Pretexting
Plausible cover story (auditor, contractor, courier, fire marshal) that gets the attacker through human checks — usually combined with physical or phone access.
§ Where this technique fits
SE-PRETEXT is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 4 approved dossiers in the registry, at step 1.8 on average.
§ Dossiers chaining this technique
- step 1 / 6
  RFID badge clone → after-hours access
  Brush-pass a target employee with a long-range RFID reader, capture their HID/iCLASS card data, clone to a blank — return after hours to badge into restricted floors.
- step 2 / 6
  Apple Pay Express Transit relay → high-value contactless fraud
  Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.
- step 2 / 6
  Vishing → helpdesk MFA reset → account takeover
  Pose as a panicked employee locked out before a meeting. Helpdesk resets MFA based on partial PII (employee ID + date of birth from LinkedIn). Attacker registers their own factor.
- step 2 / 6
  USB drop in parking lot → HID payload → C2
  Drop branded-looking USB sticks near the target site. An employee plugs one in; a Rubber-Ducky-class HID device types a PowerShell payload that connects out to attacker C2.
§ What commonly comes next
- 01 · RFID / Badge Cloning · seen 1× · SE-RFID-CLONE · Initial Access
- 02 · User Execution · seen 1× · T1204 · Execution
- 03 · Valid Accounts · seen 1× · T1078 · Initial Access
- 04 · Vishing (Voice Phishing) · seen 1× · SE-VISHING · Initial Access