Valid Accounts
Obtain and abuse credentials of existing accounts.
§ Where this technique fits
T1078 is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 100 approved dossiers in the registry, at step 2 on average.
Authoritative reference: attack.mitre.org/techniques/T1078/.
§ Dossiers chaining this technique
- step 1 / 5
5G core GTP-U user-plane injection → subscriber MITM
Attacker on a transit network between mobile-core hops (or with compromised UPF). GTP-U packets are typically unfiltered between PEs; inject packets into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks.
- step 1 / 6
Industroyer2 IEC-104 substation hijack
Timed payload speaks IEC-60870-5-104 to substation RTUs at an attacker-chosen hour; it sends 'open breaker' commands across a substation, blacking out a grid section.
- step 1 / 6
LogoFAIL → UEFI bootkit → persistent ring-0
Drop a malformed JPG/PNG/BMP into the EFI partition's boot logo path. Vulnerable vendor UEFI parses it pre-OS, executes attacker code before SecureBoot's verifier — install a bootkit that survives wipe + reinstall.
- step 1 / 6
io_uring UAF → modprobe_path overwrite → root
Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.
- step 1 / 7
nf_tables UAF → kernel R/W → root
CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
- step 1 / 6
Trusted updater hijack → wormable destructive payload (NotPetya / M.E.Doc)
Compromise a niche third-party vendor (regional tax software, niche industry tooling). Push a malicious update; every customer auto-installs it. Payload spreads via SMB + Mimikatz, wipes drives.
- step 1 / 6
Process doppelgänging → spawn signed image with attacker bytes
Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time.
- step 1 / 5
ERC-4626 first-depositor inflation → drain new deposits
Be the first depositor with 1 wei → mint 1 share. Send tokens directly to the vault to inflate share price. Every subsequent depositor's amount, integer-divided by the inflated rate, rounds to zero shares.
- step 1 / 6
AMSI patch → in-memory .NET / PowerShell stager
Patch AmsiScanBuffer in amsi.dll → return clean for any content. Subsequent PowerShell / Office VBA / .NET runtime calls emit attacker code without scanning.
- step 1 / 5
MITM HL7 v2 → tamper lab orders / results
HL7 v2 over MLLP is plaintext pipe-delimited. From the same VLAN as the lab analyser ↔ EHR link, MITM and rewrite OBX result segments — changes the patient's documented test result.
- step 1 / 5
BYOVD → kernel-level disable of EDR callbacks
From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.
- step 1 / 6
Process hollowing → run beacon in svchost shell
Spawn svchost.exe suspended, unmap its image, write attacker PE into the same address space, resume — the process keeps a legit-looking PEB and command line but executes beacon code.
- step 1 / 5
MEV bot honeypot → drain searcher
Plant a transaction that looks like easy arbitrage in the public mempool. The MEV searcher bot front-runs into a trap contract whose 'profit' function reverts and seizes the searcher's gas + funds.
- step 1 / 6
certutil + bitsadmin → AV-friendly stager chain
Initial access dropped a tiny .bat. It uses certutil to decode a base64 blob and bitsadmin to fetch the real beacon, then schtasks for persistence. Every binary is signed Microsoft.
- step 1 / 5
SAML signature wrapping (XSW) → impersonate admin
Capture a legitimate SAML response. Re-arrange the XML so the IdP's signature still validates against the original assertion, but the SP parses an attacker-injected assertion claiming Admin.
- step 1 / 5
DNS tunnel exfiltration in restricted egress
Outbound web is filtered, but DNS still resolves to the corporate forwarder. Use iodine / dnscat2 to tunnel a shell + exfil over DNS queries to an attacker-controlled authoritative server.
- step 1 / 6
Spectre-class side-channel → cross-tenant memory leak
Pre-mitigation cloud VM lets a co-tenant trigger speculative loads from kernel / sibling-VM memory. Cache-side-channel measurements recover sensitive data, including TLS keys + cloud creds.
- step 1 / 7
POS network pivot → RAM-scraper → card data exfil
The Target 2013 / Home Depot 2014 chain: vendor foothold → flat payment-switch VLAN → drop a memory-scraping malware on POS terminals → exfil track data through a payment-switch host.
- step 1 / 5
MITM unencrypted RTP → call eavesdropping
Most internal SIP deployments still use RTP without SRTP. From the same VLAN, ARP-spoof the IP phone + PBX, capture RTP, decode in Wireshark to .wav.
- step 1 / 6
Engineering workstation → push payload to PLC
Compromise the OT engineer's laptop (corporate-network adjacent, jumphost-reachable). Use legit engineering tools (TIA Portal / Studio 5000) to download attacker ladder logic to the PLC.
- step 1 / 6
Flash-loan governance attack → DAO admin
Voting power = token balance at snapshot. Borrow an enormous quantity via flash loan inside the snapshot tx, vote yourself in as admin, repay the loan.
- step 1 / 6
Exposed UART → root shell → firmware extraction
Open the IoT device, locate TX/RX/GND pads, attach a USB-UART, get an unauthenticated root prompt, dump firmware for offline analysis + 0-day hunting.
- step 1 / 6
Predictable RNG → forge password-reset tokens
App generates reset tokens via Math.random / Mersenne Twister seeded with time(). Capture a few legit tokens, recover the internal state, predict the next token for any user.
- step 1 / 5
LaunchDaemon persistence as root
Once at root (via sudo or a local exploit), drop a .plist into /Library/LaunchDaemons that re-implants on every boot; it survives user logout and a full power-cycle.
- step 1 / 5
TCC bypass → access Photos / Camera without consent
Inject into a process that already has Full Disk Access (e.g. backup utility, Terminal). Inherited TCC entitlement lets the attacker code read TCC-gated data — Photos, iMessage DB, Documents.
- step 1 / 5
Output injection → admin XSS in support panel
Customer chats with support LLM. Prompt injection makes the model emit a malicious markdown link / image; when an admin views the conversation in the support panel, JS / pixel-tracker fires.
- step 1 / 5
User foothold → keychain dump → cloud creds
Standard user shell on macOS. Brute the login.keychain master via ChainBreaker / a keylogged password; dump all entries — Safari saved creds, AWS keys, Slack tokens, SSO cookies.
- step 1 / 5
UAC bypass → elevated admin on a workstation
Standard medium-integrity admin user runs fodhelper / silentcleanup / computerdefaults auto-elevate bypass — gets a high-integrity session without a UAC prompt.
- step 1 / 5
docker group membership → host root via container escape
User is in the docker group. `docker run -v /:/host --privileged alpine chroot /host` gives them root on the host without sudo.
- step 1 / 5
Service account → SYSTEM via named-pipe impersonation
Service-context shell has SeImpersonatePrivilege. Use Potato-family tools (Juicy / Rogue / Print / God) to coerce SYSTEM to authenticate to an attacker-controlled named pipe, then impersonate the token.
- step 1 / 4
Mailbox forwarding rule → silent data exfil
Compromised user account. Create an Inbox / transport rule that auto-forwards every incoming message to an external attacker mailbox — invisible until an admin reviews mailbox rules.
- step 1 / 5
sudo NOPASSWD on a shell-spawner → root
User has sudo NOPASSWD on a binary that can shell out (vi, less, awk, perl, python). Use the binary's escape sequence to drop into a root shell.
- step 1 / 5
AlwaysInstallElevated → SYSTEM via MSI
Both HKCU and HKLM AlwaysInstallElevated policies set to 1 — any user-installed MSI runs as SYSTEM. Drop a malicious MSI and install it.
- step 1 / 5
polkit pwnkit (CVE-2021-4034) → instant root
Pre-2022 pkexec has a heap-overflow exploitable with no special permissions. Compile / drop the exploit, run as low-priv user, gain root.
- step 1 / 5
SUID binary → root via GTFOBins
Find an unusual SUID binary (find / nmap / vim / awk / less), check GTFOBins for the privilege-escalation primitive, spawn a root shell.
- step 1 / 7
mitm6 IPv6 SLAAC → NTLM relay → DA
Even when IPv4 is hardened, Windows clients prefer IPv6 with default DHCPv6. mitm6 makes the attacker the IPv6 DNS server, advertises wpad, and relays the captured NTLM to LDAPS for RBCD.
- step 1 / 6
802.1X NAC bypass via printer MAC spoof
Plug into the LAN, sniff a printer / IP-phone MAC, clone it on your laptop, get full LAN access via MAC-Auth-Bypass — bypass NAC entirely.
- step 1 / 5
Rogue DHCP → DNS poisoning → MITM
Bring up a faster DHCP server on the segment; new clients get attacker as gateway + DNS — strip HTTPS, capture creds, inject payloads.
- step 1 / 6
GCP service account impersonation chain → project owner
Compromised low-priv SA has iam.serviceAccounts.getAccessToken on an intermediate SA; hop through 2-3 impersonations until you reach a project Owner.
- step 1 / 7
Privileged pod escape → cluster admin
GenericWrite on a Deployment in the kube-system namespace lets you launch a privileged pod; the pod mounts the host filesystem and steals the kubeconfig of cluster-admin.
- step 1 / 5
VLAN hopping → cross into production
Discover that the access port negotiates trunking (DTP). Send double-tagged frames or set up a fake trunk to send packets into restricted VLANs.
- step 1 / 5
SCCM Network Access Account disclosure → privileged creds
Any authenticated user on a SCCM-managed endpoint can recover the Network Access Account credentials from WMI / client cache — and the NAA is usually over-privileged.
- step 1 / 4
WSUS over HTTP → push code to managed clients
Clients using an HTTP WSUS server can be MITM'd to receive an attacker-signed (but Microsoft-trusted) auxiliary update that executes arbitrary commands as SYSTEM.
- step 1 / 5
BadSuccessor (DMSA, 2025) → instant Domain Admin
Server 2025's Delegated Managed Service Accounts inherit the powers of any account listed in msDS-ManagedAccountPrecededByLink — letting an OU-admin escalate to DA without any patch chain.
- step 1 / 6
PetitPotam + ADCS ESC8 → Domain Controller takeover
Coerce a DC's machine account to authenticate to the attacker, relay that NTLM to the ADCS HTTP web-enrollment endpoint, and obtain a DC certificate for full domain compromise.
- step 1 / 5
DnsAdmins membership → SYSTEM on the DC
DnsAdmins members can load a DLL via the DNS service ServerLevelPluginDll registry value — the service runs as SYSTEM on the DC.
- step 1 / 5
RBCD abuse → SYSTEM on a domain host
A user with GenericAll/GenericWrite on a computer object writes msDS-AllowedToActOnBehalfOfOtherIdentity, then uses S4U2self/S4U2proxy to impersonate any user (including Administrator) on that host.
- step 1 / 6
ADCS ESC11 → certificate via RPC (no web enrollment)
When the CA's ICertPassage RPC interface allows NTLM without signing, relay any coerced auth directly to RPC and obtain a cert — bypasses HTTP-only mitigations.
- step 1 / 5
Group Policy Preferences cpassword → user takeover
Pre-MS14-025 GPPs left cpassword-encrypted credentials in SYSVOL with a published AES key. Any authenticated user can decrypt them.
- step 1 / 5
Shadow Credentials → PKINIT → NT hash
Where GenericWrite is held over a target, write a fake KeyCredentialLink (whfb-like) and authenticate via PKINIT to recover the target's NT hash.
- step 1 / 7
noPac / sAMAccountName spoofing → Domain Admin
Combine CVE-2021-42278 (sAMAccountName validation) and CVE-2021-42287 (PAC confusion) to impersonate a DC as a low-priv user.
- step 1 / 6
Cross-trust attack: child → parent forest via SID History
Forge an inter-realm TGT using a child domain's krbtgt and inject Enterprise Admins SID into SID History to traverse a non-quarantined trust.
- step 1 / 5
GenericWrite on Domain Admins → AddMember → DA
A misconfigured 'member' attribute write on a privileged group lets the attacker silently add themselves as a Domain Admin.
- step 1 / 7
SCCM site takeover via NTLM relay (Takeover-1)
Coerce the SCCM site server to authenticate, relay to MSSQL on the site database, and grant yourself Full Administrator inside SCCM.
- step 1 / 5
ADCS ESC1 → Domain Admin
A low-priv domain user discovers a certificate template that lets enrollees supply an arbitrary subjectAltName, enrolls a cert as Administrator, and authenticates via PKINIT.
- step 1 / 5
MachineAccountQuota abuse → RBCD takeover of a server
Default ms-DS-MachineAccountQuota = 10 lets any authenticated user create a computer account, which can then be used as the source principal in an RBCD attack.
- step 1 / 7
Post-Domain Admin persistence: Golden Ticket + DCShadow + AdminSDHolder
Once Domain Admin is achieved, plant layered persistence so a krbtgt rotation, password resets, and ACL clean-up do not all evict the attacker.
- step 1 / 6
WriteDACL on a privileged user → ForceChangePassword → takeover
Discover a misconfigured ACL that lets a low-priv user modify the ACL of a Tier-0 account, grant ForceChangePassword to themselves, reset the victim's password, and log in.
- step 1 / 6
MSSQL linked-server crawl → cross-host RCE
Linked-server trust chains in MSSQL let a low-priv login execute as a higher-priv login on a remote SQL host — and pivot recursively across the estate.
- step 1 / 5
GPO write rights → Immediate scheduled task → SYSTEM on OU
GenericWrite on a linked GPO (or write rights to its SYSVOL folder) lets you drop a ScheduledTasks.xml that fires as SYSTEM on every machine in the OU at the next gpupdate.
- step 2 / 7
Build-system implant → signed supply-chain backdoor (SolarWinds-class)
Compromise the target vendor's build server. A small implant rewrites a single source file at compile time — every official signed release downstream now ships the backdoor.
- step 2 / 5
Indirect prompt injection via RAG document
Attacker uploads a poisoned document to a customer wiki / SharePoint that the LLM ingests at query time. Injection fires when a privileged user later asks a question that retrieves the doc.
- step 2 / 5
Agent goal hijack via web search
An autonomous agent searches the web and reads tool output. Attacker SEO-poisons / posts a comment that, when fetched, contains 'NEW INSTRUCTION:' the agent obediently follows.
- step 2 / 5
GitHub Action tag mutation → silent supply-chain hijack
Target pins an action by tag (uses: org/action@v3). Compromise the action repo and move the v3 tag to a malicious commit — every workflow using it pulls in the backdoor.
- step 2 / 7
pull_request_target injection → secrets → cloud takeover
A GitHub Actions workflow runs on pull_request_target and checks out the PR's head SHA. The attacker's PR injects code that runs with the base repo's secrets, including a cloud deploy role.
- step 2 / 6
Entra app consent phishing → Global Admin equivalent
Phish a privileged user to consent to an OAuth app requesting Directory.ReadWrite.All + RoleManagement.ReadWrite.Directory — the app then grants itself Global Administrator.
- step 2 / 7
Unconstrained delegation → Capture DC TGT → DCSync
Compromise a host with TRUSTED_FOR_DELEGATION, coerce a DC to authenticate to it, harvest the DC's TGT from its LSASS, then DCSync.
- step 2 / 5
LAPS read → local admin on every endpoint
A delegated 'helpdesk' group gains read access to ms-Mcs-AdmPwd. Compromising any member of that group cascades to local admin on every LAPS-managed machine.
- step 3 / 6
Apple Pay Express Transit relay → high-value contactless fraud
Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.
- step 3 / 7
Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)
Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.
- step 3 / 6
Leaked legacy VPN credential → ransomware (Colonial-class)
A dormant VPN account whose password appeared in a third-party breach is still active and has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.
- step 3 / 5
ERC-4337 paymaster sponsor drain
A paymaster sponsors all UserOperations without per-user gas accounting. Spam tiny UserOps from many bundled addresses — paymaster pays the gas until its deposit hits zero.
- step 3 / 6
Reentrancy → drain vault contract
Vulnerable withdraw() sends ETH before updating balance. Attacker contract re-enters via fallback() until the vault is empty — the canonical DAO-2016 pattern.
- step 3 / 5
HMI default credentials → operations disruption
Wonderware / iFix HMI exposed to the corporate network with vendor-default credentials. Operators see attacker-controlled values + commands sent to PLCs through legit channels.
- step 3 / 6
iOS URL scheme hijack → OAuth code theft
Multiple apps register the same custom URL scheme — a rogue app installed alongside the target receives the OAuth callback containing the authorisation code, then exchanges it for tokens.
- step 3 / 6
Secret echoed to public build log → cloud takeover
A workflow accidentally runs `env` or `set -x` during debugging — the AWS access key is now in public CI logs and indexed by Google Cache / GitHub search.
- step 3 / 6
npm typosquat → developer workstation → corporate VPN
Publish a typosquat npm package; the developer's `npm install` runs the postinstall script, exfils SSH keys + VPN profile, then connects to the corporate network.
- step 3 / 5
NoSQL injection → auth bypass → admin
Login endpoint passes user-supplied JSON into a MongoDB query. Send {"$ne": null} to bypass the password check.
- step 4 / 5
Vesting beneficiary replace → silently drain stream
Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.
- step 4 / 5
Insider admin panel coercion → mass account takeover (Twitter 2020)
Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.
- step 4 / 6
z/OS TN3270 → RACF userID brute → mainframe shell
Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow predictable HR scheme. Brute-force passwords; many environments allow short / dictionary passwords for legacy reasons.
- step 4 / 5
Hardware wallet supply-chain tamper → pre-seeded seed
Intercept Trezor / Ledger / KeepKey in transit (or counterfeit on Amazon / eBay). Replace device with one that already has a known seed phrase the attacker controls — victim deposits, attacker drains.
- step 4 / 5
Compromised extension auto-update → fleet compromise
Take over a popular extension's developer account (credential stuffing on the store, abandoned email domain). Push a malicious version — every existing install runs attacker code on next launch.
- step 4 / 6
Cross-chain bridge validator-set bypass → mint wrapped tokens
Bridge's signature-set check is off-by-one (Nomad-class) or accepts a zero address (Ronin-class). Mint wrapped tokens on the destination chain without locking on the source.
- step 4 / 5
SIP extension brute → toll fraud / premium-rate exfil
Internet-exposed Asterisk / FreePBX with extensions whose password equals the extension number. Brute-force a few, place expensive international / premium-rate calls.
- step 4 / 6
Compromised CFO mailbox → invoice fraud → wire fraud
AITM phishing nets the CFO's M365 session. Attacker sets a mail rule to hide replies, edits a pending invoice's wire details, sends the modified PDF to AP from the legit mailbox.
- step 4 / 6
Exported ContentProvider → private data leak
App exports a ContentProvider for legitimate inter-app integration but forgets to enforce grantUri / signature permissions — a rogue installed app reads private auth tokens.
- step 4 / 6
MFA fatigue / prompt-bombing → M365 admin compromise
Attacker has the password (from breach / spray) but not MFA. Spam push approvals at 2 AM until the user taps yes out of habit — used in the Uber and 0ktapus breaches.
- step 4 / 5
PMKID attack → offline crack with no client interaction
WPA2 PMKID can be extracted from a single association attempt with the AP — no client needed. hcxdumptool + hashcat -m 22000 yields the PSK if it's weak.
- step 4 / 5
Evil twin + captive portal → credential harvest
Spoof the corporate SSID with a stronger signal and a captive portal that looks like the company AD login. Auto-connecting clients submit creds to the attacker page.
- step 4 / 6
Browser-in-the-Browser → credential theft on a trusted page
Render a fake SSO popup inside the attacker page that looks like a real OS browser window. Victim types their credentials into the attacker's DOM.
- step 4 / 7
Public bucket → CI/CD secret leak → cloud takeover
A public S3 bucket hosts a build artefact containing CI tokens / .env files. Use them to push to the prod CI/CD pipeline and gain a deploy role.
- step 4 / 6
Web cache poisoning → XSS → admin session hijack
An unkeyed header reflects into the response. Poison the cache with a payload, wait for an admin to fetch the cached page, exfiltrate their session.
- step 4 / 8
AS-REP roast → cracked user → Kerberoast → service-account admin
Anonymous attacker recovers a user password via AS-REP roasting, authenticates, kerberoasts a service account with weak password, and lands on a high-value server.
- step 5 / 5
Mifare Classic crack → cloned hotel key
Many hotel / corporate door systems still use Mifare Classic. Capture nonces during normal use, recover the Crypto-1 key with mfoc / mfcuk, write to a 'magic UID' card — full access to the property.
- step 5 / 6
Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)
Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- step 5 / 5
Renderer compromise → GPU process → vulnerable kernel driver
After renderer RCE, talk to the GPU process via IPC. GPU process sends ioctls to a vulnerable graphics driver — full kernel R/W; ring0 from a web page.
- step 5 / 6
FIDO2 caBLE hybrid → phone authenticator hijack
Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
- step 5 / 6
Slack token in CI log → DM history → vendor mailbox compromise
A CI run echoed a Slack xoxb-/xoxp- token. Use it to read DMs, harvest password-reset links and vendor invitations, pivot into the corporate mailbox.
- step 5 / 6
Citrix Bleed → steal authenticated session → MFA bypass
Send a long Host header to a vulnerable NetScaler — memory disclosure leaks an authenticated session token already past MFA. Replay the token to log into the corporate VPN.
§ What commonly comes next
- 01 BloodHound / SharpHound Enumeration (AD-BLOODHOUND · Discovery), seen 8×
- 02 Exfiltration Over C2 Channel (T1041 · Exfiltration), seen 8×
- 03 Account Discovery (T1087 · Discovery), seen 6×
- 04 Exchange Web Services (EWS) Exfil (M365-EWS-EXFIL · Collection), seen 5×
- 05 Internal Nmap Sweep (N-NMAP-INTERNAL · Discovery), seen 5×
- 06 Unsecured Credentials (T1552 · Credential Access), seen 3×
- 07 ARP Spoofing / Cache Poisoning (N-ARP-SPOOF · Credential Access), seen 2×
- 08 Account Manipulation (T1098 · Persistence), seen 2×