Techniques

Name	Tags	Incidents	MITRE Tactic	Tech	Status
Abuse access to existing KMS key	Cloud		Credential Access (TA0006)		Stub
Abuse naming patterns to guess resource IDs or fingerprint resources	Cloud		Discovery (TA0007)		Stub
Abuse of cross-job access in CI/CD system	CI/CD				Stub
Abuse trust and privileges across accounts	Cloud	LAPSUS$ campaigns	Lateral Movement (TA0008)		Stub
Abusing exposed Docker socket	K8s	“Kiss-A-Dog” campaign OracleIV campaign	Initial Access (TA0001)	Docker	Stub
Add attacker-controlled IdP via ADFS access	AAD	APT29 targeting Microsoft 365	Lateral Movement (TA0008)		Stub
Appstream abuse	Cloud		Initial Access (TA0001)	AWS Appstream	Stub
Attach administrative role to account		DangerDev SES abuse incident From refresh token theft to global admin			Stub
Auth token signing via ADFS access	AAD	APT29 targeting Microsoft 365	Lateral Movement (TA0008)		Stub
Auth token signing via Golden SAML	AAD	APT29 targeting Microsoft 365 Solarigate: Solarwinds supply chain attack Peach Sandstorm Azure targeting	Lateral Movement (TA0008)Credential Access (TA0006)		Finalized
Azure AD abuse		Stealing the LIGHTSHOW			Stub
Azure Arc abuse	Cloud	Peach Sandstorm Azure targeting	Persistence (TA0003)Execution (TA0002)	Azure Arc	Stub
Azure Batch abuse	Cloud	Cryptojacking via Azure Batch		Azure Batch	Stub
Azure cross-tenant synchronization backdoor	CloudAAD		Persistence (TA0003)		Stub
Azure lateral movement via cross-tenant synchronization	CloudAAD		Lateral Movement (TA0008)		Stub
Azure Run Commands abuse		Scattered Spider Azure Run abuse	Execution (TA0002)		Stub
Backdoor AMI	Cloud		Initial Access (TA0001)		Stub
Backdoor Docker image	K8s	AmberSquid campaign	Initial Access (TA0001)	Docker	Stub
Backdoor IaC (StackSet, Terraform, etc.)	Cloud		Initial Access (TA0001)		Stub
Backdoor Lambda Layer	Cloud		Initial Access (TA0001)	AWS Lambda	Stub
Bring Your Own Vulnerable Driver	Windows	Agenda Ransomware Targets ESXi and vCenter Servers	Execution (TA0002)Privilege Escalation (TA0004)		Stub
Bucket / storage ransomware	CloudRansomware	BlackCat Azure Storage Account RansomOp	Impact (TA0040)		Stub
Bucket name squatting attack	Cloud		Initial Access (TA0001)		Stub
cAdvisor abuse	App Misconfig.		Reconnaissance (TA0043)Credential Access (TA0006)	cAdvisor	Stub
CI/CD system enumeration	CI/CD		Discovery (TA0007)		Stub
Cloud API enumeration	Cloud	Leaked long-lived AWS creds LAPSUS$ campaigns DangerDev SES abuse incident S3 ransomware following long-term key exposure Muddled Libra campaigns (2024) LLMjacking via Laravel exploitation	Reconnaissance (TA0043)		Stub
Cloud compute cryptojacking	CloudK8s	“Kiss-A-Dog” campaign ScarletEel campaign (Feb ‘23) RBAC Buster Misconfigured firewall to cryptojacking botnet ScarletEel campaign (July ‘23) EleKtra-Leak Labrat GitLab campaign AmberSquid campaign DangerDev SES abuse incident ECS Fargate cryptojacking	Impact (TA0040)		Featured
Cloud key compromise		Apple cloud key exposure BMW exposed cloud storage Zenlayer exposed database Football Australia exposed cloud key in website From social engineering to cryptocurrency theft			Stub
Cloud storage cryptojacking	Cloud		Impact (TA0040)		Finalized
Cloud-init persistence	Cloud		Persistence (TA0003)		Stub
Cluster anonymous access	K8s	RBAC Buster	Initial Access (TA0001)		Stub
Container enumeration	K8s	Commando Cat campaign	Discovery (TA0007)		Stub
Create an IAM Roles Anywhere trust anchor	Cloud		Initial Access (TA0001)		Stub
Create new application user		Cloudflare incident following Okta breach			Stub
Create new cloud user	Cloud	RBAC Buster SIM-Swap to Data Leak on Dark Web DangerDev SES abuse incident S3 data exfiltration Leaked long-lived AWS creds ScarletEel campaign (Feb ‘23) ScarletEel campaign (July ‘23) S3 ransomware following long-term key exposure	Persistence (TA0003)		Stub
Create new local user	LinuxWindows	Commando Cat campaign	Persistence (TA0003)		Stub
Create or modify cloud key		From refresh token theft to global admin	Persistence (TA0003)Credential Access (TA0006)		Stub
Create or modify firewall or security group rules		Cosmic Wolf cloud activity DangerDev SES abuse incident	Defense Evasion (TA0005)		Stub
Create SSH backdoor		SilentBob cryptomining campaign Qubitstrike Crypto Mining and Rootkit Campaign Commando Cat campaign	Persistence (TA0003)		Stub
Credential harvesting from code repository	CI/CD	SIM-Swap to Data Leak on Dark Web EleKtra-Leak Sisense breach	Credential Access (TA0006)		Stub
Credential stuffing	CloudLinux	Fast Company incident New Relic incident (November 2023)	Initial Access (TA0001)		Stub
Credential theft		SilentBob cryptomining campaign Qubitstrike Crypto Mining and Rootkit Campaign LAPSUS$ campaigns FBot toolkit targets cloud environments Commando Cat campaign From S3 bucket to Jenkins credential dump Affirmed Networks breach LLMjacking via Laravel exploitation	Credential Access (TA0006)		Stub
Cron persistence		From PHP exploitation to AWS lateral movement CoinStomp campaign From PHP vuln to Sliver execution via cron	Persistence (TA0003)		Stub
Dangling DNS takeover	Network	fsevents supply chain attack	Resource Development (TA0042)		Stub
Data exfiltration from cloud storage		S3 data exfiltration S3 ransomware scam			Stub
Database ransomware	Ransomware	DarkRadiation campaign	Impact (TA0040)		Stub
Disable logging	Cloud	Ubiquiti incident ScarletEel campaign (Feb ‘23) ScarletEel campaign (July ‘23) Cloud lateral movement via Citrix cookie APT29 targeting Microsoft 365	Defense Evasion (TA0005)		Stub
Discover origin IP of fronted domain	Network	Fast Company incident	Discovery (TA0007)		Stub
Disk Wipe		DarkRadiation campaign	Impact (TA0040)		Stub
DLL search order hijacking			Execution (TA0002)		Stub
DNS-over-HTTPS (DoH)		Denonia campaign	Command and Control (TA0011)		Stub
Domain registration abuse		DangerDev SES abuse incident			Stub
Email C2		New Relic incident (November 2023)			Stub
Email server hijacking	Supply Chain	Cyber Toufan Linux destruction	Impact (TA0040)	Microsoft Exchange	Stub
End-user compromise		CircleCI incident	Initial Access (TA0001)		Stub
Erase logs	Cloud	Cloud lateral movement via Citrix cookie	Defense Evasion (TA0005)		Stub
Escape to host via cgroups release_agent	Linux	Gin Docker cryptojacking campaign	Privilege Escalation (TA0004)		Stub
Evasive username patterns		DangerDev SES abuse incident			Stub
Execute Command on VM using Custom Script Extension			Execution (TA0002)		Stub
Exfiltration via AWS DataSync	Cloud	Muddled Libra campaigns (2024)	Exfiltration (TA0010)		Stub
Exfiltration via AWS Transfer	Cloud	Muddled Libra campaigns (2024)	Exfiltration (TA0010)		Stub
Exploiting BPF load to escape to host	K8s		Privilege Escalation (TA0004)		Stub
Exploiting host mount to escape to host	K8s	“Kiss-A-Dog” campaign Doki cryptojacking campaign	Privilege Escalation (TA0004)		Stub
Export disk via SAS URL	Cloud		Exfiltration (TA0010)		Stub
Exposed environment config abuse		DepositFiles exposed config file AndroxGh0st usage (2024)	Initial Access (TA0001)		Stub
Extract credentials from resource tags	Cloud		Credential Access (TA0006)Lateral Movement (TA0008)		Stub
FTP access		Meow database server campaign	Initial Access (TA0001)		Stub
Global socket communication	Network	Commando Cat campaign	Command and Control (TA0011)		Stub
Image dependency confusion	Supply ChainK8s		Initial Access (TA0001)		Stub
IMDS abuse	Cloud	ScarletEel campaign (Feb ‘23) ScarletEel campaign (July ‘23) SilentBob cryptomining campaign From PHP exploitation to AWS lateral movement Misconfigured firewall to cryptojacking botnet Capital One incident (March 2019) UNC2903 campaigns SQL Server to cloud lateral movement From PHP vuln to Sliver execution via cron From web app exploitation to Chisel tunneling Commando Cat campaign Hugging Face cross-tenant access US DoD NIPRNet access via Atlassian SSRF	Credential Access (TA0006)		Featured
Impersonate GCP Service Accounts			Privilege Escalation (TA0004)		Stub
Intune abuse		Stealing the LIGHTSHOW	Execution (TA0002)Persistence (TA0003)		Stub
Jira ScriptRunner abuse		Cloudflare incident following Okta breach			Stub
Jupyter Notebook misconfig abuse	App Misconfig.	Jupyter Notebook cred harvesting campaign Meow Jupyter Notebook campaign	Initial Access (TA0001)Privilege Escalation (TA0004)	Jupyter Notebook	Stub
Jupyter Notebook ransomware	Ransomware		Impact (TA0040)	Jupyter Notebook	Stub
K8s anonymous auth abuse	K8sAuthentication		Initial Access (TA0001)	K8s Worker Node	Stub
Lambda persistence	Cloud		Persistence (TA0003)	AWS Lambda	Stub
Launch new cloud resources		DangerDev SES abuse incident			Stub
Linux fileless malware	Linux		Persistence (TA0003)		Stub
LLM Prompt Injection	AI/ML		Initial Access (TA0001)		Stub
LLMjacking		LLMjacking via Laravel exploitation			Not started
LOLBin abuse	Windows	Peach Sandstorm Azure targeting Widespread TeamCity exploitation (March ‘24)	Defense Evasion (TA0005)		Stub
LSASS dumping		Storm-0558 phishing campaigns	Credential Access (TA0006)Privilege Escalation (TA0004)		Stub
Malicious AI model	AI/ML	Hugging Face cross-tenant access	ML Attack Staging (AML.TA0001)		Stub
Malicious Terraform provider or module	Supply ChainCloud		Initial Access (TA0001)		Stub
MFA bypass		CircleCI incident Twilio incident	Initial Access (TA0001)		Stub
MFA enrollment	Authentication	APT29 targeting Microsoft 365	Persistence (TA0003)		Stub
MFA prompt spam	AuthenticationSocial Eng.		Initial Access (TA0001)		Stub
Misconfigured Apache Hadoop abuse	App Misconfig.	Lucifer Botnet targeting Hadoop Redis, Hadoop, and Docker exploitation		Apache Hadoop	Stub
Misconfigured Argo abuse	App Misconfig.		Initial Access (TA0001)	Argo CD	Stub
Misconfigured Consul abuse	App Misconfig.	Qubitstrike Crypto Mining and Rootkit Campaign	Initial Access (TA0001)	Hashicorp Consul	Stub
Misconfigured DB abuse	App Misconfig.	Meow database server campaign	Initial Access (TA0001)	PostgreSQL	Stub
Misconfigured Docker abuse	App Misconfig.	Redis, Hadoop, and Docker exploitation Kinsing campaign (2020)	Initial Access (TA0001)	Docker	Stub
Misconfigured KubeFlow abuse	App Misconfig.K8s		Initial Access (TA0001)	KubeFlow	Stub
Misconfigured OIDC service account abuse	CloudCI/CD		Initial Access (TA0001)Credential Access (TA0006)		Featured
Misconfigured Redis abuse	App Misconfig.	P2PInfect campaign SkidMap targeting Redis Migo cryptominer targeting Redis Redis, Hadoop, and Docker exploitation HeadCrab campaign	Initial Access (TA0001)	Redis	Stub
Misconfigured SSH abuse	LinuxOS Misconfig.NetworkAuthentication	ChinaZ campaigns	Initial Access (TA0001)Lateral Movement (TA0008)		Featured
Misconfigured Wordpress abuse	App Misconfig.	Meson Network cryptojacking campaign	Initial Access (TA0001)		Stub
Modify existing IAM user or role	Cloud	DangerDev SES abuse incident	Persistence (TA0003)		Stub
Modify VPC / subnet / security group configuration	Cloud		Persistence (TA0003)		Stub
OAuth app creation		OAuth applications to deploy VMs for cryptomining Microsoft email exfiltration by Nobelium	Persistence (TA0003)		Stub
OAuth app hijack		OAuth applications to deploy VMs for cryptomining Microsoft email exfiltration by Nobelium	Persistence (TA0003)		Stub
Package dependency confusion	Supply ChainCI/CD	Ivanti supply chain attack via compromised library Multiple organizations vulnerable to dependency confusion	Initial Access (TA0001)	npm	Stub
Package hijacking		Package hijacking redteam op	Initial Access (TA0001)		Stub
Package Starjacking		Cloud tools imitation campaign	Initial Access (TA0001)		Stub
Package typosquatting		Cloud tools imitation campaign	Initial Access (TA0001)		Stub
Password bruteforcing		Trigona targeting MSSQL servers GoBruteforcer campaign FBot toolkit targets cloud environments RE#TURGENCE MSSQL Server RansomOp Mimic used by Trigona operators RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto TargetCompany Abusing MSSQL Servers for Ransomware	Initial Access (TA0001)		Stub
Password spraying	CredentialsAuthentication	Peach Sandstorm Azure targeting Microsoft email exfiltration by Nobelium	Credential Access (TA0006)Initial Access (TA0001)		Stub
Persistence via AI service backend	CloudAI/ML		Persistence (TA0003)		Stub
Persistence via VM user data	Cloud		Persistence (TA0003)		Stub
Phishing		Storm-0558 phishing campaigns RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto	Initial Access (TA0001)		Stub
Poison AI training data	AI/ML		Resource Development (TA0042)Persistence (TA0003)		Stub
Policy simulation		DangerDev SES abuse incident			Stub
Propagation via Kubelet	K8s		Lateral Movement (TA0008)	K8s Worker Node	Stub
Proxyjacking		Labrat GitLab campaign 9hits Docker campaign	Impact (TA0040)		Stub
Public exposure abuse	Cloud	Reuters leaky ElasticSearch DB ScarletEel campaign (Feb ‘23) ScarletEel campaign (July ‘23) Kubernetes Clusters Targeted in OpenMetadata Exploits	Initial Access (TA0001)		Stub
Public malicious container image		ECS Fargate cryptojacking			Stub
pwn request	CI/CD		Initial Access (TA0001)	GitHub	Stub
Redis-as-a-backdoor	LinuxCloud	“Kiss-A-Dog” campaign	Persistence (TA0003)	Redis	Stub
Refresh token compromise	Authentication	From refresh token theft to global admin	Credential Access (TA0006)		Stub
Remotely execute commands or scripts on a VM		DarkRadiation campaign	Execution (TA0002)		Stub
Repojacking	Supply Chain		Initial Access (TA0001)		Stub
Repository webhook abuse	CI/CDApp Misconfig.Network		Initial Access (TA0001)	GitHub TeamCity Jenkins	Stub
Resource injection in CloudFormation template	Cloud		Execution (TA0002)	AWS CloudFormation	Stub
Retrieve EC2 Password Data	Cloud		Credential Access (TA0006)		Stub
Reverse shell		CoinStomp campaign Cloud lateral movement via Citrix cookie From code commit to production takeover	Execution (TA0002)		Stub
Rootkit - LD_PRELOAD		DarkRadiation campaign	Persistence (TA0003)Execution (TA0002)Privilege Escalation (TA0004)Defense Evasion (TA0005)		Stub
Serial port abuse		SIM swapping to serial port abuse			Stub
Serverless execution	Cloud	Denonia campaign	Execution (TA0002)	AWS Lambda	Stub
SES abuse for spam or phishing		DangerDev SES abuse incident			Stub
Session hijacking		MITRE breach via Ivanti Connect Secure			Not started
Share compromised resources to an external account	Cloud	DangerDev SES abuse incident	Exfiltration (TA0010)Persistence (TA0003)		Stub
SIM swap scam		SIM-Swap to Data Leak on Dark Web	Initial Access (TA0001)		Stub
Smishing (SMS phishing)					Stub
SNS abuse for spam or phishing	Cloud			Amazon SNS	Stub
Sockpuppet infiltration	Social Eng.	XZ Utils backdoor incident	Initial Access (TA0001)		Stub
Spearphishing		Retool hack	Initial Access (TA0001)		Stub
Spring Boot Actuator abuse	App Misconfig.		Initial Access (TA0001)	Spring Boot	Stub
SQL commands	App Misconfig.	SQL Server to cloud lateral movement	Execution (TA0002)	MySQL Microsoft SQL Server	Stub
SQL injection	App Misconfig.	GambleForce SQL injection campaign SQL Server to cloud lateral movement	Initial Access (TA0001)	MySQL Microsoft SQL Server	Stub
SSH propagation		Dreambus campaign (2021) S3 data exfiltration SSH-Snake Confluence targeting campaign	Lateral Movement (TA0008)		Stub
SSM orchestration abuse		From PHP exploitation to AWS lateral movement			Stub
SSRF		Misconfigured firewall to cryptojacking botnet Capital One incident (March 2019) UNC2903 campaigns US DoD NIPRNet access via Atlassian SSRF	Initial Access (TA0001)		Stub
Steal EC2 Instance Credentials	Cloud	SilentBob cryptomining campaign	Credential Access (TA0006)		Stub
Storage Denial of Wallet amplification attack	CloudNetwork		Impact (TA0040)	S3 Bucket	Stub
Thread impersonation to escape to host	Linux	Siloscape campaign	Privilege Escalation (TA0004)		Stub
Timestomping		CoinStomp campaign From WSO2 RCE to SSH lateral movement	Defense Evasion (TA0005)		Stub
Token forgery		Microsoft signing key compromise	Initial Access (TA0001)Credential Access (TA0006)		Stub
TOR anonymization		Peach Sandstorm Azure targeting Microsoft signing key compromise Cyber Toufan Linux destruction Siloscape campaign	Command and Control (TA0011)Defense Evasion (TA0005)		Stub
Traffic routing through residential proxy network	Network	Microsoft email exfiltration by Nobelium	Defense Evasion (TA0005)		Stub
Use DNS for exfiltration	Cloud	SQL Server to cloud lateral movement	Exfiltration (TA0010)		Stub
Valid creds abuse		Rollbar hack	Initial Access (TA0001)Credential Access (TA0006)		Stub
VM extension abuse		SIM swapping to serial port abuse	Privilege Escalation (TA0004)		Stub
VPN anonymization		New Relic incident (November 2023)			Stub
Vulnerability exploitation	Network	Apache server Cryptojacking with Cobalt Strike Prophet Spider campaign Andariel exploiting Apache ActiveMQ GoTitan ActiveMQ campaign LAPSUS$ campaigns P2PInfect campaign 8820 Gang targeting WebLogic Trigona targeting MSSQL servers RE#TURGENCE MSSQL Server RansomOp Mimic used by Trigona operators Lucifer Botnet targeting Hadoop C3Pool mining via Confluence vulnerability z0Miner targeting WebLogic servers Meson Network cryptojacking campaign ShadowSyndicate aiohttp exploitation UNC5174 ScreenConnect and F5 BIG-IP exploitation RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto Kubernetes Clusters Targeted in OpenMetadata Exploits Kinsing campaign (2020) Redigo campaign TargetCompany Abusing MSSQL Servers for Ransomware	Initial Access (TA0001)Privilege Escalation (TA0004)		Stub
Webshell deployment		MITRE breach via Ivanti Connect Secure			Not started