What starting position does this attack require?

The first step is Authenticate as compromised extension (T1078) — a initial access primitive. Assumed environment: target SIP server reachable on UDP/5060 (or TLS/5061) from the internet.

What is the final impact of this kill-chain?

The final step lands on Place high-value calls (VOIP-TOLL-FRAUD), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

SIP extension brute → toll fraud / premium-rate exfil

Internet-exposed Asterisk / FreePBX with extensions whose password equals the extension number. Bruteforce a few, place expensive international / premium-rate calls.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Initial Access

Authenticate as compromised extension

T1078 · Valid Accounts

Discovery

Enumerate valid extensions

VOIP-SIP-SCAN · SIP Scanning & Enumeration

Discovery

svmap / sipvicious — find SIP server

VOIP-SIP-SCAN · SIP Scanning & Enumeration

Credential Access

VOIP-SIP-BRUTE · SIP REGISTER Bruteforce

Impact

Place high-value calls

VOIP-TOLL-FRAUD · Toll Fraud / Call Forwarding Abuse

§ Context

Assumed environment: target SIP server reachable on UDP/5060 (or TLS/5061) from the internet. Operator hasn't enforced fail2ban / strong passwords / outbound destination ACLs.

§ Steps

01
Authenticate as compromised extensionInitial Access
T1078— Valid Accounts
02
Enumerate valid extensionsDiscovery
VOIP-SIP-SCAN— SIP Scanning & Enumeration
03
svmap / sipvicious — find SIP serverDiscovery
VOIP-SIP-SCAN— SIP Scanning & Enumeration
04
REGISTER bruteforceCredential Access
VOIP-SIP-BRUTE— SIP REGISTER Bruteforce
05
Place high-value callsImpact
VOIP-TOLL-FRAUD— Toll Fraud / Call Forwarding Abuse

§ References

T1078Valid Accounts

§ Frequently asked

What is the "SIP extension brute → toll fraud / premium-rate exfil" attack path?: Internet-exposed Asterisk / FreePBX with extensions whose password equals the extension number. Bruteforce a few, place expensive international / premium-rate calls. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Authenticate as compromised extension (T1078) — a initial access primitive. Assumed environment: target SIP server reachable on UDP/5060 (or TLS/5061) from the internet.
What is the final impact of this kill-chain?: The final step lands on Place high-value calls (VOIP-TOLL-FRAUD), which falls under Impact. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.