Techniques

Techniques utilized by threat actors and tools, as observed in various incidents

Name	Tags	Incidents	ATT&CK Tactic	Tech	Status
Abuse access to existing KMS key	Cloud		Credential Access (TA0006)		Stub
Abuse naming patterns to guess resource IDs or fingerprint resources	Cloud		Discovery (TA0007)		Stub
Abuse of cross-job access in CI/CD system	CI/CD				Stub
Abuse trust and privileges across accounts	Cloud	LAPSUS$ campaigns	Lateral Movement (TA0008)		Stub
Abusing exposed Docker socket	K8s	Kiss-A-Dog campaign OracleIV campaign	Initial Access (TA0001)	Docker	Stub
Add attacker-controlled IdP via ADFS access	AAD	APT29 targeting Microsoft 365	Lateral Movement (TA0008)		Stub
Appstream abuse	Cloud		Initial Access (TA0001)	AWS Appstream	Stub
Attach administrative role to account		DangerDev SES abuse incident From refresh token theft to global admin			Stub
Auth token signing via ADFS access	AAD	APT29 targeting Microsoft 365	Lateral Movement (TA0008)		Stub
Auth token signing via Golden SAML	AAD	APT29 targeting Microsoft 365 Solarigate: Solarwinds supply chain attack Peach Sandstorm targeting Azure	Lateral Movement (TA0008)Credential Access (TA0006)		Finalized
Azure AD abuse		Stealing the LIGHTSHOW			Stub
Azure Arc abuse	Cloud	Peach Sandstorm targeting Azure	Persistence (TA0003)Execution (TA0002)	Azure Arc	Stub
Azure Batch abuse	Cloud	Cryptojacking via Azure Batch		Azure Batch	Stub
Azure cross-tenant synchronization backdoor	CloudAAD		Persistence (TA0003)		Stub
Azure lateral movement via cross-tenant synchronization	CloudAAD		Lateral Movement (TA0008)		Stub
Azure Run Commands abuse		Scattered Spider Azure Run abuse	Execution (TA0002)		Stub
Backdoor AMI	Cloud		Initial Access (TA0001)		Stub
Backdoor Docker image	K8s	AmberSquid campaign	Initial Access (TA0001)	Docker	Stub
Backdoor IaC (StackSet, Terraform, etc.)	Cloud		Initial Access (TA0001)		Stub
Backdoor Lambda Layer	Cloud		Initial Access (TA0001)	AWS Lambda	Stub
Bootkit	LinuxWindows		Persistence (TA0003)		Stub
Bring Your Own Vulnerable Driver	Windows	Agenda Ransomware Targets ESXi and vCenter Servers	Execution (TA0002)Privilege Escalation (TA0004)		Stub
Bucket / storage ransomware	CloudRansomware	BlackCat Azure Storage Account RansomOp	Impact (TA0040)		Stub
Bucket name squatting attack	Cloud		Initial Access (TA0001)		Stub
cAdvisor abuse	App Misconfig.		Reconnaissance (TA0043)Credential Access (TA0006)	cAdvisor	Stub
CI/CD system enumeration	CI/CD		Discovery (TA0007)		Stub
Cloud account password reset		Phishing campaign leading to Azure account takeover			Not started
Cloud API enumeration	Cloud	Leaked long-lived AWS creds LAPSUS$ campaigns DangerDev SES abuse incident Muddled Libra campaigns (2024)LLMjacking via Laravel exploitation S3 RansomOp following long-term key exposure Scylla LLMJacking campaign Scattered Spider targeting Azure environment	Reconnaissance (TA0043)		Stub
Cloud compute cryptojacking	CloudK8s	Kiss-A-Dog campaign ScarletEel campaign (Feb ‘23)RBAC Buster Misconfigured firewall to cryptojacking botnet ScarletEel campaign (July ‘23)EleKtra-Leak Labrat GitLab campaign AmberSquid campaign DangerDev SES abuse incident ECS Fargate cryptojacking Dero cryptojacking targeting K8s DERO cryptojacking campaign (2024)SeleniumGreed: Threat actors exploit exposed Selenium Grid services for Cryptomining Confluence exploited for cryptojacking REF6138 campaign Ultralytics compromise Kong image compromise	Impact (TA0040)		Featured
Cloud key compromise		Apple cloud key exposure BMW exposed cloud storage Zenlayer exposed database From social engineering to cryptocurrency theft Football Australia exposed cloud key Abusing management tooling for cloud access Personal local drive to AWS ransomware Third party to cloud compromise Scylla LLMJacking campaign Attack abusing Amazon SES			Stub
Cloud storage cryptojacking	Cloud		Impact (TA0040)		Finalized
Cloud to on-prem lateral movement		Third party to cloud compromise Smishing into Entra onto VMWare ransomware Storm-0501 attacking hybrid environments with ransomware			Not started
Cloud-init persistence	Cloud		Persistence (TA0003)		Stub
Cluster anonymous access	K8s	RBAC Buster	Initial Access (TA0001)		Stub
Container enumeration	K8s	Commando Cat campaign	Discovery (TA0007)		Stub
Create an IAM Roles Anywhere trust anchor	Cloud		Initial Access (TA0001)		Stub
Create new application user		Cloudflare incident following Okta breach			Stub
Create new cloud user	Cloud	RBAC Buster SIM-Swap to Data Leak on Dark Web DangerDev SES abuse incident S3 data exfiltration Leaked long-lived AWS creds ScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)S3 RansomOp following long-term key exposure Scattered Spider SaaS targeting (2023)Phishing campaign leading to Azure account takeover	Persistence (TA0003)		Stub
Create new local user	LinuxWindows	Commando Cat campaign	Persistence (TA0003)		Stub
Create or modify cloud key		From refresh token theft to global admin	Persistence (TA0003)Credential Access (TA0006)		Stub
Create or modify firewall or security group rules		Cosmic Wolf cloud activity DangerDev SES abuse incident From password reset to data exfiltration Scattered Spider targeting GCP environment EC2 Grouper Campaign	Defense Evasion (TA0005)		Stub
Create SSH backdoor		SilentBob cryptomining campaign Qubitstrike Crypto Mining and Rootkit Campaign Commando Cat campaign CRYSTALRAY: threat actors exploiting OSS tools Scattered Spider targeting GCP environment Operation Windigo Gelsemium’s Shift to Linux Malware with WolfsBane and FireWood	Persistence (TA0003)		Stub
Credential harvesting from code repository	CI/CD	SIM-Swap to Data Leak on Dark Web EleKtra-Leak Sisense breach Rabbit AI exposed keys in code Mercedes-Benz source code exposure ShinyHunters Ransomware Targeting Cloud Environments	Credential Access (TA0006)		Stub
Credential stuffing	CloudLinux	Fast Company incident New Relic incident (November 2023)	Initial Access (TA0001)		Stub
Credential theft		SilentBob cryptomining campaign Qubitstrike Crypto Mining and Rootkit Campaign LAPSUS$ campaigns FBot toolkit targets cloud environments Commando Cat campaign From S3 bucket to Jenkins credential dump Affirmed Networks breach LLMjacking via Laravel exploitation Atlas Lion phishing campaign Smishing into Entra onto VMWare ransomware Scattered Spider SaaS targeting (2024)CRYSTALRAY: threat actors exploiting OSS tools Ransomware operators exploit ESXi vulnerability Scattered Spider Abuses Cloud Management Agent ShinyHunters Ransomware Targeting Cloud Environments Extortion Campaign Exploiting Exposed Environment Variable APT29 Targeting Zimbra and TeamCity Servers Earth Simnavaz (APT34) Targeting UAE and Gulf Regions UNC5820 exploiting FortiManager flaw BrowserStack Data Breach Dropbox Github breach Mozi Botnet Using AndroxGh0st Toolkit to Target Cloud Environments SharePoint Vulnerability Exploited in-the-Wild Earth Kasha’s Campaign Exploiting Fortinet Vulnerability Volkswagen data leak through Spring Boot Actuator misconfiguration Phishing campaign leading to Azure account takeover Storm-0501 attacking hybrid environments with ransomware	Credential Access (TA0006)		Stub
Cron persistence		From PHP exploitation to AWS lateral movement CoinStomp campaign From PHP vuln to Sliver execution via cron Diicot Campaign Targeting Exposed SSH Mexals cryptojacking campaign	Persistence (TA0003)		Stub
Dangling DNS takeover	Network	fsevents supply chain attack	Resource Development (TA0042)		Stub
Data exfiltration from cloud storage		S3 data exfiltration S3 ransomware scam			Stub
Database ransomware	Ransomware	DarkRadiation campaign	Impact (TA0040)		Stub
DCSync attack		Horde Panda targeting South Asian telecommunications provider			Not started
DDoS attack		REF6138 campaign			Not started
Delete compute snapshot		Scattered Spider targeting GCP environment			Not started
Disable logging	Cloud	Ubiquiti incident ScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)Cloud lateral movement via Citrix cookie APT29 targeting Microsoft 365	Defense Evasion (TA0005)		Stub
Discover origin IP of fronted domain	Network	Fast Company incident	Discovery (TA0007)		Stub
Disk Wipe		DarkRadiation campaign	Impact (TA0040)		Stub
DLL search order hijacking			Execution (TA0002)		Stub
DLL Side-Loading		Earth Kasha’s Campaign Exploiting Fortinet Vulnerability			Not started
DNS tunneling		Msupedge Backdoor Targeting Taiwanese University			Not started
DNS-over-HTTPS (DoH)		Denonia campaign	Command and Control (TA0011)		Stub
Domain registration abuse		DangerDev SES abuse incident			Stub
EDR whitelisting		Smishing into Entra onto VMWare ransomware			Not started
Email C2		New Relic incident (November 2023)			Stub
Email server hijacking	Supply Chain	Cyber Toufan Linux destruction	Impact (TA0040)	Microsoft Exchange	Stub
Erase logs	Cloud	Cloud lateral movement via Citrix cookie	Defense Evasion (TA0005)		Stub
Escape to host via cgroups release_agent	Linux	Gin Docker cryptojacking campaign	Privilege Escalation (TA0004)		Stub
Evasive username patterns		DangerDev SES abuse incident			Stub
Execute Command on VM using Custom Script Extension			Execution (TA0002)		Stub
Exfiltration via AWS DataSync	Cloud	Muddled Libra campaigns (2024)	Exfiltration (TA0010)		Stub
Exfiltration via AWS Transfer	Cloud	Muddled Libra campaigns (2024)	Exfiltration (TA0010)		Stub
Exploiting BPF load to escape to host	K8s		Privilege Escalation (TA0004)		Stub
Exploiting host mount to escape to host	K8s	Kiss-A-Dog campaign Doki cryptojacking campaign	Privilege Escalation (TA0004)		Stub
Export disk via SAS URL	Cloud		Exfiltration (TA0010)		Stub
Exposed environment config abuse		DepositFiles exposed config file AndroxGh0st usage (2024)	Initial Access (TA0001)		Stub
Exposed git config files abuse		EMERALDWHALE Attacks Targeting Exposed Git Config Files			Not started
Extract credentials from resource tags	Cloud		Credential Access (TA0006)Lateral Movement (TA0008)		Stub
FTP access		Meow database server campaign	Initial Access (TA0001)		Stub
Gift card fraud		Atlas Lion phishing campaign			Not started
Global socket communication	Network	Commando Cat campaign	Command and Control (TA0011)		Stub
IAM privilege escalation	CloudAuthentication		Privilege Escalation (TA0004)		Stub
Image dependency confusion	Supply ChainK8s		Initial Access (TA0001)		Stub
IMDS abuse	Cloud	ScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)SilentBob cryptomining campaign From PHP exploitation to AWS lateral movement Misconfigured firewall to cryptojacking botnet Capital One incident (March 2019)UNC2903 campaigns SQL Server to cloud lateral movement From PHP vuln to Sliver execution via cron From web app exploitation to Chisel tunneling Commando Cat campaign Hugging Face cross-tenant access US DoD NIPRNet access via Atlassian SSRF	Credential Access (TA0006)		Featured
Impersonate GCP Service Accounts			Privilege Escalation (TA0004)		Stub
Intune abuse		Stealing the LIGHTSHOW	Execution (TA0002)Persistence (TA0003)		Stub
Jira ScriptRunner abuse		Cloudflare incident following Okta breach			Stub
Jupyter Notebook misconfig abuse	App Misconfig.	Jupyter Notebook cred harvesting campaign Meow Jupyter Notebook campaign Panamorfi campaign Sports Piracy Exploiting Misconfigured Jupyter Servers	Initial Access (TA0001)Privilege Escalation (TA0004)	Jupyter Notebook	Stub
Jupyter Notebook ransomware	Ransomware		Impact (TA0040)	Jupyter Notebook	Stub
K8s anonymous auth abuse	K8sAuthentication	Dero cryptojacking targeting K8s DERO cryptojacking campaign (2024)	Initial Access (TA0001)	Kubernetes	Stub
Lambda persistence	Cloud		Persistence (TA0003)	AWS Lambda	Stub
Launch new cloud resources		DangerDev SES abuse incident Smishing into Entra onto VMWare ransomware From password reset to data exfiltration Scattered Spider targeting GCP environment			Stub
Linux fileless malware	Linux	PHP Targeted with Glutton backdoor	Persistence (TA0003)		Stub
LLM Prompt Injection	AI/ML		Initial Access (TA0001)		Stub
LLMjacking		LLMjacking via Laravel exploitation Scylla LLMJacking campaign LLM Hijacking Targeting AWS			Stub
Local privilege escalation via vulnerability exploitation		BORN Group supply chain attack			Not started
LOLBin abuse	Windows	Peach Sandstorm targeting Azure Widespread TeamCity exploitation (March ‘24)	Defense Evasion (TA0005)		Stub
LSASS dumping	Windows	Storm-0558 phishing campaigns	Credential Access (TA0006)Privilege Escalation (TA0004)		Stub
Malicious AI model	AI/ML	Hugging Face cross-tenant access	ML Attack Staging (AML.TA0001)		Stub
Malicious Terraform provider or module	Supply ChainCloud		Initial Access (TA0001)		Stub
Malvertising					Not started
MFA bypass		CircleCI incident Twilio incident	Initial Access (TA0001)		Stub
MFA enrollment	Authentication	APT29 targeting Microsoft 365 Atlas Lion phishing campaign Smishing into Entra onto VMWare ransomware Scattered Spider SaaS targeting (2023)Scattered Spider targeting Azure environment Phishing campaign leading to Azure account takeover	Persistence (TA0003)		Stub
MFA prompt spam	AuthenticationSocial Eng.		Initial Access (TA0001)		Stub
Misconfigured Apache Hadoop abuse	App Misconfig.	Lucifer Botnet targeting Hadoop Redis, Hadoop, and Docker exploitation Dreambus campaign (2021)		Apache Hadoop	Stub
Misconfigured Argo abuse	App Misconfig.		Initial Access (TA0001)	Argo CD	Stub
Misconfigured Consul abuse	App Misconfig.	Qubitstrike Crypto Mining and Rootkit Campaign Dreambus campaign (2021)	Initial Access (TA0001)	Hashicorp Consul	Stub
Misconfigured DB abuse	App Misconfig.	Meow database server campaign	Initial Access (TA0001)	PostgreSQL	Stub
Misconfigured Docker abuse	App Misconfig.	Redis, Hadoop, and Docker exploitation Kinsing campaigns (2020)TeamTNT’s Docker Gatling Gun Campaign Gafgyt Malware Targeting Misconfigured Docker Servers Docker Swarm and K8s cryptojacking campaign	Initial Access (TA0001)	Docker	Stub
Misconfigured GitHub Runner abuse		Backdoored self-hosted GitHub Runner			Not started
Misconfigured KubeFlow abuse	App Misconfig.K8s		Initial Access (TA0001)	KubeFlow	Stub
Misconfigured OIDC service account abuse	CloudCI/CD		Initial Access (TA0001)Credential Access (TA0006)		Featured
Misconfigured PostgreSQL abuse		Kinsing campaigns (2023-2024)Dreambus campaign (2021)PG_MEM Malware Exploiting Misconfigured PostreSQL Instances			Not started
Misconfigured Power Pages abuse	Cloud		Exfiltration (TA0010)	Microsoft Power Pages	Stub
Misconfigured Redis abuse	App Misconfig.	P2PInfect campaign SkidMap targeting Redis Migo cryptominer targeting Redis Redis, Hadoop, and Docker exploitation HeadCrab campaign Dreambus campaign (2021)	Initial Access (TA0001)	Redis	Stub
Misconfigured Selenium Grid abuse	App Misconfig.	SeleniumGreed: Threat actors exploit exposed Selenium Grid services for Cryptomining Campaign targeting Selenium Grid for cryptomining	Initial Access (TA0001)	Selenium Grid	Stub
Misconfigured SSH abuse	LinuxOS Misconfig.NetworkAuthentication	ChinaZ campaigns Diicot Campaign Targeting Linux Environments	Initial Access (TA0001)Lateral Movement (TA0008)		Featured
Misconfigured WebLogic abuse		Hadooken Malware Targeting Weblogic Servers			Not started
Misconfigured Wordpress abuse	App Misconfig.	Meson Network cryptojacking campaign	Initial Access (TA0001)	WordPress	Stub
Modify compute startup script		Scattered Spider targeting GCP environment			Not started
Modify existing IAM user or role	Cloud	DangerDev SES abuse incident	Persistence (TA0003)		Stub
Modify VPC / subnet / security group configuration	Cloud		Persistence (TA0003)		Stub
Network lateral movement		CRYSTALRAY: threat actors exploiting OSS tools Ransomware operators exploit ESXi vulnerability APT28 Targeting Print Spooler Vulnerability for GooseEgg Deployment BORN Group supply chain attack Horde Panda targeting South Asian telecommunications provider SharePoint Vulnerability Exploited in-the-Wild Docker Swarm and K8s cryptojacking campaign			Not started
OAuth app creation		OAuth applications to deploy VMs for cryptomining Microsoft email exfiltration by Nobelium	Persistence (TA0003)		Stub
OAuth app hijack		OAuth applications to deploy VMs for cryptomining Microsoft email exfiltration by Nobelium	Persistence (TA0003)		Stub
OS password reset		Scattered Spider targeting GCP environment			Not started
OverPass-The-Hash		Cleo Vulnerabilities Targeted by Cl0p Ransomware			Not started
Package dependency confusion	Supply ChainCI/CD	Ivanti supply chain attack via compromised library Multiple organizations vulnerable to dependency confusion	Initial Access (TA0001)	npm	Stub
Package hijacking		Package hijacking redteam op	Initial Access (TA0001)		Stub
Package Starjacking		Cloud tools imitation campaign	Initial Access (TA0001)		Stub
Package typosquatting		Cloud tools imitation campaign	Initial Access (TA0001)		Stub
Password bruteforcing		Trigona targeting MSSQL servers GoBruteforcer campaign FBot toolkit targets cloud environments RE#TURGENCE MSSQL Server RansomOp Mimic used by Trigona operators RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto TargetCompany Abusing MSSQL Servers for Ransomware Gafgyt Malware Targeting Cloud Environments PG_MEM Malware Exploiting Misconfigured PostreSQL Instances Prometei campaign	Initial Access (TA0001)		Stub
Password spraying	CredentialsAuthentication	Peach Sandstorm targeting Azure Microsoft email exfiltration by Nobelium Smishing into Entra onto VMWare ransomware APT29 Targeting Zimbra and TeamCity Servers	Credential Access (TA0006)Initial Access (TA0001)		Stub
Persistence via AI service backend	CloudAI/ML		Persistence (TA0003)		Stub
Persistence via udev					Not started
Persistence via VM user data	Cloud		Persistence (TA0003)		Stub
Phishing		Storm-0558 phishing campaigns RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto GitHub certificate theft incident Atlas Lion phishing campaign Personal local drive to AWS ransomware Scattered Spider SaaS targeting (2023)RomCom exploiting Word vulnerability in campaign targeting government entities Microsoft Smartscreen Vulnerability Exploited by Water Hydra Windows SmartScreen vulnerability exploited by Mispadu trojan Scattered Spider Abuses Cloud Management Agent Triad Nexus: Funnull malicious campaign Dropbox Github breach Earth Kasha’s Campaign Exploiting Fortinet Vulnerability	Initial Access (TA0001)		Stub
Poison AI training data	AI/ML		Resource Development (TA0042)Persistence (TA0003)		Stub
Policy simulation		DangerDev SES abuse incident			Stub
Propagation via Kubelet	K8s		Lateral Movement (TA0008)	Kubernetes	Stub
Proxyjacking		Labrat GitLab campaign 9hits Docker campaign Campaign targeting Selenium Grid for cryptomining	Impact (TA0040)		Stub
Public exposure abuse	Cloud	Reuters leaky ElasticSearch DB ScarletEel campaign (Feb ‘23)ScarletEel campaign (July ‘23)K8s targeted via OpenMetadata exploitation Exploitation in the Wild of Aviatrix Controller RCE	Initial Access (TA0001)		Stub
Public malicious container image		ECS Fargate cryptojacking TeamTNT’s Docker Gatling Gun Campaign			Stub
pwn request	CI/CD		Initial Access (TA0001)	GitHub	Stub
Redis-as-a-backdoor	LinuxCloud	Kiss-A-Dog campaign	Persistence (TA0003)	Redis	Stub
Refresh token compromise	Authentication	From refresh token theft to global admin	Credential Access (TA0006)		Stub
Register self-hosted runner	CI/CD		Privilege Escalation (TA0004)	GitHub	Stub
Registry secret scanning	Credentials	Python infrastructure leaked access token	Reconnaissance (TA0043)Credential Access (TA0006)		Stub
Remotely execute commands or scripts on a VM		DarkRadiation campaign	Execution (TA0002)		Stub
Repo encryption for extortion		Gitloker campaign			Stub
Repojacking	Supply Chain		Initial Access (TA0001)		Stub
Repository webhook abuse	CI/CDApp Misconfig.Network		Initial Access (TA0001)	GitHub TeamCity Jenkins	Stub
Resource injection in CloudFormation template	Cloud		Execution (TA0002)	AWS CloudFormation	Stub
Retrieve EC2 Password Data	Cloud		Credential Access (TA0006)		Stub
Reverse shell		CoinStomp campaign Cloud lateral movement via Citrix cookie From code commit to production takeover Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data Diicot Campaign Targeting Linux Environments	Execution (TA0002)		Stub
Rootkit - LD_PRELOAD		DarkRadiation campaign	Persistence (TA0003)Execution (TA0002)Privilege Escalation (TA0004)Defense Evasion (TA0005)		Stub
Script injection into CICD workflow	Supply ChainCI/CD	Ultralytics compromise Kong image compromise	Initial Access (TA0001)	GitHub GitLab	Not started
Serial port abuse		SIM swapping to serial port abuse Scattered Spider SaaS targeting (2023)			Stub
Serverless execution	Cloud	Denonia campaign	Execution (TA0002)	AWS Lambda	Stub
SES abuse for spam or phishing		DangerDev SES abuse incident			Stub
Session hijacking		MITRE breach via Ivanti Connect Secure			Stub
Share compromised resources to an external account	Cloud	DangerDev SES abuse incident	Exfiltration (TA0010)Persistence (TA0003)		Stub
SIM swap scam		SIM-Swap to Data Leak on Dark Web Scattered Spider SaaS targeting (2023)Scattered Spider SaaS targeting (2024)	Initial Access (TA0001)		Stub
Smishing (SMS phishing)		Atlas Lion phishing campaign Smishing into Entra onto VMWare ransomware Scattered Spider SaaS targeting (2023)Scattered Spider SaaS targeting (2024)			Stub
SNS abuse for spam or phishing	Cloud			Amazon SNS	Stub
Sockpuppet infiltration	Social Eng.	XZ Utils backdoor incident	Initial Access (TA0001)		Stub
Spearphishing		Retool hack	Initial Access (TA0001)		Stub
Spring Boot Actuator abuse	App Misconfig.		Initial Access (TA0001)	Spring Boot	Stub
SQL commands	App Misconfig.	SQL Server to cloud lateral movement	Execution (TA0002)	MySQL Microsoft SQL Server	Stub
SQL injection	App Misconfig.	GambleForce SQL injection campaign SQL Server to cloud lateral movement RedJuliett Exploiting VPN and Firewall Vulnerabilities Boolka campaign	Initial Access (TA0001)	MySQL Microsoft SQL Server	Stub
SSH bruteforcing		Gafgyt Malware Targeting Cloud Environments Operation Veles Diicot Campaign Targeting Exposed SSH Mexals cryptojacking campaign Diicot Campaign Targeting Linux Environments			Not started
SSH key compromise		BORN Group supply chain attack			Not started
SSH propagation		Dreambus campaign (2021)S3 data exfiltration SSH-Snake Confluence targeting campaign	Lateral Movement (TA0008)		Stub
SSM document phishing	Social Eng.		Initial Access (TA0001)		Stub
SSM misconfiguration abuse		Cyberoam breach (2018)			Not started
SSM orchestration abuse		From PHP exploitation to AWS lateral movement			Stub
SSM-facilitated remote desktop connection	Cloud		Lateral Movement (TA0008)		Stub
SSRF		Misconfigured firewall to cryptojacking botnet Capital One incident (March 2019)UNC2903 campaigns US DoD NIPRNet access via Atlassian SSRF	Initial Access (TA0001)		Stub
Steal EC2 Instance Credentials	Cloud	SilentBob cryptomining campaign	Credential Access (TA0006)		Stub
Storage Denial of Wallet amplification attack	CloudNetwork		Impact (TA0040)	S3 Bucket	Stub
Supply Chain Compromise	Supply Chain	Triad Nexus: Funnull malicious campaign Supply Chain Attack on lottie-player Ultralytics compromise Kong image compromise	Initial Access (TA0001)		Not started
Thread impersonation to escape to host	Linux	Siloscape campaign	Privilege Escalation (TA0004)		Stub
Timestomping		CoinStomp campaign From WSO2 RCE to SSH lateral movement	Defense Evasion (TA0005)		Stub
Token forgery		Microsoft signing key compromise	Initial Access (TA0001)Credential Access (TA0006)		Stub
TOR anonymization		Peach Sandstorm targeting Azure Microsoft signing key compromise Cyber Toufan Linux destruction Siloscape campaign	Command and Control (TA0011)Defense Evasion (TA0005)		Stub
Traffic routing through residential proxy network	Network	Microsoft email exfiltration by Nobelium	Defense Evasion (TA0005)		Stub
Trusted technologies abuse		State-Sponsored APT Abuse Visual Studio Code in Attacks			Not started
UPX packing		Campaign targeting Selenium Grid for cryptomining Diicot Campaign Targeting Exposed SSH Mexals cryptojacking campaign			Not started
Use DNS for exfiltration	Cloud	SQL Server to cloud lateral movement	Exfiltration (TA0010)		Stub
Valid creds abuse		Rollbar hack Snowflake compromised creds abuse campaign Ransomware operators exploit ESXi vulnerability Scattered Spider Abuses Cloud Management Agent ShinyHunters Ransomware Targeting Cloud Environments Extortion Campaign Exploiting Exposed Environment Variable Storm-0501 Targeting Hybrid Environments with Ransomware Veeam Vulnerability Exploited by Akira and Fog Ransomware Dropbox Github breach Cleo Vulnerabilities Targeted by Cl0p Ransomware Volkswagen data leak through Spring Boot Actuator misconfiguration Phishing campaign leading to Azure account takeover	Initial Access (TA0001)Credential Access (TA0006)		Stub
Vishing		Scattered Spider targeting Azure environment			Not started
VM extension abuse		SIM swapping to serial port abuse	Privilege Escalation (TA0004)		Stub
VPN anonymization		New Relic incident (November 2023)			Stub
Vulnerability exploitation	Network	Apache server Cryptojacking with Cobalt Strike Prophet Spider campaign Andariel exploiting Apache ActiveMQ GoTitan ActiveMQ campaign LAPSUS$ campaigns P2PInfect campaign 8820 Gang targeting WebLogic Trigona targeting MSSQL servers RE#TURGENCE MSSQL Server RansomOp Mimic used by Trigona operators Lucifer Botnet targeting Hadoop C3Pool mining via Confluence vulnerability z0Miner targeting WebLogic servers Meson Network cryptojacking campaign ShadowSyndicate aiohttp exploitation UNC5174 ScreenConnect and F5 BIG-IP exploitation RUBYCARP: Botnet Exploiting Vulnerabilities for Crypto K8s targeted via OpenMetadata exploitation Kinsing campaigns (2020)Redigo campaign TargetCompany Abusing MSSQL Servers for Ransomware Kinsing targeting cloud servers RedTail Cryptomining campaign Muhstik campaign RedJuliett Exploiting VPN and Firewall Vulnerabilities 8220 Gang Exploiting WebLogic Vulnerabilities for Cryptojacking CRYSTALRAY: threat actors exploiting OSS tools Ransomware operators exploit ESXi vulnerability Dama webshell deployment via ThinkPHP exploitation RomCom exploiting Word vulnerability in campaign targeting government entities Microsoft Smartscreen Vulnerability Exploited by Water Hydra Windows SmartScreen vulnerability exploited by Mispadu trojan ArcaneDoor Campaign Targeting Cisco Adaptive Security Appliance 0day APT28 Targeting Print Spooler Vulnerability for GooseEgg Deployment RCE Vulnerability in PHP CGI Exploited by TellYouThePass Mirai Botnet Exploiting Apache OFBiz Vulnerability Godzilla Backdoor Exploiting Confluence Vulnerability DragonRank Targeting IIS Web Servers UNC1860 Attacks Targeting the Middle East Storm-0501 Targeting Hybrid Environments with Ransomware perfctl Malware Targeting Linux Veeam Vulnerability Exploited by Akira and Fog Ransomware APT29 Targeting Zimbra and TeamCity Servers Earth Simnavaz (APT34) Targeting UAE and Gulf Regions UNC5820 exploiting FortiManager flaw BrowserStack Data Breach Mozi Botnet Using AndroxGh0st Toolkit to Target Cloud Environments Prometei campaign RCE Vulnerability in PAN-OS Exploited in-the-Wild BrazenBamboo Weaponizes FortiClient Vulnerability to Steal Credentials Earth Kasha’s Campaign Exploiting Fortinet Vulnerability State-Sponsored APT Abuse Visual Studio Code in Attacks Mauri Ransomware Exploiting Apache ActiveMQ Cleo Vulnerabilities Targeted by Cl0p Ransomware Byte Federal Data Breach via Gitlab Vulnerability RCE Vulnerability in Apache Struts Targeted by Attackers US Treasury Breach Exploitation in the Wild of Aviatrix Controller RCE	Initial Access (TA0001)Privilege Escalation (TA0004)		Stub
Webshell deployment		MITRE breach via Ivanti Connect Secure Earth Baku campaign UNC1860 Attacks Targeting the Middle East Silent Skimmer Attacks Exploiting Telerik UI to Steal Payment Data SharePoint Vulnerability Exploited in-the-Wild Gelsemium’s Shift to Linux Malware with WolfsBane and FireWood State-Sponsored APT Abuse Visual Studio Code in Attacks			Stub