms-data-theft-888-azure-devops-claim · 2026-06-29/gogs-cve-2026-52806-moves-from-no-observed-exploitation-to-a · 2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede +21 more · ATT&CK page ↗

T1098Account Manipulation×5
T1098.001Account Manipulation: Additional Cloud Credentials×1

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

ARToken ×1

Evidence: 2026-07-02/cisco-talos-artoken-exposes-a-full-bec-as-a-service-toolkit · ATT&CK page ↗

T1098.004Account Manipulation: SSH Authorized Keys×1

Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions, macOS, and ESXi hypervisors commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <code>&lt;user-home&gt;/.ssh/authorized_keys</code> (or, on ESXi, `/etc/ssh/keys-<username>/authorized_keys`). Users may edit the system’s SSH config file to modify the directives `PubkeyAuthentication` and `RSAAuthentication` to the value `yes` to ensure public key and RSA authentication are enabled, as well as modify the directive `PermitRootLogin` to the value `yes` to enable root authentication via SSH. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.

Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 UAT-8616 ×1

Evidence: 2026-05-15/cisco-catalyst-sd-wan-cve-2026-20182-authentication-bypass-a · ATT&CK page ↗

T1098.005Account Manipulation: Device Registration×4
T1134Access Token Manipulation×1

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.

Booking.com-fed hotel phishing (CH) ×1 Nightmare Eclipse ×1 Nightmare Eclipse Windows zero-day series ×1

Evidence: 2026-05-15/windows-bitlocker-yellowkey-and-ctfmon-greenplasma-zero-days · ATT&CK page ↗

T1134.003Access Token Manipulation: Make and Impersonate Token×1

Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.

Umbrij ×1

Evidence: 2026-07-01/kaspersky-great-toddycat-s-umbrij-automates-gmail-workspace · ATT&CK page ↗

T1134.004Access Token Manipulation: Parent PID Spoofing×1

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.

StrikeShark ×1

Evidence: 2026-06-27/kaspersky-great-strikeshark-loader-deploys-cobalt-strike-via · ATT&CK page ↗

T1543Create or Modify System Process×3

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. On macOS, launchd processes known as Launch Daemon and Launch Agent are run to finish system initialization and load user specific parameters.

RemotePE ×1 ssh-keysign-pwn — 9-year ptrace race in Linux kernel __ptrace_may_access() reaches root + SSH host-key exfiltration; four public Qualys exploits on default major distros ×1

Evidence: 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · 2026-05-23/cve-2026-46333-ssh-keysign-pwn-a-9-year-ptrace-race-in-the-l · ATT&CK page ↗

T1543.001Create or Modify System Process: Launch Agent×3

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>. Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent's name, executable location, and execution time. Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

JINX-0164 ×1 Living Off the Pipeline ×1 macOS.Gaslight ×1

Evidence: 2026-06-26/macos-gaslight-a-dprk-aligned-rust-backdoor-that-targets-the · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-29/wiz-cirt-names-jinx-0164-linkedin-recruiter-lures-audiofix-m · ATT&CK page ↗

T1543.002Create or Modify System Process: Systemd Service×3

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources. Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.

Apex2 ×1 c2c / meow ×1 ssh-keysign-pwn — 9-year ptrace race in Linux kernel __ptrace_may_access() reaches root + SSH host-key exfiltration; four public Qualys exploits on default major distros ×1

Evidence: 2026-07-09/nozomi-apex2-c2c-meow-golang-iot-linux-ddos-botnets · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-23/cve-2026-46333-ssh-keysign-pwn-a-9-year-ptrace-race-in-the-l · ATT&CK page ↗

T1543.003Create or Modify System Process: Windows Service×2

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions. Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.

RemotePE ×1 The Gentlemen ×1

Evidence: 2026-06-19/eset-the-gentlemen-raas-gang-centrally-builds-and-maintains · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1546Event Triggered Execution×1

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. Cloud environments may also support various functions and services that monitor and can be invoked in response to specific cloud events.

Megalodon ×1

Evidence: 2026-05-23/megalodon-mass-poisons-5-561-github-repos-in-a-6-hour-window · ATT&CK page ↗

T1547Boot or Logon Autostart Execution×4

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon. These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

GTIG Europe Data Leak Landscape 2025 ×1 Living Off the Pipeline ×1 PamStealer ×1 Secret Blizzard ×1 WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) ×1

Evidence: 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-05-16/sentinelone-living-off-the-pipeline-ci-cd-subversion-taxonom · ATT&CK page ↗

T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder×6

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.

WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) ×2 FrostyNeighbor March–May 2026 campaign ×1 GTIG Europe Data Leak Landscape 2025 ×1 Operation XENOFISCAL ×1 Secret Blizzard ×1

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-06-24/postcss-npm-typosquats-deliver-a-nuitka-compiled-python-rat · 2026-06-18/mastra-npm-supply-chain-compromise-easy-day-js · 2026-06-10/year-old-winrar-flaw-cve-2025-8088-still-fuels-ukraine-intru · 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury +1 more · ATT&CK page ↗

T1547.013Boot or Logon Autostart Execution: XDG Autostart Entries×1

Adversaries may add or modify XDG Autostart Entries to execute malicious programs or commands when a user’s desktop environment is loaded at login. XDG Autostart entries are available for any XDG-compliant Linux system. XDG Autostart entries use Desktop Entry files (`.desktop`) to configure the user’s desktop environment upon user login. These configuration files determine what applications launch upon user login, define associated applications to open specific file types, and define applications used to open removable media.

Miasma ×1

Evidence: 2026-06-10/shai-hulud-miasma-supply-chain-worm-jumps-to-pypi-as-hades-3 · ATT&CK page ↗

T1548Abuse Elevation Control Mechanism×3
T1548.001Abuse Elevation Control Mechanism: Setuid and Setgid×1

An adversary may abuse configurations where an application has the setuid or setgid bits set in order to get code running in a different (and possibly more privileged) user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application binary, the application will run with the privileges of the owning user or group respectively. Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them may not have the specific required privileges.

Booking.com-fed hotel phishing (CH) ×1 Copy Fail — Linux kernel algif_aead local privilege escalation (ITW, KEV) ×1 Dirty Frag — Linux kernel RxRPC page-cache write primitive, LPE chain (ITW, patch pending) ×1 Dirty Frag — Linux kernel xfrm-ESP page-cache write primitive, LPE (ITW, PoC public) ×1 Embargo ×1

Evidence: 2026-05-04/cve-2026-31431-copy-fail-cve-2026-43284-cve-2026-43500-dirty · ATT&CK page ↗

T1548.002Abuse Elevation Control Mechanism: Bypass User Account Control×1

Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.

CrySome RAT ×1

Evidence: 2026-07-08/crysome-rat-freight-phishing-amsi-uac-defender-chain · ATT&CK page ↗

T1548.003Abuse Elevation Control Mechanism: Sudo and Sudo Caching×1

Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.

Apex2 ×1 c2c / meow ×1

Evidence: 2026-07-09/nozomi-apex2-c2c-meow-golang-iot-linux-ddos-botnets · ATT&CK page ↗

T1611Escape to Host×10

Stealth TA0005

T1006Direct Volume Access×1

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools.

Booking.com-fed hotel phishing (CH) ×1 Nightmare Eclipse ×1 Nightmare Eclipse Windows zero-day series ×1

Evidence: 2026-05-15/windows-bitlocker-yellowkey-and-ctfmon-greenplasma-zero-days · ATT&CK page ↗

T1014Rootkit×1

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.

Software-exposed BYOVD hardware-gate bypass ×1

Evidence: 2026-05-24/atos-trc-hardware-gated-windows-drivers-can-be-made-byovd-ex · ATT&CK page ↗

T1027Obfuscated Files or Information×8
T1027.003Obfuscated Files or Information: Steganography×1

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

Evidence: 2026-06-07/sans-isc-wetransfer-delivered-javascript-stages-a-steganogra · ATT&CK page ↗

T1027.004Obfuscated Files or Information: Compile After Delivery×1

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as ilasm.exe, csc.exe, or GCC/MinGW.

Evidence: 2026-06-27/microsoft-photo-zip-phishing-laundered-through-calendly-drop · ATT&CK page ↗

T1027.005Obfuscated Files or Information: Indicator Removal from Tools×1

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.

Evidence: 2026-06-16/wordpress-supply-chain-compromise-via-awesome-motive-s-cdn-b · ATT&CK page ↗

T1036Masquerading×9

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

AryStinger ×1 Bitter ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 DAEMON Tools supply-chain compromise ×1 JDownloader official site compromised ×1 Kimsuky ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 LLMShare ×1 +5 more

Evidence: 2026-07-10/e-government-portal-watering-hole-cms-implant-espionage · 2026-06-27/sans-isc-linux-process-name-masquerading-via-prctl-pr-set-na · 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · 2026-05-30/llmshare-malvertising-campaign-attackers-embed-fake-outage-p +4 more · ATT&CK page ↗

T1036.004Masquerading: Masquerade Task or Service×1

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.

DAEMON Tools supply-chain compromise ×1

Evidence: 2026-05-09/daemon-tools-lite-supply-chain-quic-rat-deployed-via-signed · ATT&CK page ↗

T1036.005Masquerading: Match Legitimate Resource Name or Location×10
T1055Process Injection×5

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

CL-STA-1132 ×2 DAEMON Tools supply-chain compromise ×1 OceanLotus ×1 Palo Alto PAN-OS Captive Portal unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09) ×1 RemotePE ×1

Evidence: 2026-06-12/eset-oceanlotus-apt32-compromises-a-stock-trading-platform-s · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · 2026-05-09/daemon-tools-lite-supply-chain-quic-rat-deployed-via-signed · 2026-05-04/cve-2026-0300-palo-alto-pan-os-captive-portal-unauthenticate · 2026-05-04/cl-sta-1132-pan-os-cve-2026-0300-exploitation-cluster-disclo · ATT&CK page ↗

T1055.002Process Injection: Portable Executable Injection×1

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.

RemotePE ×1

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1055.012Process Injection: Process Hollowing×2

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.

DesckVB RAT malspam ×1 Trojanised ScreenConnect AsyncRAT campaign ×1

Evidence: 2026-07-02/kaspersky-mdr-seo-poisoned-fake-installer-sites-trojanize-sc · 2026-06-04/desckvb-rat-malspam-launders-through-google-doubleclick-and · ATT&CK page ↗

T1070Indicator Removal×9
T1070.003Indicator Removal: Clear Command History×1

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.

Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×1 GTIG Europe Data Leak Landscape 2025 ×1

Evidence: 2026-06-26/cisco-catalyst-sd-wan-manager-cve-2026-20245 · ATT&CK page ↗

T1070.004Indicator Removal: File Deletion×2

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

RemotePE ×1 SmartApeSG ClickFix campaign ×1

Evidence: 2026-06-01/smartapesg-clickfix-stages-an-unnamed-rat-that-pivots-to-a-w · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1070.006Indicator Removal: Timestomp×1

Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder and blend malicious files with legitimate files.

OP-512 ×1

Evidence: 2026-06-06/op-512-china-linked-cluster-runs-a-cryptographically-unique · ATT&CK page ↗

T1078Valid Accounts×45

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

Booking.com-fed hotel phishing (CH) ×9 Akira ×3 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×3 FortiBleed ×2 Ivanti EPMM on-prem admin API improper input validation → RCE (CVSS 7.2, ITW, KEV deadline 2026-05-10) ×2 Ivanti EPMM on-prem improper certificate validation → pre-auth Sentry impersonation (CVSS 9.1, ITW, KEV chain) ×2 Qilin ×2 ShinyHunters ×2 +52 more

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-07-10/cert-lv-lvm-olpha-ransomware-eu-nato-shared-threat · 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-07-05/kairos-data-theft-extortion-case-us-county-govt-1m-payout · 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce +40 more · ATT&CK page ↗

T1078.001Valid Accounts: Default Accounts×4

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS, the root user account in ESXi, and the default service account in Kubernetes.

Booking.com-fed hotel phishing (CH) ×2 Akira ×1 Akira kill-chain reconstruction (SANS ISC) ×1 Gitea Docker reverse-proxy trust-all auth bypass (X-WEBAUTH-USER impersonation) ×1 SEPPmail appliance management — information disclosure (CVSS 6.9) ×1 SEPPmail appliance management — LFI and arbitrary file deletion (CVSS 8.8) ×1 SEPPmail GINAv2 — insecure deserialisation via session cookie → RCE (CVSS 9.2) ×1 SEPPmail GINAv2 — missing authentication in admin REST API (CVSS 9.3) ×1 +2 more

Evidence: 2026-06-23/cve-2026-20896-gitea-docker-trust-all-reverse-proxy-default · 2026-05-28/sans-isc-akira-ransomware-kill-chain-reconstructed-entirely · 2026-05-09/seppmail-secure-email-gateway-cvss-9-3-unauthenticated-rce-c · 2026-05-04/cve-2026-44128-et-al-seppmail-secure-email-gateway-six-cve-c · ATT&CK page ↗

T1078.002Valid Accounts: Domain Accounts×1

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.

Akira ×1 SonicWall SonicOS improper access control (mgmt + SSLVPN, Gen 5/6/7) — Akira/Fog ransomware on-ramp ×1

Evidence: 2026-06-23/sonicwall-cve-2024-40766-why-patched-firewalls-keep-falling · ATT&CK page ↗

T1078.004Valid Accounts: Cloud Accounts×26

Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. Cloud Accounts can exist solely in the cloud; alternatively, they may be hybrid-joined between on-premises systems and the cloud through syncing or federation with other identity sources such as Windows Active Directory.

ShinyHunters ×4 Mini Shai-Hulud ×3 TeamPCP ×3 Booking.com-fed hotel phishing (CH) ×2 Entra Agent ID OBO abuse ×2 'Ghost in the Database' ADFS key recovery ×1 888 ×1 Cisco Catalyst SD-WAN Manager command-injection to root — Mandiant confirms pre-disclosure zero-day exploitation; patched (chains CVE-2026-20127/-20182) ×1 +27 more

Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · 2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery · 2026-07-08/accenture-confirms-data-theft-888-azure-devops-claim · 2026-06-29/gogs-cve-2026-52806-moves-from-no-observed-exploitation-to-a · 2026-06-28/keycloak-jwt-algorithm-confusion-cve-2026-11800-forging-fede +21 more · ATT&CK page ↗

T1127.001Trusted Developer Utilities Proxy Execution: MSBuild×1

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.

Avalon ×1

Evidence: 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · ATT&CK page ↗

T1134Access Token Manipulation×1

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.

Booking.com-fed hotel phishing (CH) ×1 Nightmare Eclipse ×1 Nightmare Eclipse Windows zero-day series ×1

Evidence: 2026-05-15/windows-bitlocker-yellowkey-and-ctfmon-greenplasma-zero-days · ATT&CK page ↗

T1134.003Access Token Manipulation: Make and Impersonate Token×1

Adversaries may make new tokens and impersonate users to escalate privileges and bypass access controls. For example, if an adversary has a username and password but the user is not logged onto the system the adversary can then create a logon session for the user using the `LogonUser` function. The function will return a copy of the new session's access token and the adversary can use `SetThreadToken` to assign the token to a thread.

Umbrij ×1

Evidence: 2026-07-01/kaspersky-great-toddycat-s-umbrij-automates-gmail-workspace · ATT&CK page ↗

T1134.004Access Token Manipulation: Parent PID Spoofing×1

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use. This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.

StrikeShark ×1

Evidence: 2026-06-27/kaspersky-great-strikeshark-loader-deploys-cobalt-strike-via · ATT&CK page ↗

T1140Deobfuscate/Decode Files or Information×2

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

Megalodon ×1 Packagist Laravel-Lang supply-chain wave ×1 RemotePE ×1 TeamPCP ×1

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · 2026-05-24/packagist-supply-chain-wave-laravel-lang-autoloader-backdoor · ATT&CK page ↗

T1197BITS Jobs×1

Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through Component Object Model (COM). BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

Evidence: 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · ATT&CK page ↗

T1202Indirect Command Execution×1

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (`pcalua.exe`), components of the Windows Subsystem for Linux (WSL), `Scriptrunner.exe`, as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. Adversaries may also abuse the `ssh.exe` binary to execute malicious commands via the `ProxyCommand` and `LocalCommand` options, which can be invoked via the `-o` flag or by modifying the SSH config file.

Evidence: 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · ATT&CK page ↗

T1218System Binary Proxy Execution×1

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, or otherwise trusted, binaries. Binaries used in this technique are often Microsoft-signed files, indicating that they have been either downloaded from Microsoft or are already native in the operating system. Binaries signed with trusted digital certificates can typically execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files or commands.

Fortinet FortiClient EMS 7.4.5/7.4.6 — improper-access-control on X-SSL-CLIENT-VERIFY header lets unauth attacker spoof mTLS state and reach management API; ITW exploited to push EKZ Infostealer per Arctic Wolf 2026-05-27 ×1

Evidence: 2026-05-29/forticlient-ems-cve-2026-35616-ekz-infostealer-kill-chain · ATT&CK page ↗

T1218.005System Binary Proxy Execution: Mshta×1

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code

Operation XENOFISCAL ×1

Evidence: 2026-06-03/operation-xenofiscal-sidecopy-apt36-hits-provincial-treasury · ATT&CK page ↗

T1480Execution Guardrails×3

Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.

Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 GTIG Europe Data Leak Landscape 2025 ×1 Living Off the Pipeline ×1 RemotePE ×1 Secret Blizzard ×1 WinRAR path-traversal (referenced as initial-access exploit in Gamaredon GammaPhish/GammaWorm campaign, Sekoia 2026-06-01) ×1

Evidence: 2026-06-27/turla-s-stockstay-a-four-component-net-backdoor-for-diplomat · 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

T1480.001Execution Guardrails: Environmental Keying×1

Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.

RemotePE ×1

Evidence: 2026-05-26/lazarus-remotepe-a-three-stage-memory-only-rat-that-unhooks · ATT&CK page ↗

T1497.001Virtualization/Sandbox Evasion: System Checks×1

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

PamStealer ×1

Evidence: 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · ATT&CK page ↗

T1542Pre-OS Boot×1

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.

Booking.com-fed hotel phishing (CH) ×1 GreatXML ×1 Nightmare Eclipse ×1 Nightmare Eclipse Windows zero-day series ×1 RoguePlanet ×1

Evidence: 2026-06-12/greatxml-unpatched-bitlocker-bypass-via-crafted-xml-on-the-r · ATT&CK page ↗

T1542.001Pre-OS Boot: System Firmware×2

Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer.

Booking.com-fed hotel phishing (CH) ×2 Nightmare Eclipse ×2 Nightmare Eclipse Windows zero-day series ×2 GreatXML ×1 RoguePlanet ×1

Evidence: 2026-06-12/greatxml-unpatched-bitlocker-bypass-via-crafted-xml-on-the-r · 2026-05-15/windows-bitlocker-yellowkey-and-ctfmon-greenplasma-zero-days · ATT&CK page ↗

T1542.003Pre-OS Boot: Bootkit×1

Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the boot sectors of a hard drive, allowing malicious code to execute before a computer's operating system has loaded. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

usbliter8 ×1

Evidence: 2026-06-20/usbliter8-a-permanent-securerom-boot-chain-exploit-for-apple · ATT&CK page ↗

T1564Hide Artifacts×1

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.

Edgecution ×1

Evidence: 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · ATT&CK page ↗

T1564.003Hide Artifacts: Hidden Window×1

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.

Edgecution ×1

Evidence: 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · ATT&CK page ↗

T1574Hijack Execution Flow×5

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

Akira ×1 Apex2 ×1 Beagle ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 Cybercrime-underground AI adoption ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Operation Dragon Weave ×1 +3 more

Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · 2026-05-22/cve-2026-34926-trend-micro-apex-one-on-premise-post-auth-dir · 2026-05-10/sophos-beagle-backdoor-distributed-via-fake-claude-ai-site-u · ATT&CK page ↗

T1574.001Hijack Execution Flow: DLL×15

Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate privileges, and evade defenses. DLLs are libraries that contain code and data that can be simultaneously utilized by multiple programs. While DLLs are not malicious by nature, they can be abused through mechanisms such as side-loading, hijacking search order, and phantom DLL hijacking.

Akira ×2 Calypso telco espionage campaign ×2 Stock-exchange mailbox espionage ×2 Beagle ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 Cavern ×1 Cavern Manticore ×1 Cybercrime-underground AI adoption ×1 +13 more

Evidence: 2026-07-09/cavern-manticore-iran-mois-modular-net-c2-anti-analysis · 2026-07-08/unit42-factory-v3-loader-vidar-xmrig-sandbox-evasion · 2026-07-01/kaspersky-great-toddycat-s-umbrij-automates-gmail-workspace · 2026-06-30/mustang-panda-abuses-zoho-workdrive-as-a-dead-drop-c2-channe · 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware +10 more · ATT&CK page ↗

T1574.008Hijack Execution Flow: Path Interception by Search Order Hijacking×1

Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.

Screening Serpens ×1 Security-tool impersonation TDS campaign ×1

Evidence: 2026-05-27/nimbus-manticore-unc1549-screening-serpens-check-point-detai · ATT&CK page ↗

T1574.014Hijack Execution Flow: AppDomainManager×2

Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` loads assemblies. The .NET framework uses the `AppDomainManager` class to create and manage one or more isolated runtime environments (called application domains) inside a process to host the execution of .NET applications. Assemblies (`.exe` or `.dll` binaries compiled to run as .NET code) may be loaded into an application domain as executable code.

Screening Serpens ×1

Evidence: 2026-06-28/unit-42-chinese-speaking-cluster-cl-sta-1062-deploys-the-new · 2026-05-23/unit-42-iran-s-screening-serpens-unc1549-smoke-sandstorm-nim · ATT&CK page ↗

T1620Reflective Code Loading×3

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules).

Bitter ×1 Cavern ×1 Cavern Manticore ×1 MuddyWater ×1 OP-512 ×1

Evidence: 2026-07-10/e-government-portal-watering-hole-cms-implant-espionage · 2026-07-09/cavern-manticore-iran-mois-modular-net-c2-anti-analysis · 2026-06-06/op-512-china-linked-cluster-runs-a-cryptographically-unique · ATT&CK page ↗

T1684.001Social Engineering: Impersonation×2

Adversaries may impersonate a trusted person or organization in order to persuade and trick a target into performing some action on their behalf. For example, adversaries may communicate with victims (via Phishing for Information, Phishing, or Internal Spearphishing) while impersonating a known sender such as an executive, colleague, or third-party vendor. Established trust can then be leveraged to accomplish an adversary’s ultimate goals, possibly against multiple victims.

Edgecution ×1 Odido (Netherlands telecom) ShinyHunters breach ×1 ShinyHunters ×1

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-06-25/edgecution-abusing-the-chrome-edge-native-messaging-api-as-a · ATT&CK page ↗

Defense Impairment TA0112

T1112Modify Registry×2
T1222File and Directory Permissions Modification×1

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

AWS Language Servers / Amazon Q Developer symlink trust-boundary write outside workspace (GhostApproval, CWE-61); fixed language-servers 1.69.0 / @aws/lsp-codewhisperer 0.0.117 ×1 Cursor IDE sandbox escape via symlink + failed path canonicalization (GhostApproval); fixed Cursor 3.0 ×1 GhostApproval ×1

Evidence: 2026-07-09/ghostapproval-ai-coding-assistant-symlink-trust-boundary · ATT&CK page ↗

T1553Subvert Trust Controls×1

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

Booking.com-fed hotel phishing (CH) ×1 CERT-FR agentic-AI risk report (CERTFR-2026-ACT-016) ×1 GTIG AI Threat Tracker (May 2026) ×1 GTIG Europe Data Leak Landscape 2025 ×1 TeamPCP ×1

Evidence: 2026-05-12/gtig-ai-threat-tracker-may-2026-first-confirmed-ai-generated · ATT&CK page ↗

T1553.002Subvert Trust Controls: Code Signing×3

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature, this activity will result in a valid signature.

Factory-v3 ×1 Fox Tempest ×1 Mini Shai-Hulud ×1 TeamPCP ×1

Evidence: 2026-07-08/unit42-factory-v3-loader-vidar-xmrig-sandbox-evasion · 2026-06-09/microsoft-threat-intelligence-ai-brand-impersonation-drives · 2026-05-13/mini-shai-hulud-s-github-actions-pwn-request-oidc-token-thef · ATT&CK page ↗

T1556Modify Authentication Process×6

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.

Akira ×1 Cisco ISE / ISE-PIC — authenticated path-traversal OS command execution to root (CVSS 9.1) ×1 Cisco ISE / ISE-PIC — unauthenticated read of sensitive data incl. hashed admin credentials (CVSS 7.5) ×1 GTIG Europe Data Leak Landscape 2025 ×1 Keycloak admin evaluate-scopes endpoint cross-role PII leakage bypassing user-view permissions (Keycloak 26.6.2) ×1 Keycloak Authorization Services Protection API cross-realm IDOR allowing realm-A authenticated attacker to access realm-B resources (Keycloak 26.6.2) ×1 Keycloak execute-actions token replay enabling unauthorised WebAuthn / FIDO2 credential enrollment on victim account (Keycloak 26.6.2) ×1 Keycloak OIDC login flow session fixation enabling account takeover (Keycloak 26.6.2; BSI WID-SEC-2026-1612 HIGH) ×1 +7 more

Evidence: 2026-06-19/cisco-ise-cve-2026-20181-cve-2026-20190-an-unauthenticated-c · 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · 2026-06-10/meta-discloses-20-225-instagram-account-takeovers-via-an-ai · 2026-05-21/keycloak-26-6-2-16-cves-including-oidc-session-fixation-cve · 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain +1 more · ATT&CK page ↗

T1556.003Modify Authentication Process: Pluggable Authentication Modules×1

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.

Velvet Ant Operation Highland ×1

Evidence: 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · ATT&CK page ↗

T1556.006Modify Authentication Process: Multi-Factor Authentication×6
T1578Modify Cloud Compute Infrastructure×2

An adversary may attempt to modify a cloud account's compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.

Cloud-bucket hijacking via namespace reuse ×1

Evidence: 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-06-24/unit-42-cloud-bucket-hijacking-via-global-namespace-reuse-si · ATT&CK page ↗

T1599.001Network Boundary Bridging: Network Address Translation Traversal×1

Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.

Arista EOS tunnel-decapsulation logic flaw (CWE-1023) bypasses VXLAN segmentation; CISA KEV, exploited ×1

Evidence: 2026-06-10/cve-2026-7473-arista-eos-tunnel-decapsulation-logic-flaw-byp · ATT&CK page ↗

T1685Disable or Modify Tools×11

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.

AryStinger ×1 Avalon ×1 Cisco Catalyst SD-WAN Controller/Manager pre-auth authentication bypass (CVSS 10.0, actively exploited by UAT-8616) ×1 CrySome RAT ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 DesckVB RAT malspam ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 +11 more

Evidence: 2026-07-08/unit42-factory-v3-loader-vidar-xmrig-sandbox-evasion · 2026-07-08/crysome-rat-freight-phishing-amsi-uac-defender-chain · 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch +6 more · ATT&CK page ↗

T1685.002Disable or Modify Tools: Disable or Modify Cloud Log×1

An adversary may disable or modify cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an adversary has sufficient permissions, they can disable or modify logging to avoid detection of their activities.

Evidence: 2026-06-10/unit-42-catalogues-cloud-logging-defense-evasion-across-aws · ATT&CK page ↗

T1685.006Disable or Modify Tools: Clear Linux or Mac System Logs×3
T1686Disable or Modify System Firewall×1

Adversaries may disable or modify host-based or network firewalls to impair defensive mechanisms and enable further action. Once an adversary has gathered sufficient privileges, they can tamper with firewall services, policies, or rule sets to remove restrictions on inbound or outbound traffic. For example, this may include turning off firewall profiles, altering existing rules to permit previously blocked ports or protocols, or adding new rules that create covert communication paths (e.g., adding a new firewall rule for a well-known protocol (such as RDP) using a non-traditional and potentially less securitized port.

AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 QNAP Malware Remover code injection (fixed 6.6.8.20251023) — AryStinger NAS access vector ×1

Evidence: 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · ATT&CK page ↗

T1686.001Disable or Modify System Firewall: Cloud Firewall×1

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources.

Storm-2949 ×1 Storm-2949 SSPR-to-Key-Vault kill chain ×1

Evidence: 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain · ATT&CK page ↗

Credential Access TA0006

T1003OS Credential Dumping×4
T1003.001OS Credential Dumping: LSASS Memory×3

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct Lateral Movement using Use Alternate Authentication Material.

Stock-exchange mailbox espionage ×1 Webworm ×1

Evidence: 2026-06-09/unit-42-microsoft-teams-external-chat-now-a-primary-phishing · 2026-06-04/symantec-five-month-low-and-slow-mailbox-espionage-campaign · 2026-05-21/webworm-china-aligned-shifts-to-eu-government-targets-echocr · ATT&CK page ↗

T1003.002OS Credential Dumping: Security Account Manager×1

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.

Living Off the Pipeline ×1 MuddyWater ×1 Stock-exchange mailbox espionage ×1

Evidence: 2026-05-28/muddywater-seedworm-symantec-and-carbon-black-document-new-d · ATT&CK page ↗

T1003.003OS Credential Dumping: NTDS×1

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.

Akira ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1

Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · ATT&CK page ↗

T1003.007OS Credential Dumping: Proc Filesystem×1

Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process’s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process’s virtual address space.

Mini Shai-Hulud ×1 TeamPCP ×1

Evidence: 2026-05-13/mini-shai-hulud-s-github-actions-pwn-request-oidc-token-thef · ATT&CK page ↗

T1040Network Sniffing×1

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Squidbleed — 29-year-old heap over-read in Squid FTP gateway leaks cross-user HTTP credentials ×1

Evidence: 2026-06-23/squidbleed-a-29-year-old-heap-over-read-in-squid-s-ftp-gatew · ATT&CK page ↗

T1056Input Capture×1

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).

BadBlocker ×1

Evidence: 2026-06-28/island-badblocker-an-11m-user-chrome-ad-blocker-is-one-serve · ATT&CK page ↗

T1056.001Input Capture: Keylogging×1

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.

ScarCruft ×1

Evidence: 2026-06-18/scarcruft-apt37-delivers-narwhalrat-behind-fake-microsoft-ot · ATT&CK page ↗

T1110Brute Force×4

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Apex2 ×1 c2c / meow ×1 FortiBleed ×1 Kairos ×1 Mini Shai-Hulud ×1 TeamPCP ×1 Verizon 2026 DBIR ×1

Evidence: 2026-07-09/nozomi-apex2-c2c-meow-golang-iot-linux-ddos-botnets · 2026-07-05/kairos-data-theft-extortion-case-us-county-govt-1m-payout · 2026-06-22/fortibleed-russian-speaking-operator-cracking-86-644-fortiga · 2026-05-21/verizon-2026-dbir-vulnerability-exploitation-overtakes-crede · ATT&CK page ↗

T1110.002Brute Force: Password Cracking×1

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. OS Credential Dumping can be used to obtain password hashes, this may only get an adversary so far when Pass the Hash is not an option. Further, adversaries may leverage Data from Configuration Repository in order to obtain hashed credentials for network devices.

Cisco ISE / ISE-PIC — authenticated path-traversal OS command execution to root (CVSS 9.1) ×1 Cisco ISE / ISE-PIC — unauthenticated read of sensitive data incl. hashed admin credentials (CVSS 7.5) ×1

Evidence: 2026-06-19/cisco-ise-cve-2026-20181-cve-2026-20190-an-unauthenticated-c · ATT&CK page ↗

T1110.003Brute Force: Password Spraying×1

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords.

LSHIY Azure CLI ROPC token-spray ×1 Railway device-code phishing ×1

Evidence: 2026-07-10/m365-conditional-access-gaps-railway-lshiy-campaigns · ATT&CK page ↗

T1111Multi-Factor Authentication Interception×3

Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.

GTIG Europe Data Leak Landscape 2025 ×1 Security-tool impersonation TDS campaign ×1

Evidence: 2026-06-10/check-point-a-tds-gated-ecosystem-impersonates-security-tool · 2026-05-26/google-s-threat-intel-group-maps-a-chinese-language-phaas-ec · 2026-05-23/fbi-psa260521-kali365-oauth-device-code-phaas-bypasses-m365 · ATT&CK page ↗

T1187Forced Authentication×2
T1212Exploitation for Credential Access×2
T1528Steal Application Access Token×10
T1539Steal Web Session Cookie×2

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

PAN-OS GlobalProtect pre-auth authentication bypass ×1

Evidence: 2026-05-30/cve-2026-0257-pan-os-globalprotect-pre-auth-vpn-authenticati · 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · ATT&CK page ↗

T1552Unsecured Credentials×16
T1552.001Unsecured Credentials: Credentials In Files×24

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

TeamPCP ×8 Booking.com-fed hotel phishing (CH) ×4 Mini Shai-Hulud ×3 PCPJack ×2 888 ×1 actions-cool/issues-helper compromise ×1 Argo CD repo-server unauthenticated RCE ×1 Avalon ×1 +24 more

Evidence: 2026-07-10/nextcloud-gmbh-elasticsearch-exposure-msb-nrw · 2026-07-08/accenture-confirms-data-theft-888-azure-devops-claim · 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-07-02/argo-cd-repo-server-unauthenticated-rce-no-cve-unpatched-18 · 2026-06-23/shapedplugin-build-pipeline-compromised-three-pro-wordpress +19 more · ATT&CK page ↗

T1552.004Unsecured Credentials: Private Keys×5
T1552.005Unsecured Credentials: Cloud Instance Metadata API×1
T1555Credentials from Password Stores×13

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications and services that store passwords to make them easier for users to manage and maintain, such as password managers and cloud secrets vaults. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

Avalon ×1 Booking.com-fed hotel phishing (CH) ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Fortinet FortiClient EMS 7.4.5/7.4.6 — improper-access-control on X-SSL-CLIENT-VERIFY header lets unauth attacker spoof mTLS state and reach management API; ITW exploited to push EKZ Infostealer per Arctic Wolf 2026-05-27 ×1 JINX-0164 ×1 Job-seeker targeting wave (CH) ×1 Living Off the Pipeline ×1 +3 more

Evidence: 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-24/unit-42-malicious-skills-on-the-openclaw-clawhub-agent-marke · 2026-06-24/macos-clickfix-evolves-hdiutil-attach-nobrowse-mounts-the-ma · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-06-10/shai-hulud-miasma-supply-chain-worm-jumps-to-pypi-as-hades-3 +8 more · ATT&CK page ↗

T1555.001Credentials from Password Stores: Keychain×2

Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple’s iCloud service.

PamStealer ×1

Evidence: 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · 2026-05-10/clickfix-campaign-expands-to-macos-macsync-shub-stealer-and · ATT&CK page ↗

T1555.003Credentials from Password Stores: Credentials from Web Browsers×8
T1556Modify Authentication Process×6

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using Valid Accounts.

Akira ×1 Cisco ISE / ISE-PIC — authenticated path-traversal OS command execution to root (CVSS 9.1) ×1 Cisco ISE / ISE-PIC — unauthenticated read of sensitive data incl. hashed admin credentials (CVSS 7.5) ×1 GTIG Europe Data Leak Landscape 2025 ×1 Keycloak admin evaluate-scopes endpoint cross-role PII leakage bypassing user-view permissions (Keycloak 26.6.2) ×1 Keycloak Authorization Services Protection API cross-realm IDOR allowing realm-A authenticated attacker to access realm-B resources (Keycloak 26.6.2) ×1 Keycloak execute-actions token replay enabling unauthorised WebAuthn / FIDO2 credential enrollment on victim account (Keycloak 26.6.2) ×1 Keycloak OIDC login flow session fixation enabling account takeover (Keycloak 26.6.2; BSI WID-SEC-2026-1612 HIGH) ×1 +7 more

Evidence: 2026-06-19/cisco-ise-cve-2026-20181-cve-2026-20190-an-unauthenticated-c · 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · 2026-06-10/meta-discloses-20-225-instagram-account-takeovers-via-an-ai · 2026-05-21/keycloak-26-6-2-16-cves-including-oidc-session-fixation-cve · 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain +1 more · ATT&CK page ↗

T1556.003Modify Authentication Process: Pluggable Authentication Modules×1

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.

Velvet Ant Operation Highland ×1

Evidence: 2026-06-13/velvet-ant-operation-highland-subverting-the-linux-authentic · ATT&CK page ↗

T1556.006Modify Authentication Process: Multi-Factor Authentication×6
T1557Adversary-in-the-Middle×4

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.

GTIG Europe Data Leak Landscape 2025 ×1 ShinyHunters ×1 UNC6671 ×1 Windows Shell LNK exploit predecessor — APT28 weaponised against Ukraine and EU; February 2026 patch left CVE-2026-32202 residual ×1 Windows Shell protection mechanism failure → NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12) ×1

Evidence: 2026-06-14/sekoia-apt28-gru-unit-26165-tradecraft-shifts-to-llm-generat · 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · 2026-05-16/gtig-unc6671-blackfile-vishing-aitm-rogue-mfa-programmatic-s · 2026-05-04/cve-2026-32202-windows-shell-ntlm-coercion-akamai-s-patchdif · ATT&CK page ↗

T1557.001Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay×1

By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.

Windows Shell LNK exploit predecessor — APT28 weaponised against Ukraine and EU; February 2026 patch left CVE-2026-32202 residual ×1 Windows Shell protection mechanism failure → NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12) ×1

Evidence: 2026-05-04/cve-2026-32202-windows-shell-ntlm-coercion-akamai-s-patchdif · ATT&CK page ↗

T1558.003Steal or Forge Kerberos Tickets: Kerberoasting×2

Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.

Akira ×1 Akira kill-chain reconstruction (SANS ISC) ×1

Evidence: 2026-05-28/sans-isc-akira-ransomware-kill-chain-reconstructed-entirely · 2026-05-11/sophos-2026-state-of-identity-security-71-of-orgs-breached-v · ATT&CK page ↗

T1606Forge Web Credentials×1

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

Szafir SDK (KIR) improper certificate verification / auth bypass — Polish qualified e-signature SDK; fixed v463 ×1

Evidence: 2026-05-26/cve-2026-9058-szafir-sdk-kir-signature-verification-routine · ATT&CK page ↗

T1606.002Forge Web Credentials: SAML Tokens×2

An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate. The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions ...</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>. Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.

'Ghost in the Database' ADFS key recovery ×1 Mini Shai-Hulud ×1 TeamPCP ×1

Evidence: 2026-07-09/mandiant-adfs-machine-dpapi-golden-saml-key-recovery · 2026-05-13/mini-shai-hulud-s-github-actions-pwn-request-oidc-token-thef · ATT&CK page ↗

T1621Multi-Factor Authentication Request Generation×2

Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to accounts by generating MFA requests sent to users.

Evidence: 2026-06-24/swiss-post-cybersecurity-publishes-its-inaugural-swiss-threa · 2026-06-23/two-scattered-spider-members-plead-guilty-over-the-2024-tran · ATT&CK page ↗

T1649Steal or Forge Authentication Certificates×1

Adversaries may steal or forge certificates used for authentication to access remote systems or resources. Digital certificates are often used to sign and encrypt messages and/or files. Certificates are also used as authentication material. For example, Entra ID device certificates and Active Directory Certificate Services (AD CS) certificates bind to an identity and can be used as credentials for domain accounts.

MuddyWater ×1

Evidence: 2026-05-08/muddywater-iran-mois-deploys-chaos-ransomware-as-false-flag · ATT&CK page ↗

Discovery TA0007

T1018Remote System Discovery×2

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping, <code>net view</code> using Net, or, on ESXi servers, `esxcli network diag ping`.

CL-STA-1132 ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Stock-exchange mailbox espionage ×1

Evidence: 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-05-04/cl-sta-1132-pan-os-cve-2026-0300-exploitation-cluster-disclo · ATT&CK page ↗

T1040Network Sniffing×1

Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Squidbleed — 29-year-old heap over-read in Squid FTP gateway leaks cross-user HTTP credentials ×1

Evidence: 2026-06-23/squidbleed-a-29-year-old-heap-over-read-in-squid-s-ftp-gatew · ATT&CK page ↗

T1046Network Service Discovery×4
T1082System Information Discovery×4

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery which is an adversary's discovery of local drive, disks and/or volumes.

FrostyNeighbor March–May 2026 campaign ×1 Linux kernel cgroup v1 release_agent container escape (missing CAP_SYS_ADMIN check); CISA KEV 2026-06-02 ×1 Mini Shai-Hulud ×1 TrapDoor ×1

Evidence: 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · 2026-06-03/linux-cgroups-v1-release-agent-container-escape-cve-2022-049 · 2026-06-01/two-concurrent-npm-dependency-confusion-campaigns-target-int · 2026-05-15/frostyneighbor-ghostwriter-unc1151-belarus-state-aligned-ese · ATT&CK page ↗

T1083File and Directory Discovery×7
T1087Account Discovery×4

Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts).

Living Off the Pipeline ×1 MuddyWater ×1 Stock-exchange mailbox espionage ×1

Evidence: 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · 2026-05-28/muddywater-seedworm-symantec-and-carbon-black-document-new-d · 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · 2026-05-23/unit-42-roadtools-operationalised-by-midnight-blizzard-curio · ATT&CK page ↗

T1087.004Account Discovery: Cloud Account×2

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.

Evidence: 2026-06-23/elastic-shows-how-the-newly-ga-azure-ad-graph-activity-logs · 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · ATT&CK page ↗

T1135Network Share Discovery×1

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

Silent Ransom Group physical USB intrusions ×1

Evidence: 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · ATT&CK page ↗

T1482Domain Trust Discovery×1

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain. Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct SID-History Injection, Pass the Ticket, and Kerberoasting. Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP. The Windows utility Nltest is known to be used by adversaries to enumerate domain trusts.

Living Off the Pipeline ×1 MuddyWater ×1 Stock-exchange mailbox espionage ×1

Evidence: 2026-05-28/muddywater-seedworm-symantec-and-carbon-black-document-new-d · ATT&CK page ↗

T1497.001Virtualization/Sandbox Evasion: System Checks×1

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

PamStealer ×1

Evidence: 2026-07-04/pamstealer-macos-infostealer-pam-api-password-validation · ATT&CK page ↗

T1518.001Software Discovery: Security Software Discovery×1

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as cloud monitoring agents and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Evidence: 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · ATT&CK page ↗

T1526Cloud Service Discovery×1

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.

Evidence: 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · ATT&CK page ↗

T1580Cloud Infrastructure Discovery×1

An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

Evidence: 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · ATT&CK page ↗

T1614System Location Discovery×1

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Mini Shai-Hulud ×1 TrapDoor ×1

Evidence: 2026-06-01/two-concurrent-npm-dependency-confusion-campaigns-target-int · ATT&CK page ↗

T1619Cloud Storage Object Discovery×1

Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.

Evidence: 2026-07-09/sygnia-ai-orchestrated-aws-cloud-intrusion-72h · ATT&CK page ↗

Lateral Movement TA0008

T1021Remote Services×11
T1021.001Remote Services: Remote Desktop Protocol×6
T1021.002Remote Services: SMB/Windows Admin Shares×3
T1021.003Remote Services: Distributed Component Object Model×1

Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.

Evidence: 2026-06-28/cisco-talos-a-field-guide-to-windows-com-abuse-itaskservice · ATT&CK page ↗

T1021.004Remote Services: SSH×6
T1021.007Remote Services: Cloud Services×1

Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.

Storm-2949 ×1 Storm-2949 SSPR-to-Key-Vault kill chain ×1

Evidence: 2026-05-20/storm-2949-sspr-to-key-vault-azure-kill-chain · ATT&CK page ↗

T1072Software Deployment Tools×3
T1091Replication Through Removable Media×1

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.

Gamaredon ×1

Evidence: 2026-06-01/gamaredon-gammaphish-gammaworm-ntfs-ads-usb-gammasteel-s3-ex · ATT&CK page ↗

T1210Exploitation of Remote Services×3
T1534Internal Spearphishing×1

After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization. Internal spearphishing is multi-staged campaign where a legitimate account is initially compromised either by controlling the user's device or by compromising the account credentials of the user. Adversaries may then attempt to take advantage of the trusted internal account to increase the likelihood of tricking more victims into falling for phish attempts, often incorporating Impersonation.

Booking.com-fed hotel phishing (CH) ×1 Microsoft Exchange Server 2016/2019/SE — OWA stored XSS (CISA KEV 2026-05-15, actively exploited, no permanent patch — EEMS Mitigation M2 only) ×1

Evidence: 2026-05-16/microsoft-exchange-cve-2026-42897-active-exploitation-withou · ATT&CK page ↗

T1550Use Alternate Authentication Material×4
T1550.001Use Alternate Authentication Material: Application Access Token×11
T1550.002Use Alternate Authentication Material: Pass the Hash×1

Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.

Evidence: 2026-06-09/unit-42-microsoft-teams-external-chat-now-a-primary-phishing · ATT&CK page ↗

T1550.004Use Alternate Authentication Material: Web Session Cookie×1

Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.

Evidence: 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · ATT&CK page ↗

T1570Lateral Tool Transfer×3

Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer) files may then be copied from one system to another to stage adversary tools or other files over the course of an operation.

CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce ×1 Mini Shai-Hulud ×1 STAC3725 CitrixBleed 2-to-DragonForce IAB chain ×1 TeamPCP ×1

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-06-05/university-of-toronto-vector-institute-a-self-propagating-wo · 2026-05-21/teampcp-mini-shai-hulud-campaign-github-itself-breached-3-80 · ATT&CK page ↗

Collection TA0009

T1005Data from Local System×4
T1025Data from Removable Media×1

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information.

Gamaredon ×1

Evidence: 2026-06-01/gamaredon-gammaphish-gammaworm-ntfs-ads-usb-gammasteel-s3-ex · ATT&CK page ↗

T1056Input Capture×1

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture).

BadBlocker ×1

Evidence: 2026-06-28/island-badblocker-an-11m-user-chrome-ad-blocker-is-one-serve · ATT&CK page ↗

T1056.001Input Capture: Keylogging×1

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.

ScarCruft ×1

Evidence: 2026-06-18/scarcruft-apt37-delivers-narwhalrat-behind-fake-microsoft-ot · ATT&CK page ↗

T1074Data Staged×1

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

Silent Ransom Group physical USB intrusions ×1

Evidence: 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · ATT&CK page ↗

T1074.001Data Staged: Local Data Staging×1

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location.

Evidence: 2026-05-23/rhysida-claims-stuttgart-municipal-data-theft-for-5-btc-city · ATT&CK page ↗

T1114Email Collection×1

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Emails may also contain details of ongoing incident response operations, which may allow adversaries to adjust their techniques in order to maintain persistence or evade defenses. Adversaries can collect or forward email from mail servers or clients.

Booking.com-fed hotel phishing (CH) ×1

Evidence: 2026-05-09/seppmail-secure-email-gateway-cvss-9-3-unauthenticated-rce-c · ATT&CK page ↗

T1114.001Email Collection: Local Email Collection×1

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Stock-exchange mailbox espionage ×1

Evidence: 2026-06-04/symantec-five-month-low-and-slow-mailbox-espionage-campaign · ATT&CK page ↗

T1114.002Email Collection: Remote Email Collection×1

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user's credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as MailSniper can be used to automate searches for specific keywords.

ARToken ×1

Evidence: 2026-07-02/cisco-talos-artoken-exposes-a-full-bec-as-a-service-toolkit · ATT&CK page ↗

T1114.003Email Collection: Email Forwarding Rule×2

Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations. Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim's emails even after compromised credentials are reset by administrators. Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.

Booking.com-fed hotel phishing (CH) ×1

Evidence: 2026-06-25/ncsc-ch-active-microsoft-365-voicemail-phishing-wave-in-swit · 2026-06-16/prc-unc6508-ran-year-plus-espionage-through-internet-facing · ATT&CK page ↗

T1115Clipboard Data×3
T1185Browser Session Hijacking×2

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

Booking.com-fed hotel phishing (CH) ×1 Gremlin Stealer ×1 Microsoft Exchange Server 2016/2019/SE — OWA stored XSS (CISA KEV 2026-05-15, actively exploited, no permanent patch — EEMS Mitigation M2 only) ×1

Evidence: 2026-05-16/unit-42-gremlin-stealer-evolved-with-net-resource-xor-obfusc · 2026-05-16/microsoft-exchange-cve-2026-42897-active-exploitation-withou · ATT&CK page ↗

T1213Data from Information Repositories×4

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).

Booking.com-fed hotel phishing (CH) ×2 ShinyHunters ×2 Mini Shai-Hulud ×1 Odido (Netherlands telecom) ShinyHunters breach ×1 SAP Commerce Cloud — unauthenticated arbitrary code execution via Spring Security misordering on cloud-config endpoint (CVSS 9.6, SAP Note 3733064) ×1 SAP S/4HANA Enterprise Search ABAP — authenticated SQL injection in SAP_BASIS 751–758 / 816 (CVSS 9.6) ×1

Evidence: 2026-07-10/odido-shinyhunters-vishing-dutch-police-attribution · 2026-06-11/shinyhunters-oracle-peoplesoft-campaign-gadget-chain-access · 2026-06-11/servicenow-unauthenticated-rest-endpoint-queried-customer-in · 2026-05-13/cve-2026-34263-cve-2026-34260-sap-commerce-cloud-pre-auth-rc · ATT&CK page ↗

T1213.003Data from Information Repositories: Code Repositories×4

Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.

888 ×1 Icarus Salesforce OAuth extortion ×1 ShinyHunters ×1

Evidence: 2026-07-08/accenture-confirms-data-theft-888-azure-devops-claim · 2026-06-25/klue-icarus-salesforce-oauth-breach-beyondtrust-and-lastpass · 2026-05-29/carnival-corporation-confirms-5-99-m-record-shinyhunters-bre · 2026-05-13/bwh-hotels-best-western-worldhotels-sure-hotels-181-day-unau · ATT&CK page ↗

T1530Data from Cloud Storage×8
T1557Adversary-in-the-Middle×4

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing, Transmitted Data Manipulation, or replay attacks (Exploitation for Credential Access). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.

GTIG Europe Data Leak Landscape 2025 ×1 ShinyHunters ×1 UNC6671 ×1 Windows Shell LNK exploit predecessor — APT28 weaponised against Ukraine and EU; February 2026 patch left CVE-2026-32202 residual ×1 Windows Shell protection mechanism failure → NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12) ×1

Evidence: 2026-06-14/sekoia-apt28-gru-unit-26165-tradecraft-shifts-to-llm-generat · 2026-05-27/tycoon-2fa-after-the-march-2026-takedown-two-tier-aitm-opera · 2026-05-16/gtig-unc6671-blackfile-vishing-aitm-rogue-mfa-programmatic-s · 2026-05-04/cve-2026-32202-windows-shell-ntlm-coercion-akamai-s-patchdif · ATT&CK page ↗

T1557.001Adversary-in-the-Middle: Name Resolution Poisoning and SMB Relay×1

By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.

Windows Shell LNK exploit predecessor — APT28 weaponised against Ukraine and EU; February 2026 patch left CVE-2026-32202 residual ×1 Windows Shell protection mechanism failure → NTLM coercion / spoofing (CVSS 4.3, APT28 ITW, KEV deadline 2026-05-12) ×1

Evidence: 2026-05-04/cve-2026-32202-windows-shell-ntlm-coercion-akamai-s-patchdif · ATT&CK page ↗

T1560Archive Collected Data×1

An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Calypso telco espionage campaign ×1

Evidence: 2026-05-22/red-lamassu-calypso-bronze-medley-showboat-jfmbackdoor-telco · ATT&CK page ↗

T1602Data from Configuration Repository×1

Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.

Booking.com-fed hotel phishing (CH) ×1

Evidence: 2026-05-09/seppmail-secure-email-gateway-cvss-9-3-unauthenticated-rce-c · ATT&CK page ↗

Command and Control TA0011

T1001.002Data Obfuscation: Steganography×1

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.

Calypso telco espionage campaign ×1

Evidence: 2026-05-22/red-lamassu-calypso-bronze-medley-showboat-jfmbackdoor-telco · ATT&CK page ↗

T1071Application Layer Protocol×14
T1071.001Application Layer Protocol: Web Protocols×15
T1071.004Application Layer Protocol: DNS×2
T1090Proxy×6

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 DragonForce ×1 DragonForce Backdoor.Turn intrusion ×1 Embargo ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 Popa residential-proxy botnet ×1 Pwn2Own Berlin 2026 ×1 +4 more

Evidence: 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-21/krebs-and-qurium-tie-the-popa-android-tv-residential-proxy-b · 2026-06-17/dragonforce-abuses-microsoft-teams-turn-relays-for-c2-and-ch · 2026-06-05/verdantbamboo-unc5221-warp-panda-an-18-month-china-nexus-int · 2026-05-25/underminr-a-multi-tenant-cdn-domain-fronting-variant-that-bl +1 more · ATT&CK page ↗

T1090.001Proxy: Internal Proxy×3

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.

Calypso telco espionage campaign ×2 TrickMo C ×1

Evidence: 2026-05-22/red-lamassu-calypso-bronze-medley-showboat-jfmbackdoor-telco · 2026-05-22/calypso-red-lamassu-bronze-medley-deploys-showboat-linux-and · 2026-05-13/trickmo-trickmo-c-android-banking-trojan-migrates-c2-to-the · ATT&CK page ↗

T1090.002Proxy: External Proxy×3

Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.

AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Kimsuky ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 Popa residential-proxy botnet ×1 QNAP Malware Remover code injection (fixed 6.6.8.20251023) — AryStinger NAS access vector ×1

Evidence: 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-06-21/krebs-and-qurium-tie-the-popa-android-tv-residential-proxy-b · 2026-05-17/kaspersky-great-documents-kimsuky-s-rust-based-hellodoor-and · ATT&CK page ↗

T1090.003Proxy: Multi-hop Proxy×3

Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.

Living Off the Pipeline ×1 LONGLEASH / SHORTLEASH ORB malware suite ×1 MuddyWater ×1 Popa residential-proxy botnet ×1 Stock-exchange mailbox espionage ×1 UAT-5918 ×1 UAT-7810 ×1

Evidence: 2026-07-08/talos-uat-7810-china-nexus-orb-network-longleash · 2026-07-04/netnut-popa-residential-proxy-botnet-disrupted-by-google-fbi · 2026-05-28/muddywater-seedworm-symantec-and-carbon-black-document-new-d · ATT&CK page ↗

T1090.004Proxy: Domain Fronting×1

Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).

Underminr ×1

Evidence: 2026-05-25/underminr-a-multi-tenant-cdn-domain-fronting-variant-that-bl · ATT&CK page ↗

T1102Web Service×1

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites, cloud services, and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google, Microsoft, or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Operation Dragon Weave ×1 VerdantBamboo ×1

Evidence: 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · ATT&CK page ↗

T1102.001Web Service: Dead Drop Resolver×5

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Calypso telco espionage campaign ×2 Operation Dragon Weave ×1 ScarCruft ×1 VerdantBamboo ×1

Evidence: 2026-06-30/mustang-panda-abuses-zoho-workdrive-as-a-dead-drop-c2-channe · 2026-06-18/scarcruft-apt37-delivers-narwhalrat-behind-fake-microsoft-ot · 2026-06-02/operation-dragon-weave-china-nexus-espionage-against-czech-g · 2026-05-22/red-lamassu-calypso-bronze-medley-showboat-jfmbackdoor-telco · 2026-05-22/calypso-red-lamassu-bronze-medley-deploys-showboat-linux-and · ATT&CK page ↗

T1102.002Web Service: Bidirectional Communication×1

Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet.

Webworm ×1

Evidence: 2026-05-21/webworm-china-aligned-shifts-to-eu-government-targets-echocr · ATT&CK page ↗

T1105Ingress Tool Transfer×6

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

Apex2 ×1 c2c / meow ×1 FrostyNeighbor March–May 2026 campaign ×1 Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 Living Off the Pipeline ×1 Prinz Eugen ×1

Evidence: 2026-07-09/nozomi-apex2-c2c-meow-golang-iot-linux-ddos-botnets · 2026-06-24/whatsapp-borne-vbscript-silently-installs-a-manageengine-rmm · 2026-06-24/macos-clickfix-evolves-hdiutil-attach-nobrowse-mounts-the-ma · 2026-06-21/prinz-eugen-a-go-based-encryptor-that-targets-recent-files-f · 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp +1 more · ATT&CK page ↗

T1219Remote Access Tools×8

An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a graphical interface, a command line interaction, a protocol tunnel via development or management software, or hardware-level access such as KVM (Keyboard, Video, Mouse) over IP solutions. Desktop support software (usually graphical interface) and remote management software (typically command line interface) allow a user to control a computer remotely as if they are a local user inheriting the user or software permissions. This software is commonly used for troubleshooting, software installation, and system management. Adversaries may similarly abuse response features included in EDR and other defensive tools that enable remote access.

Akira ×2 Bumblebee → AdaptixC2 → Akira intrusion ×1 Cavern ×1 Cavern Manticore ×1 CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce ×1 Dragos Q1 2026 Industrial Ransomware Analysis ×1 FrostyNeighbor March–May 2026 campaign ×1 +5 more

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-07-09/cavern-manticore-iran-mois-modular-net-c2-anti-analysis · 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-24/whatsapp-borne-vbscript-silently-installs-a-manageengine-rmm · 2026-06-10/dragos-q1-2026-industrial-ransomware-analysis-1-020-industri +3 more · ATT&CK page ↗

T1572Protocol Tunneling×3

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.

CL-STA-1132 ×2 AryStinger ×1 D-Link DIR-850L HTTP-service stack buffer overflow RCE — AryStinger botnet access vector ×1 Linksys/D-Link RTL819X command-injection RCE — initial-access vector for the AryStinger botnet ×1 Palo Alto PAN-OS Captive Portal unauthenticated root RCE (CVSS 9.3, ITW, KEV deadline 2026-05-09) ×1 QNAP Malware Remover code injection (fixed 6.6.8.20251023) — AryStinger NAS access vector ×1

Evidence: 2026-06-22/arystinger-a-reconnaissance-and-proxy-botnet-built-on-end-of · 2026-05-04/cve-2026-0300-palo-alto-pan-os-captive-portal-unauthenticate · 2026-05-04/cl-sta-1132-pan-os-cve-2026-0300-exploitation-cluster-disclo · ATT&CK page ↗

T1573Encrypted Channel×1

Adversaries may employ an encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

DAEMON Tools supply-chain compromise ×1

Evidence: 2026-05-09/daemon-tools-lite-supply-chain-quic-rat-deployed-via-signed · ATT&CK page ↗

T1573.002Encrypted Channel: Asymmetric Cryptography×1

Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.

DAEMON Tools supply-chain compromise ×1

Evidence: 2026-05-09/daemon-tools-lite-supply-chain-quic-rat-deployed-via-signed · ATT&CK page ↗

T1659Content Injection×1

Adversaries may gain access and continuously communicate with victims by injecting malicious content into systems through online network traffic. Rather than luring victims to malicious payloads hosted on a compromised website (i.e., Drive-by Target followed by Drive-by Compromise), adversaries may initially access victims through compromised data-transfer channels where they can manipulate traffic and/or inject their own content. These compromised online network channels may also be used to deliver additional payloads (i.e., Ingress Tool Transfer) and other data to already compromised systems.

Ghost CMS Content API unauthenticated SQLi (CVSS 9.4); ITW-exploited in ClickFix campaign; fixed 6.19.1 ×1 Living Off the Pipeline ×1

Evidence: 2026-05-25/ghost-cms-cve-2026-26980-clickfix-the-cms-compromise-to-endp · ATT&CK page ↗

Exfiltration TA0010

T1020Automated Exfiltration×1

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.

Evidence: 2026-06-30/hijacked-npm-and-go-packages-weaponise-vs-code-s-folderopen · ATT&CK page ↗

T1041Exfiltration Over C2 Channel×6
T1048Exfiltration Over Alternative Protocol×3

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Akira ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1

Evidence: 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-05-30/sysdig-trt-first-observed-llm-agent-driven-post-exploitation · 2026-05-16/node-ipc-npm-package-backdoored-via-expired-domain-account-t · ATT&CK page ↗

T1048.003Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol×1

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Evidence: 2026-05-16/node-ipc-npm-package-backdoored-via-expired-domain-account-t · ATT&CK page ↗

T1052Exfiltration Over Physical Medium×1

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

Silent Ransom Group physical USB intrusions ×1

Evidence: 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · ATT&CK page ↗

T1052.001Exfiltration Over Physical Medium: Exfiltration over USB×2

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

Silent Ransom Group physical USB intrusions ×2

Evidence: 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · 2026-06-01/luna-moth-unc3753-vishing-to-physical-usb-data-theft-extorti · ATT&CK page ↗

T1567Exfiltration Over Web Service×11

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Akira ×4 Groupe 3R ransomware breach ×3 ShinyHunters ×3 Bumblebee → AdaptixC2 → Akira intrusion ×1 DAEMON Tools Lite signed-build trojanisation (12.5.0.2421–12.5.0.2434) via Disc Soft Limited build infrastructure; CISA KEV 2026-05-27 ×1 Grafana Labs CoinbaseCartel breach ×1 Kairos ×1 Living Off the Pipeline ×1 +4 more

Evidence: 2026-07-09/groupe-3r-akira-forensic-confirmation-darknet-publication · 2026-07-05/kairos-data-theft-extortion-case-us-county-govt-1m-payout · 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-06-28/naic-breached-via-oracle-peoplesoft-zero-day-shinyhunters-pu · 2026-06-24/xsolis-healthcare-ai-vendor-breach-exposes-1-4m-patients-acr +6 more · ATT&CK page ↗

T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage×3

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

Medtronic breach ×1 ShinyHunters ×1 Silent Ransom Group physical USB intrusions ×1 Stock-exchange mailbox espionage ×1

Evidence: 2026-06-06/luna-moth-silent-ransom-group-unc3753-vishing-to-physical-ac · 2026-06-04/symantec-five-month-low-and-slow-mailbox-espionage-campaign · 2026-05-19/7-eleven-confirms-shinyhunters-breach-of-600-000-salesforce · ATT&CK page ↗

T1567.004Exfiltration Over Web Service: Exfiltration Over Webhook×1

Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel. Webhooks are simple mechanisms for allowing a server to push data over HTTP/S to a client without the need for the client to continuously poll the server. Many public and commercial services, such as Discord, Slack, and `webhook.site`, support the creation of webhook endpoints that can be used by other services, such as Github, Jira, or Trello. When changes happen in the linked services (such as pushing a repository update or modifying a ticket), these services will automatically post the data to the webhook endpoint for use by the consuming application.

GemStuffer ×1 Qilin ×1

Evidence: 2026-05-14/gemstuffer-rubygems-weaponised-as-a-one-way-exfiltration-cha · ATT&CK page ↗

Impact TA0040

T1485Data Destruction×4

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from Disk Content Wipe and Disk Structure Wipe because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.

Ababil of Minab ×1 Cloud-bucket hijacking via namespace reuse ×1 JADEPUFFER ×1 Langflow /api/v1/validate/code missing-auth RCE — initial access for the JADEPUFFER agentic ransomware operation ×1 Mini Shai-Hulud ×1 TeamPCP ×1

Evidence: 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce · 2026-06-24/unit-42-cloud-bucket-hijacking-via-global-namespace-reuse-si · 2026-05-28/iran-mois-attributed-to-lacmta-destructive-breach-via-ababil · 2026-05-26/teampcp-mini-shai-hulud-framework-open-sourced-microsoft-pyp · ATT&CK page ↗

T1486Data Encrypted for Impact×14

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.

Akira ×7 Groupe 3R ransomware breach ×3 Avalon ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1 CitrixBleed 2 (NetScaler ADC/Gateway pre-auth memory over-read) — weaponised in the STAC3725 IAB-to-DragonForce kill chain (Huntress) ×1 DragonForce ×1 Dragos Q1 2026 Industrial Ransomware Analysis ×1 JADEPUFFER ×1 +7 more

Evidence: 2026-07-10/citrixbleed-2-dragonforce-iab-kill-chain-stac3725 · 2026-07-09/groupe-3r-akira-forensic-confirmation-darknet-publication · 2026-07-04/jadepuffer-agentic-llm-ransomware-langflow-rce · 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware +9 more · ATT&CK page ↗

T1490Inhibit System Recovery×3

Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. This may deny access to available backups and recovery options.

Akira ×1 Avalon ×1 Bumblebee → AdaptixC2 → Akira intrusion ×1

Evidence: 2026-07-04/avalon-framework-msbuild-etw-loader-crownx-ransomware · 2026-06-30/bumblebee-adaptixc2-akira-a-full-seo-poisoning-to-ransomware · 2026-05-12/west-pharmaceutical-services-files-sec-form-8-k-item-1-05-da · ATT&CK page ↗

T1496Resource Hijacking×3
T1498Network Denial of Service×2

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.

Apex2 ×1 Atomic Arch ×1 Booking.com-fed hotel phishing (CH) ×1 c2c / meow ×1 GreatXML ×1 Nightmare Eclipse ×1 RoguePlanet ×1

Evidence: 2026-07-09/nozomi-apex2-c2c-meow-golang-iot-linux-ddos-botnets · 2026-06-14/looking-ahead-2026-w24 · ATT&CK page ↗

T1499Endpoint Denial of Service×2

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes and to support other malicious activities, including distraction, hacktivism, and extortion.

Atomic Arch ×1 Booking.com-fed hotel phishing (CH) ×1 GreatXML ×1 HTTP/2 Bomb — HPACK dynamic-table amplification + Slowloris stream-hold memory-exhaustion DoS vs nginx/Apache/IIS/Envoy/Pingora; nginx 1.29.8 & Apache mod_http2 2.0.41 patched, IIS/Envoy/Pingora unpatched at disclosure ×1 Nightmare Eclipse ×1 RoguePlanet ×1

Evidence: 2026-06-14/looking-ahead-2026-w24 · 2026-06-04/http-2-bomb-cve-2026-49975-a-single-connection-memory-exhaus · ATT&CK page ↗

T1499.003Endpoint Denial of Service: Application Exhaustion Flood×1

Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications. For example, specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself.

SolarWinds Serv-U uncontrolled resource consumption — unauthenticated DoS via Content-Encoding: deflate (CISA KEV 2026-06-05) ×1

Evidence: 2026-06-06/cve-2026-28318-solarwinds-serv-u-unauthenticated-dos-added-t · ATT&CK page ↗

T1499.004Endpoint Denial of Service: Application or System Exploitation×3
T1565Data Manipulation×2
T1565.001Data Manipulation: Stored Data Manipulation×2

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Microsoft Semantic Kernel .NET SDK — unintended [KernelFunction] on SessionsPythonPlugin Download/UploadFileAsync → arbitrary file write → sandbox escape (CVSS 9.9) ×2 Microsoft Semantic Kernel Python SDK — prompt-injection-to-RCE via InMemoryVectorStore filter (CVSS 9.9, PoC public) ×2

Evidence: 2026-05-10/microsoft-semantic-kernel-cve-2026-26030-cve-2026-25592-prom · 2026-05-04/cve-2026-26030-cve-2026-25592-microsoft-semantic-kernel-pyth · ATT&CK page ↗