Techniques

Techniques utilized by threat actors and tools, as observed in various incidents

Name	Tags	Incidents	ATT&CK Tactic	Tech	Status
Abuse access to existing KMS key	Cloud		Credential Access (TA0006)		Stub
Abuse naming patterns to guess resource IDs or fingerprint resources	Cloud		Discovery (TA0007)		Stub
Abuse of cross-job access in CI/CD system	CI/CD				Stub
Abuse trust and privileges across accounts	Cloud	LAPSUS$ campaigns	Lateral Movement (TA0008)		Stub
Abusing exposed Docker socket	K8s	Kiss-A-Dog campaignOracleIV campaign	Initial Access (TA0001)	Docker	Stub
Add attacker-controlled IdP via ADFS access	AAD	APT29 targeting Microsoft 365	Lateral Movement (TA0008)		Stub
App Script impersonation	Cloud		Persistence (TA0003)		Stub
Appstream abuse	Cloud		Initial Access (TA0001)	AWS Appstream	Stub
Attach administrative role to account		DangerDev SES abuse incidentFrom refresh token theft to global admin			Stub
Auth token signing via ADFS access	AAD	APT29 targeting Microsoft 365	Lateral Movement (TA0008)		Stub
Auth token signing via Golden SAML	AAD	APT29 targeting Microsoft 365Solarigate: Solarwinds supply chain attackPeach Sandstorm targeting Azure	Lateral Movement (TA0008)Credential Access (TA0006)		Finalized
Azure AD abuse	CloudAAD	Stealing the LIGHTSHOW			Stub
Azure Arc abuse	Cloud	Peach Sandstorm targeting Azure	Persistence (TA0003)Execution (TA0002)	Azure Arc	Stub
Azure Batch abuse	Cloud	Cryptojacking via Azure Batch		Azure Batch	Stub
Azure cross-tenant synchronization backdoor	CloudAAD		Persistence (TA0003)		Stub
Azure lateral movement via cross-tenant synchronization	CloudAAD		Lateral Movement (TA0008)		Stub
Azure Run Commands abuse	Cloud	Scattered Spider Azure Run abuse	Execution (TA0002)		Stub
Backdoor AMI	Cloud		Initial Access (TA0001)		Stub
Backdoor Docker image	K8s	AmberSquid campaigneBPF Rootkit Targeting AWS and Linux Environments	Initial Access (TA0001)	Docker	Stub
Backdoor IaC (StackSet, Terraform, etc.)	Cloud		Initial Access (TA0001)		Stub
Backdoor Lambda Layer	Cloud		Initial Access (TA0001)	AWS Lambda	Stub
Bootkit	LinuxWindows		Persistence (TA0003)		Stub
Bring Your Own Vulnerable Driver	Windows	Agenda Ransomware Targets ESXi and vCenter ServersCrazyHunter Ransomware Group Targets Critical Sectors in Taiwan	Execution (TA0002)Privilege Escalation (TA0004)		Stub
Bucket / storage ransomware	CloudRansomware	BlackCat Azure Storage Account RansomOpCodefinger Ransomware Campaign Targeting S3 Buckets	Impact (TA0040)		Stub
Bucket name squatting attack	Cloud		Initial Access (TA0001)		Stub
cAdvisor abuse	App Misconfig.		Reconnaissance (TA0043)Credential Access (TA0006)	cAdvisor	Stub
CI/CD system enumeration	CI/CD		Discovery (TA0007)		Stub
Cleartext cloud keys abuse		Supply Chain Risk in Axis Autodesk Revit Plugin Due to Exposed Azure Storage Credentials			Not started
Cloud account password reset		Phishing campaign leading to Azure account takeover			Not started
Cloud API enumeration	Cloud	Leaked long-lived AWS credsLAPSUS$ campaignsDangerDev SES abuse incidentMuddled Libra campaigns (2024)LLMjacking via Laravel exploitationS3 RansomOp following long-term key exposureScylla LLMJacking campaignScattered Spider targeting Azure environment	Reconnaissance (TA0043)		Stub
Cloud compute cryptojacking	CloudK8s	Kiss-A-Dog campaignScarletEel campaign (Feb ‘23)RBAC BusterMisconfigured firewall to cryptojacking botnetScarletEel campaign (July ‘23)EleKtra-LeakLabrat GitLab campaignAmberSquid campaignDangerDev SES abuse incidentECS Fargate cryptojackingDero cryptojacking targeting K8sDERO cryptojacking campaign (2024)SeleniumGreed: Threat actors exploit exposed Selenium Grid services for CryptominingConfluence exploited for cryptojackingREF6138 campaignUltralytics compromiseKong image compromiseUSAID cryptojacking incidentSysrv Apache Druid cryptojackingLucifer Apache Druid cryptojacking	Impact (TA0040)		Featured
Cloud key compromise		Apple cloud key exposureBMW exposed cloud storageZenlayer exposed databaseFrom social engineering to cryptocurrency theft Football Australia exposed cloud keyAbusing management tooling for cloud accessPersonal local drive to AWS ransomwareThird party to cloud compromiseScylla LLMJacking campaignAttack abusing Amazon SESFrom social engineering to Lambda modificationJavaGhost SES abuseCompromised cloud keys exfiltrated to bucket	Credential Access (TA0006)		Stub
Cloud storage cryptojacking	Cloud		Impact (TA0040)		Finalized
Cloud to on-prem lateral movement		Third party to cloud compromiseSmishing into Entra onto VMWare ransomwareStorm-0501 attacking hybrid environments with ransomwareUNC2165 Targets Hybrid Environments with Ransomware			Not started
Cloud-init persistence	Cloud		Persistence (TA0003)		Stub
Cluster anonymous access	K8s	RBAC Buster	Initial Access (TA0001)		Stub
Command execution via Lambda		From social engineering to Lambda modification			Not started
Container enumeration	K8s	Commando Cat campaign	Discovery (TA0007)		Stub
Create an IAM Roles Anywhere trust anchor	Cloud		Initial Access (TA0001)		Stub
Create new application user		Cloudflare incident following Okta breachEarth Lamia Custom Toolkit Targets Multiple Sectors via Web Vulnerabilities			Stub
Create new cloud user	Cloud	RBAC BusterSIM-Swap to Data Leak on Dark WebDangerDev SES abuse incidentS3 data exfiltrationLeaked long-lived AWS credsScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)S3 RansomOp following long-term key exposureScattered Spider SaaS targeting (2023)Phishing campaign leading to Azure account takeoverFrom stolen cloud key to persistence-as-a-serviceGENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access Brokerage	Persistence (TA0003)		Stub
Create new local user	LinuxWindows	Commando Cat campaign	Persistence (TA0003)		Stub
Create or modify cloud key		From refresh token theft to global admin	Persistence (TA0003)Credential Access (TA0006)		Stub
Create or modify firewall or security group rules		Cosmic Wolf cloud activityDangerDev SES abuse incidentFrom password reset to data exfiltrationScattered Spider targeting GCP environmentEC2 Grouper campaign	Defense Evasion (TA0005)		Stub
Create SSH backdoor		SilentBob cryptomining campaignQubitstrike Crypto Mining and Rootkit CampaignCommando Cat campaignCRYSTALRAY: threat actors exploiting OSS toolsScattered Spider targeting GCP environmentOperation WindigoGelsemium’s Shift to Linux Malware with WolfsBane and FireWoodPlague PAM-Based Backdoor for LinuxDripDropper Malware Exploits Patched Apache ActiveMQ for Persistence on Cloud Linux SystemseBPF Rootkit Targeting AWS and Linux Environments	Persistence (TA0003)		Stub
Credential compromise via Infostealer infection		Otelier data breach			Not started
Credential harvesting from code repository	CI/CD	SIM-Swap to Data Leak on Dark WebEleKtra-LeakSisense breachRabbit AI exposed keys in codeMercedes-Benz source code exposureShinyHunters Ransomware Targeting Cloud Environmentstj-actions/changed-files supply chain attackZapier data breachxAI leaked API keyGhostAction campaignShai-Hulud: Ongoing Package Supply Chain Compromise Delivering Data-Stealing Malware	Credential Access (TA0006)		Stub
Credential stuffing	CloudLinux	Fast Company incidentNew Relic incident (November 2023)	Initial Access (TA0001)		Stub
Credential theft		SilentBob cryptomining campaignQubitstrike Crypto Mining and Rootkit CampaignLAPSUS$ campaignsFBot toolkit targets cloud environmentsCommando Cat campaignFrom S3 bucket to Jenkins credential dumpAffirmed Networks breachLLMjacking via Laravel exploitationAtlas Lion phishing campaignSmishing into Entra onto VMWare ransomwareScattered Spider SaaS targeting (2024)CRYSTALRAY: threat actors exploiting OSS toolsRansomware operators exploit ESXi vulnerabilityScattered Spider Abuses Cloud Management AgentShinyHunters Ransomware Targeting Cloud EnvironmentsExtortion Campaign Exploiting Exposed Environment VariableAPT29 Targeting Zimbra and TeamCity ServersEarth Simnavaz (APT34) Targeting UAE and Gulf RegionsUNC5820 exploiting FortiManager flawBrowserStack Data BreachDropbox Github breachMozi Botnet Using AndroxGh0st Toolkit to Target Cloud EnvironmentsSharePoint Vulnerability Exploited in-the-WildEarth Kasha’s Campaign Exploiting Fortinet VulnerabilityVolkswagen data leak through Spring Boot Actuator misconfigurationPhishing campaign leading to Azure account takeoverStorm-0501 attacking hybrid environments with ransomwareBapak Exploiting Stolen Cloud Access KeysTRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen CredentialsSeashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data ExfiltrationRevivalStone Campaign by WinntiZapier data breachWeaver Ant data exfiltration campaignAtlas Lion Campaign Exploits Device Enrollment and MFA for PersistenceGrafana GitHub Action attempted supply chain attackRspack supply chain attackUNC5174 Exploits Ivanti CSA Zero-Days in “Houken” CampaignAzure Account Hijack via Stolen TokensAWS CodeBuild Vulnerability Allows Build Process Secrets ExtractionUAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source ToolsGENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access BrokerageCompromised Salesloft Drift Tokens Enable Data Theft Across IntegrationsGhostAction campaignShai-Hulud: Ongoing Package Supply Chain Compromise Delivering Data-Stealing MalwareBRICKSTORM Espionage Backdoor Targeting U.S. Tech and Legal SectorsIIS Backdoor Exploiting Exposed ASP.NET Machine Keys	Credential Access (TA0006)		Stub
Cron persistence		From PHP exploitation to AWS lateral movementCoinStomp campaignFrom PHP vuln to Sliver execution via cronDiicot Campaign Targeting Exposed SSHMexals cryptojacking campaignCPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for CryptominingUNC5174 Linux Espionage Campaign	Persistence (TA0003)		Stub
Dangling DNS takeover	Network	fsevents supply chain attackMasterCard Fixes Five-Year-Old DNS Typo MisconfigurationCDC dangling domain hijack	Resource Development (TA0042)		Stub
Data exfiltration from cloud storage		S3 data exfiltrationS3 ransomware scam			Stub
Database ransomware	Ransomware	DarkRadiation campaign	Impact (TA0040)		Stub
DCSync attack		Horde Panda targeting South Asian telecommunications provider			Not started
DDoS attack		REF6138 campaignLangflow Vulnerability Exploited to Deliver Flodrix Botnet			Not started
Delete compute snapshot		Scattered Spider targeting GCP environment			Not started
Direct Kernel object manipulation					Not started
Disable anti-virus		UNC2165 Targets Hybrid Environments with Ransomware			Not started
Disable logging	Cloud	Ubiquiti incidentScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)Cloud lateral movement via Citrix cookieAPT29 targeting Microsoft 365	Defense Evasion (TA0005)		Stub
Discover origin IP of fronted domain	Network	Fast Company incident	Discovery (TA0007)		Stub
Disk Wipe		DarkRadiation campaign	Impact (TA0040)		Stub
DLL search order hijacking			Execution (TA0002)		Stub
DLL Side-Loading		Earth Kasha’s Campaign Exploiting Fortinet VulnerabilityEarth Preta’s Campaign Abusing MAVInject to Bypass Detection			Not started
DNS tunneling		Msupedge Backdoor Targeting Taiwanese UniversityeBPF Rootkit Targeting AWS and Linux Environments			Not started
DNS-over-HTTPS (DoH)		Denonia campaign	Command and Control (TA0011)		Stub
Domain registration abuse		DangerDev SES abuse incident			Stub
EDR whitelisting		Smishing into Entra onto VMWare ransomware			Not started
Email C2		New Relic incident (November 2023)			Stub
Email server hijacking	Supply Chain	Cyber Toufan Linux destruction	Impact (TA0040)	Microsoft Exchange	Stub
Erase logs	Cloud	Cloud lateral movement via Citrix cookieAWS Breach at a SaaS CompanyIIS Backdoor Exploiting Exposed ASP.NET Machine Keys	Defense Evasion (TA0005)		Stub
Escape to host via cgroups release_agent	Linux	Gin Docker cryptojacking campaign	Privilege Escalation (TA0004)		Stub
Evasive username patterns		DangerDev SES abuse incident			Stub
Execute Command on VM using Custom Script Extension			Execution (TA0002)		Stub
Exfiltration via AWS DataSync	Cloud	Muddled Libra campaigns (2024)	Exfiltration (TA0010)		Stub
Exfiltration via AWS Transfer	Cloud	Muddled Libra campaigns (2024)	Exfiltration (TA0010)		Stub
Exploiting BPF load to escape to host	K8s		Privilege Escalation (TA0004)		Stub
Exploiting host mount to escape to host	K8s	Kiss-A-Dog campaignDoki cryptojacking campaign	Privilege Escalation (TA0004)		Stub
Export disk via SAS URL	Cloud		Exfiltration (TA0010)		Stub
Exposed ComfyUI abuse		ComfyUI exploitation campaign			Not started
Exposed environment config abuse		DepositFiles exposed config fileAndroxGh0st usage (2024)	Initial Access (TA0001)		Stub
Exposed git config files abuse		EMERALDWHALE Attacks Targeting Exposed Git Config FilesGame Freak data leak	Credential Access (TA0006)Reconnaissance (TA0043)		Stub
Exposed resource abuse					Not started
Exposed resource abuse		AWS Network Exploitation and Ransomware DetonationGENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access BrokerageeBPF Rootkit Targeting AWS and Linux Environments			Not started
Extract credentials from resource tags	Cloud		Credential Access (TA0006)Lateral Movement (TA0008)		Stub
FTP access		Meow database server campaign	Initial Access (TA0001)		Stub
Gift card fraud		Atlas Lion phishing campaign			Not started
Git commit timestamp forgery		Node.js repository CI/CD vulnerable to RCE			Not started
Global socket communication	Network	Commando Cat campaign	Command and Control (TA0011)		Stub
IAM privilege escalation	CloudAuthentication		Privilege Escalation (TA0004)		Stub
IIS native module malware		Larva-25003: IIS Native Module Malware Used in Targeted Web Server AttacksIIS Backdoor Exploiting Exposed ASP.NET Machine Keys			Not started
Image dependency confusion	Supply ChainK8s		Initial Access (TA0001)		Stub
IMDS abuse	Cloud	ScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)SilentBob cryptomining campaignFrom PHP exploitation to AWS lateral movementMisconfigured firewall to cryptojacking botnetCapital One incident (March 2019)UNC2903 campaignsSQL Server to cloud lateral movementFrom PHP vuln to Sliver execution via cronFrom web app exploitation to Chisel tunnelingCommando Cat campaignHugging Face cross-tenant accessUS DoD NIPRNet access via Atlassian SSRFGENESIS PANDA's Cloud Intrusions: Persistent Control Plane Exploitation and Access Brokerage	Credential Access (TA0006)		Featured
Impersonate GCP Service Accounts			Privilege Escalation (TA0004)		Stub
In-band signaling					Not started
Intune abuse		Stealing the LIGHTSHOW	Execution (TA0002)Persistence (TA0003)		Stub
Jira ScriptRunner abuse		Cloudflare incident following Okta breach			Stub
Jupyter Notebook misconfig abuse	App Misconfig.	Jupyter Notebook cred harvesting campaignMeow Jupyter Notebook campaignPanamorfi campaignSports Piracy Exploiting Misconfigured Jupyter ServersExposed Jupyter Notebooks Targeted for Cryptomining	Initial Access (TA0001)Privilege Escalation (TA0004)	Jupyter Notebook	Stub
Jupyter Notebook ransomware	Ransomware		Impact (TA0040)	Jupyter Notebook	Stub
K8s anonymous auth abuse	K8sAuthentication	Dero cryptojacking targeting K8sDERO cryptojacking campaign (2024)	Initial Access (TA0001)	Kubernetes	Stub
Lambda persistence	Cloud		Persistence (TA0003)	AWS Lambda	Stub
Launch new cloud resources		DangerDev SES abuse incidentSmishing into Entra onto VMWare ransomwareFrom password reset to data exfiltrationScattered Spider targeting GCP environment			Stub
Linux fileless malware	Linux	PHP Targeted with Glutton backdoorCPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for Cryptomining	Persistence (TA0003)		Stub
LLM Prompt Injection	AI/ML		Initial Access (TA0001)		Stub
LLMjacking		LLMjacking via Laravel exploitationScylla LLMJacking campaignLLM Hijacking Targeting AWS			Stub
Local privilege escalation via vulnerability exploitation		BORN Group supply chain attack			Not started
LOLBin abuse	Windows	Peach Sandstorm targeting AzureWidespread TeamCity exploitation (March ‘24)	Defense Evasion (TA0005)		Stub
LSASS dumping	Windows	Storm-0558 phishing campaignsUAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source Tools	Credential Access (TA0006)Privilege Escalation (TA0004)		Stub
Malicious AI model	AI/ML	Hugging Face cross-tenant access	ML Attack Staging (AML.TA0001)		Stub
Malicious pull request submission		AWS CodeBuild Vulnerability Allows Build Process Secrets Extraction			Not started
Malicious Terraform provider or module	Supply ChainCloud		Initial Access (TA0001)		Stub
Malvertising					Not started
MFA bypass		CircleCI incidentTwilio incidentTRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen CredentialsFrom stolen cloud key to persistence-as-a-serviceAkira Ransomware Targeting Critical Vulnerability in SonicWall SSLVPN	Initial Access (TA0001)		Stub
MFA enrollment	Authentication	APT29 targeting Microsoft 365Atlas Lion phishing campaignSmishing into Entra onto VMWare ransomwareScattered Spider SaaS targeting (2023)Scattered Spider targeting Azure environmentPhishing campaign leading to Azure account takeoverAtlas Lion Campaign Exploits Device Enrollment and MFA for PersistenceAzure Account Hijack via Stolen Tokens	Persistence (TA0003)		Stub
MFA prompt spam	AuthenticationSocial Eng.		Initial Access (TA0001)		Stub
Misconfigured Apache Hadoop abuse	App Misconfig.	Lucifer Botnet targeting HadoopRedis, Hadoop, and Docker exploitationDreambus campaign (2021)		Apache Hadoop	Stub
Misconfigured Argo abuse	App Misconfig.		Initial Access (TA0001)	Argo CD	Stub
Misconfigured Consul abuse	App Misconfig.	Qubitstrike Crypto Mining and Rootkit CampaignDreambus campaign (2021)	Initial Access (TA0001)	Hashicorp Consul	Stub
Misconfigured DB abuse	App Misconfig.	Meow database server campaignCPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for Cryptomining	Initial Access (TA0001)	PostgreSQL	Stub
Misconfigured Docker abuse	App Misconfig.	Redis, Hadoop, and Docker exploitationKinsing campaigns (2020)TeamTNT’s Docker Gatling Gun CampaignGafgyt Malware Targeting Misconfigured Docker ServersDocker Swarm and K8s cryptojacking campaign	Initial Access (TA0001)	Docker	Stub
Misconfigured Gitea Abuse	App Misconfig.	Cryptojacking Campaign Targets Misconfigured DevOps Tools	Initial Access (TA0001)Privilege Escalation (TA0004)	Gitea	Finalized
Misconfigured GitHub Action abuse		Grafana GitHub Action attempted supply chain attackGhostAction campaign			Not started
Misconfigured GitHub Runner abuse		Backdoored self-hosted GitHub Runner			Not started
Misconfigured KubeFlow abuse	App Misconfig.K8s		Initial Access (TA0001)	KubeFlow	Stub
Misconfigured Nomad abuse		Cryptojacking Campaign Targets Misconfigured DevOps Tools			Not started
Misconfigured OIDC service account abuse	CloudCI/CD		Initial Access (TA0001)Credential Access (TA0006)		Featured
Misconfigured PostgreSQL abuse		Kinsing campaigns (2023-2024)Dreambus campaign (2021)PG_MEM Malware Exploiting Misconfigured PostreSQL InstancesSoco404 Cryptomining Campaign Exploits PostgreSQL and Cloud Misconfigurations			Not started
Misconfigured Power Pages abuse	Cloud		Exfiltration (TA0010)	Microsoft Power Pages	Stub
Misconfigured Redis abuse	App Misconfig.	P2PInfect campaignSkidMap targeting RedisMigo cryptominer targeting RedisRedis, Hadoop, and Docker exploitationHeadCrab campaignDreambus campaign (2021)RedisRaider Linux Cryptojacking Campaign Targets Redis Servers	Initial Access (TA0001)	Redis	Stub
Misconfigured Selenium Grid abuse	App Misconfig.	SeleniumGreed: Threat actors exploit exposed Selenium Grid services for CryptominingCampaign targeting Selenium Grid for cryptomining	Initial Access (TA0001)	Selenium Grid	Stub
Misconfigured SSH abuse	LinuxOS Misconfig.NetworkAuthentication	ChinaZ campaignsDiicot Campaign Targeting Linux Environments	Initial Access (TA0001)Lateral Movement (TA0008)		Featured
Misconfigured WebLogic abuse		Hadooken Malware Targeting Weblogic Servers			Not started
Misconfigured Wordpress abuse	App Misconfig.	Meson Network cryptojacking campaign	Initial Access (TA0001)	WordPress	Stub
Modify compute startup script		Scattered Spider targeting GCP environment			Not started
Modify existing IAM user or role	Cloud	DangerDev SES abuse incidentFrom stolen cloud key to persistence-as-a-service	Persistence (TA0003)		Stub
Modify VPC / subnet / security group configuration	Cloud		Persistence (TA0003)		Stub
Network lateral movement		CRYSTALRAY: threat actors exploiting OSS toolsRansomware operators exploit ESXi vulnerabilityAPT28 Targeting Print Spooler Vulnerability for GooseEgg DeploymentBORN Group supply chain attackHorde Panda targeting South Asian telecommunications provider SharePoint Vulnerability Exploited in-the-WildDocker Swarm and K8s cryptojacking campaignCampaign targeting exposed FortiGate firewall management interfacesRevivalStone Campaign by WinntiBPFDoor’s Hidden Controller Targets AMEA SectorsAWS Breach at a SaaS CompanyUTG-Q-015 Exploits 0-Days for Espionage in AsiaUNC5174 Exploits Ivanti CSA Zero-Days in “Houken” CampaignAWS Data Exfiltration and Attempted Ransomware			Not started
OAuth app creation		OAuth applications to deploy VMs for cryptominingMicrosoft email exfiltration by Nobelium	Persistence (TA0003)		Stub
OAuth app hijack		OAuth applications to deploy VMs for cryptominingMicrosoft email exfiltration by Nobelium	Persistence (TA0003)		Stub
On-prem to cloud lateral movement		From social engineering to Lambda modificationSilk Typhoon Targeting IT and Cloud ApplicationsStorm-0501 Deploys Cloud-Based Ransomware			Not started
OS password reset		Scattered Spider targeting GCP environment			Not started
OverPass-The-Hash		Cleo Vulnerabilities Targeted by Cl0p Ransomware			Not started
Package dependency confusion	Supply ChainCI/CD	Multiple organizations vulnerable to dependency confusionIvanti supply chain attack via compromised libraryPyTorch-nightly torchtriton dependency compromise	Initial Access (TA0001)Execution (TA0002)	npmPyPI	Finalized
Package hijacking		Package hijacking redteam opNx Package Supply Chain Compromise Delivers Data-Stealing Malware	Initial Access (TA0001)		Stub
Package Starjacking		Cloud tools imitation campaign	Initial Access (TA0001)		Stub
Package typosquatting		Cloud tools imitation campaignRspack supply chain attack	Initial Access (TA0001)		Stub
Password bruteforcing		Trigona targeting MSSQL serversGoBruteforcer campaignFBot toolkit targets cloud environmentsRE#TURGENCE MSSQL Server RansomOpMimic used by Trigona operatorsRUBYCARP: Botnet Exploiting Vulnerabilities for CryptoTargetCompany Abusing MSSQL Servers for RansomwareGafgyt Malware Targeting Cloud EnvironmentsPG_MEM Malware Exploiting Misconfigured PostreSQL InstancesPrometei campaignCPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for CryptominingUTG-Q-015 Exploits 0-Days for Espionage in AsiaSonicWall MySonicWall Cloud Backup File Security Incident	Initial Access (TA0001)		Stub
Password spraying	CredentialsAuthentication	Peach Sandstorm targeting AzureMicrosoft email exfiltration by NobeliumSmishing into Entra onto VMWare ransomwareAPT29 Targeting Zimbra and TeamCity ServersUSAID cryptojacking incidentPassword spray attack leads to containers being used for cryptominingTeamFiltration Account Takeover Campaign	Credential Access (TA0006)Initial Access (TA0001)		Stub
Persistence via AI service backend	CloudAI/ML		Persistence (TA0003)		Stub
Persistence via udev					Not started
Persistence via VM user data	Cloud		Persistence (TA0003)		Stub
Phishing		Storm-0558 phishing campaignsRUBYCARP: Botnet Exploiting Vulnerabilities for CryptoGitHub certificate theft incidentAtlas Lion phishing campaignPersonal local drive to AWS ransomwareScattered Spider SaaS targeting (2023)RomCom exploiting Word vulnerability in campaign targeting government entitiesMicrosoft Smartscreen Vulnerability Exploited by Water HydraWindows SmartScreen vulnerability exploited by Mispadu trojanScattered Spider Abuses Cloud Management AgentTriad Nexus: Funnull malicious campaignDropbox Github breachEarth Kasha’s Campaign Exploiting Fortinet VulnerabilityFrom social engineering to Lambda modificationBlack Basta Exploiting Vulnerabilities in Multiple ProductsKiss-A-Dog campaignUTG-Q-015 Exploits 0-Days for Espionage in AsiaSupply Chain Attack on npm Packages via Maintainer Phishing	Initial Access (TA0001)		Stub
Poison AI training data	AI/ML		Resource Development (TA0042)Persistence (TA0003)		Stub
Policy simulation		DangerDev SES abuse incident			Stub
Process injection		Earth Preta’s Campaign Abusing MAVInject to Bypass DetectionOperation LongFangPassiveNeuron Campaign: Espionage Campaign Targeting Windows Server Environments			Not started
Propagation via Kubelet	K8s		Lateral Movement (TA0008)	Kubernetes	Stub
Proxyjacking		Labrat GitLab campaign9hits Docker campaignCampaign targeting Selenium Grid for cryptomining	Impact (TA0040)		Stub
Public exposure abuse	Cloud	Reuters leaky ElasticSearch DBScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)K8s targeted via OpenMetadata exploitationExploitation in the wild of Aviatrix Controller RCEOperation LongFang	Initial Access (TA0001)		Stub
Public malicious container image		ECS Fargate cryptojackingTeamTNT’s Docker Gatling Gun CampaignMulti-Layered Cryptojacking via Docker			Stub
pwn request	CI/CD		Initial Access (TA0001)	GitHub	Stub
Redis-as-a-backdoor	LinuxCloud	Kiss-A-Dog campaign	Persistence (TA0003)	Redis	Stub
Refresh token compromise	Authentication	From refresh token theft to global admin	Credential Access (TA0006)		Stub
Register self-hosted runner	CI/CD		Privilege Escalation (TA0004)	GitHub	Stub
Registry secret scanning	Credentials	Python infrastructure leaked access token	Reconnaissance (TA0043)Credential Access (TA0006)		Stub
Remotely execute commands or scripts on a VM		DarkRadiation campaign	Execution (TA0002)		Stub
Repo encryption for extortion		Gitloker campaign			Stub
Repojacking	Supply Chain		Initial Access (TA0001)		Stub
Repository webhook abuse	CI/CDApp Misconfig.Network		Initial Access (TA0001)	GitHubTeamCityJenkins	Stub
Resource enumeration		AWS Breach at a SaaS CompanyTeamFiltration Account Takeover Campaign			Not started
Resource injection in CloudFormation template	Cloud		Execution (TA0002)	AWS CloudFormation	Stub
Retrieve EC2 Password Data	Cloud		Credential Access (TA0006)		Stub
Reverse DNS manipulation		ByBit hack			Not started
Reverse shell		CoinStomp campaignCloud lateral movement via Citrix cookieFrom code commit to production takeoverSilent Skimmer Attacks Exploiting Telerik UI to Steal Payment DataDiicot Campaign Targeting Linux EnvironmentsMalicious AI Models Bypass Picklescan DetectionBPFDoor’s Hidden Controller Targets AMEA SectorsIvanti EPMM RCE Vulnerability Chain Exploited in the WildUNC5174 Exploits Ivanti CSA Zero-Days in “Houken” Campaign	Execution (TA0002)		Stub
Rootkit - LD_PRELOAD		DarkRadiation campaign	Persistence (TA0003)Execution (TA0002)Privilege Escalation (TA0004)Defense Evasion (TA0005)		Stub
Script injection into CICD workflow	Supply ChainCI/CD	Ultralytics compromiseKong image compromise	Initial Access (TA0001)	GitHubGitLab	Not started
Serial port abuse		SIM swapping to serial port abuseScattered Spider SaaS targeting (2023)			Stub
Serverless execution	Cloud	Denonia campaign	Execution (TA0002)	AWS Lambda	Stub
SES abuse for spam or phishing		DangerDev SES abuse incidentJavaGhost SES abuse	Impact (TA0040)		Stub
SES enumeration		From stolen cloud key to persistence-as-a-service			Not started
Session hijacking		MITRE breach via Ivanti Connect Secure			Stub
Share compromised resources to an external account	Cloud	DangerDev SES abuse incident	Exfiltration (TA0010)Persistence (TA0003)		Stub
SIM swap scam		SIM-Swap to Data Leak on Dark WebScattered Spider SaaS targeting (2023)Scattered Spider SaaS targeting (2024)	Initial Access (TA0001)		Stub
Slopsquatting	Supply Chain		Initial Access (TA0001)Resource Development (TA0042)	npmPyPI	Stub
Smishing (SMS phishing)		Atlas Lion phishing campaignSmishing into Entra onto VMWare ransomwareScattered Spider SaaS targeting (2023)Scattered Spider SaaS targeting (2024)			Stub
SNS abuse for spam or phishing	Cloud			Amazon SNS	Stub
Sockpuppet infiltration	Social Eng.	XZ Utils backdoor incident	Initial Access (TA0001)		Stub
Spearphishing		Retool hackEarth Preta’s Campaign Abusing MAVInject to Bypass Detection	Initial Access (TA0001)		Stub
Spring Boot Actuator abuse	App Misconfig.		Initial Access (TA0001)	Spring Boot	Stub
SQL commands	App Misconfig.	SQL Server to cloud lateral movement	Execution (TA0002)	MySQLMicrosoft SQL Server	Stub
SQL injection	App Misconfig.	GambleForce SQL injection campaignSQL Server to cloud lateral movementRedJuliett Exploiting VPN and Firewall VulnerabilitiesBoolka campaignRevivalStone Campaign by Winnti	Initial Access (TA0001)	MySQLMicrosoft SQL Server	Stub
SSH bruteforcing		Gafgyt Malware Targeting Cloud EnvironmentsOperation VelesDiicot Campaign Targeting Exposed SSHMexals cryptojacking campaignDiicot Campaign Targeting Linux EnvironmentsLinux SSH Servers Compromised to Deploy Proxies			Not started
SSH key compromise		BORN Group supply chain attack			Not started
SSH propagation		Dreambus campaign (2021)S3 data exfiltrationSSH-Snake Confluence targeting campaign	Lateral Movement (TA0008)		Stub
SSM document phishing	Social Eng.		Initial Access (TA0001)		Stub
SSM misconfiguration abuse		Cyberoam breach (2018)			Not started
SSM orchestration abuse		From PHP exploitation to AWS lateral movement			Stub
SSM-facilitated remote desktop connection	Cloud		Lateral Movement (TA0008)		Stub
SSRF		Misconfigured firewall to cryptojacking botnetCapital One incident (March 2019)UNC2903 campaignsUS DoD NIPRNet access via Atlassian SSRF	Initial Access (TA0001)		Stub
Steal EC2 Instance Credentials	Cloud	SilentBob cryptomining campaign	Credential Access (TA0006)		Stub
Storage Denial of Wallet amplification attack	CloudNetwork		Impact (TA0040)	S3 Bucket	Stub
Subdomain takeover		Krpano XSS exploitation campaign			Not started
Supply Chain Compromise	Supply Chain	Triad Nexus: Funnull malicious campaignSupply Chain Attack on lottie-playerUltralytics compromiseKong image compromiseDogWifTool supply chain attackMalicious AI Models Bypass Picklescan DetectionSupply Chain Compromise of rand-user-agent: Obfuscated RAT with C2 Communication and File ExfiltrationSolana web3.js Supply Chain AttackDragonForce Exploits SimpleHelp Vulnerabilities in Ransomware CampaignNPM Supply Chain Attack Compromises 16 Popular React Native and GlueStack PackagesNx Package Supply Chain Compromise Delivers Data-Stealing MalwareQix npm package supply chain compromiseShai-Hulud: Ongoing Package Supply Chain Compromise Delivering Data-Stealing MalwareUNC3379 npm supply chain attacksSupply Chain Risk in Axis Autodesk Revit Plugin Due to Exposed Azure Storage Credentials	Initial Access (TA0001)		Not started
Thread impersonation to escape to host	Linux	Siloscape campaign	Privilege Escalation (TA0004)		Stub
Timestomping		CoinStomp campaignFrom WSO2 RCE to SSH lateral movement	Defense Evasion (TA0005)		Stub
Token forgery		Microsoft signing key compromiseIn-Memory IIS Attacks via View State Deserialization	Initial Access (TA0001)Credential Access (TA0006)		Stub
TOR anonymization		Peach Sandstorm targeting AzureMicrosoft signing key compromiseCyber Toufan Linux destructionSiloscape campaign	Command and Control (TA0011)Defense Evasion (TA0005)		Stub
Traffic routing through residential proxy network	Network	Microsoft email exfiltration by Nobelium	Defense Evasion (TA0005)		Stub
Trojanized DLLs		Weaver Ant data exfiltration campaign			Not started
Trusted technologies abuse		State-Sponsored APT Abuse Visual Studio Code in Attacks			Not started
UPX packing		Campaign targeting Selenium Grid for cryptominingDiicot Campaign Targeting Exposed SSHMexals cryptojacking campaignCPU_HU: Malicious Campaign Targeting Misconfigured PostgreSQL Servers for CryptominingExposed Jupyter Notebooks Targeted for Cryptomining			Not started
Use DNS for exfiltration	Cloud	SQL Server to cloud lateral movement	Exfiltration (TA0010)		Stub
Valid creds abuse		Rollbar hackSnowflake compromised creds abuse campaignRansomware operators exploit ESXi vulnerabilityScattered Spider Abuses Cloud Management AgentShinyHunters Ransomware Targeting Cloud EnvironmentsExtortion Campaign Exploiting Exposed Environment VariableStorm-0501 Targeting Hybrid Environments with RansomwareVeeam Vulnerability Exploited by Akira and Fog RansomwareDropbox Github breachCleo Vulnerabilities Targeted by Cl0p RansomwareVolkswagen data leak through Spring Boot Actuator misconfigurationPhishing campaign leading to Azure account takeoverBapak Exploiting Stolen Cloud Access KeysTRIPLESTRENGTH: Cloud Account Hijacking and Cryptocurrency Mining via Stolen CredentialsCode Injection Attacks Exploiting Publicly Disclosed ASP.NET KeysAtlas Lion Campaign Exploits Device Enrollment and MFA for PersistenceAWS Breach at a SaaS CompanyCompromised cloud keys exfiltrated to bucketAzure Account Hijack via Stolen TokensAWS Data Exfiltration and Attempted RansomwareCompromised Salesloft Drift Tokens Enable Data Theft Across IntegrationsShai-Hulud: Ongoing Package Supply Chain Compromise Delivering Data-Stealing MalwareBRICKSTORM Espionage Backdoor Targeting U.S. Tech and Legal SectorsPassiveNeuron Campaign: Espionage Campaign Targeting Windows Server EnvironmentsTata Motors Hardcoded AWS Keys and API Tokens Exposed	Initial Access (TA0001)Credential Access (TA0006)		Stub
Vishing		Scattered Spider targeting Azure environment			Not started
VM extension abuse		SIM swapping to serial port abuse	Privilege Escalation (TA0004)		Stub
VPN anonymization		New Relic incident (November 2023)AWS Breach at a SaaS CompanyUNC5174 Exploits Ivanti CSA Zero-Days in “Houken” Campaign			Stub
Vulnerability exploitation	Network	Apache server Cryptojacking with Cobalt StrikeProphet Spider campaignAndariel exploiting Apache ActiveMQGoTitan ActiveMQ campaignLAPSUS$ campaignsP2PInfect campaign8820 Gang targeting WebLogicTrigona targeting MSSQL serversRE#TURGENCE MSSQL Server RansomOpMimic used by Trigona operatorsLucifer Botnet targeting HadoopC3Pool mining via Confluence vulnerabilityz0Miner targeting WebLogic serversMeson Network cryptojacking campaignShadowSyndicate aiohttp exploitationUNC5174 ScreenConnect and F5 BIG-IP exploitationRUBYCARP: Botnet Exploiting Vulnerabilities for CryptoK8s targeted via OpenMetadata exploitationKinsing campaigns (2020)Redigo campaignTargetCompany Abusing MSSQL Servers for RansomwareKinsing targeting cloud serversRedTail Cryptomining campaign Muhstik campaignRedJuliett Exploiting VPN and Firewall Vulnerabilities8220 Gang Exploiting WebLogic Vulnerabilities for CryptojackingCRYSTALRAY: threat actors exploiting OSS toolsRansomware operators exploit ESXi vulnerabilityDama webshell deployment via ThinkPHP exploitationRomCom exploiting Word vulnerability in campaign targeting government entitiesMicrosoft Smartscreen Vulnerability Exploited by Water HydraWindows SmartScreen vulnerability exploited by Mispadu trojanArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0dayAPT28 Targeting Print Spooler Vulnerability for GooseEgg DeploymentRCE Vulnerability in PHP CGI Exploited by TellYouThePassMirai Botnet Exploiting Apache OFBiz VulnerabilityGodzilla Backdoor Exploiting Confluence VulnerabilityDragonRank Targeting IIS Web ServersUNC1860 Attacks Targeting the Middle EastStorm-0501 Targeting Hybrid Environments with Ransomwareperfctl Malware Targeting LinuxVeeam Vulnerability Exploited by Akira and Fog RansomwareAPT29 Targeting Zimbra and TeamCity ServersEarth Simnavaz (APT34) Targeting UAE and Gulf RegionsUNC5820 exploiting FortiManager flawBrowserStack Data BreachMozi Botnet Using AndroxGh0st Toolkit to Target Cloud EnvironmentsPrometei campaignRCE Vulnerability in PAN-OS Exploited in-the-WildBrazenBamboo Weaponizes FortiClient Vulnerability to Steal CredentialsEarth Kasha’s Campaign Exploiting Fortinet VulnerabilityState-Sponsored APT Abuse Visual Studio Code in AttacksMauri Ransomware Exploiting Apache ActiveMQ Cleo Vulnerabilities Targeted by Cl0p RansomwareByte Federal Data Breach via Gitlab VulnerabilityRCE Vulnerability in Apache Struts Targeted by AttackersUS Treasury breach via BeyondTrust supply chain attackExploitation in the wild of Aviatrix Controller RCECampaign targeting exposed FortiGate firewall management interfacesSeashell Blizzard Subgroup's Campaign Exploiting Vulnerabilities for Data ExfiltrationBlack Basta Exploiting Vulnerabilities in Multiple ProductsSilk Typhoon Targeting IT and Cloud ApplicationsPHP-CGI Vulnerability Exploited in Attacks Targeting JapanOperation LongFangOracle Cloud Potential Supply Chain BreachKrpano XSS exploitation campaignCritical Ivanti Connect Secure Vulnerability Exploited by China-linked ActorSAP NetWeaver Visual Composer exploitation campaignMimo Exploits Craft CMS RCE to Deploy Cryptominer and Proxyware in Coordinated CampaignIvanti EPMM RCE Vulnerability Chain Exploited in the WildCoordinated One-Day Cloud Scanning Operation Targets 75 Exposure PointsDragonForce Exploits SimpleHelp Vulnerabilities in Ransomware CampaignEarth Lamia Custom Toolkit Targets Multiple Sectors via Web VulnerabilitiesUTG-Q-015 Exploits 0-Days for Espionage in AsiaLangflow Vulnerability Exploited to Deliver Flodrix BotnetAttacks on Korean IIS & Linux ServersUNC5174 Exploits Ivanti CSA Zero-Days in “Houken” CampaignLinuxsys Cryptominer CampaignMimo Targets Magento, Docker, and Cloud Environments0day Vulnerability in Microsoft Sharepoint Exploited in-the-WildAWS CodeBuild Vulnerability Allows Build Process Secrets ExtractionAkira Ransomware Targeting Critical Vulnerability in SonicWall SSLVPNUAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source ToolsAuto-Color Malware Exploits SAP Vulnerability for Linux BackdoorWarlock Ransomware Exploiting Sharepoint Vulnerabilities Silk Typhoon Exploiting Trusted Relationships for Cloud Environments CompromiseStorm-0501 Deploys Cloud-Based RansomwareDripDropper Malware Exploits Patched Apache ActiveMQ for Persistence on Cloud Linux SystemsRenewed "ArcaneDoor" Campaign Targeting 0-day Vulnerabilities in Cisco ASACl0p Extortion Campaign Claims Theft via Oracle E-Business SuiteeBPF Rootkit Targeting AWS and Linux EnvironmentsPassiveNeuron Campaign: Espionage Campaign Targeting Windows Server EnvironmentsTata Motors Hardcoded AWS Keys and API Tokens Exposed	Initial Access (TA0001)Privilege Escalation (TA0004)		Stub
Webshell deployment		MITRE breach via Ivanti Connect SecureEarth Baku campaignUNC1860 Attacks Targeting the Middle EastSilent Skimmer Attacks Exploiting Telerik UI to Steal Payment DataSharePoint Vulnerability Exploited in-the-WildGelsemium’s Shift to Linux Malware with WolfsBane and FireWoodState-Sponsored APT Abuse Visual Studio Code in AttacksRevivalStone Campaign by WinntiPHP-CGI Vulnerability Exploited in Attacks Targeting JapanOperation LongFangWeaver Ant data exfiltration campaignSAP NetWeaver Visual Composer exploitation campaignLarva-25003: IIS Native Module Malware Used in Targeted Web Server AttacksMimo Exploits Craft CMS RCE to Deploy Cryptominer and Proxyware in Coordinated CampaignEarth Lamia Custom Toolkit Targets Multiple Sectors via Web VulnerabilitiesAttacks on Korean IIS & Linux ServersIn-Memory IIS Attacks via View State Deserialization0day Vulnerability in Microsoft Sharepoint Exploited in-the-WildUAT-7237 Targets Taiwanese Web Infrastructure Using Customized Open-Source ToolsWarlock Ransomware Exploiting Sharepoint Vulnerabilities Silk Typhoon Exploiting Trusted Relationships for Cloud Environments CompromiseStorm-0501 Deploys Cloud-Based RansomwarePassiveNeuron Campaign: Espionage Campaign Targeting Windows Server Environments			Stub
XML injection		Krpano XSS exploitation campaign			Not started