Example Attacks
A list of real-world attacks and attack classes, each mapped to the tactics and techniques of the current application attack matrix, from reconnaissance to impact. In each table the header row gives the tactic and the cells beneath it list the techniques observed under that tactic; a blank cell means no further technique was mapped in that column.
Log4Shell
| Reconnaissance | Resource Development | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Impact |
|---|---|---|---|---|---|
| Gather Application Configuration Information | Develop Capabilities | Content Injection (Network traffic) | Remote Code Execution Exploitation | Server Software Component | Data Destruction |
| Application Dependencies Mapping | Obtain Capabilities | Supply Chain Compromise | Injection Exploitations | Scheduled Task | Data Encryption |
| | Third-Party Dependency Poisoning | | | | Data Exfiltration |
Spring4Shell
| Reconnaissance | Resource Development | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Expanding Control | Impact |
|---|---|---|---|---|---|---|
| Gather Application Configuration Information | Develop Capabilities | Authentication Bypass | Remote Code Execution Exploitation | Exploitation for Privilege Escalation | Exploitation for Credential Access | Data Destruction |
| Application API Specification Harvesting | | Valid Accounts | Injection Exploitations | Masquerading | | Service Disruption |
| | | Supply Chain Compromise | | Server Software Component | | Business Logic Manipulation |
Colors
| Reconnaissance | Resource Development | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Expanding Control | Impact |
|---|---|---|---|---|---|---|
| Public Source Code and Artifacts Analysis | Develop Capabilities | Supply Chain Compromise | Remote Code Execution Exploitation | Server Software Component | Exploitation for Credential Access | Data Destruction |
| | Third-Party Dependency Poisoning | | Injection Exploitations | Masquerading | | Service Disruption |
| | | | | | | Business Logic Manipulation |
XZ-Utils
| Reconnaissance | Resource Development | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Expanding Control | Impact |
|---|---|---|---|---|---|---|
| Public Source Code and Artifacts Analysis | Develop Capabilities | Supply Chain Compromise | Remote Code Execution Exploitation | Server Software Component | Exploitation for Privilege Escalation | Data Destruction |
| Gather Application Configuration Information | Third-Party Dependency Poisoning | Valid Accounts | Injection Exploitations | Masquerading | | Service Disruption |
| Application API Specification Harvesting | | Authentication Bypass | | | | Business Logic Manipulation |
regreSSHion - OpenSSH RCE (CVE-2024-6387, CVE-2024-6409)
| Reconnaissance | Resource Development | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Expanding Control | Impact |
|---|---|---|---|---|---|---|
| Gather Application Configuration Information | Develop Capabilities | Authentication Bypass | Remote Code Execution Exploitation | Server Software Component | Exploitation for Privilege Escalation | Data Encryption |
| Application API Specification Harvesting | | Valid Accounts | Injection Exploitations | Scheduled Task | | Service Disruption |
| | | | | Masquerading | | |
SolarWinds Attack
| Reconnaissance | Resource Development | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Expanding Control | Impact |
|---|---|---|---|---|---|---|
| Gather Application Configuration Information | Develop Capabilities | Supply Chain Compromise | Remote Code Execution Exploitation | Server Software Component | Exploitation for Privilege Escalation | Data Exfiltration |
| Public Source Code and Artifacts Analysis | Compromised Code Signing and Build Infrastructure | Valid Accounts | Injection Exploitations | Masquerading | | Business Logic Manipulation |
| Application API Specification Harvesting | | Authentication Bypass | | | | Service Disruption |
EternalBlue & EternalRomance
| Reconnaissance | Resource Development | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Expanding Control | Impact |
|---|---|---|---|---|---|---|
| Gather Application Configuration Information | Obtain Capabilities | External Remote Services | Remote Code Execution Exploitation | Masquerading | Exploitation for Privilege Escalation | Data Encryption |
| Application API Specification Harvesting | | Valid Accounts | Injection Exploitations | Server Software Component | | Service Disruption |
| | | Authentication Bypass | | | | Business Logic Manipulation |
WannaCry
| Reconnaissance | Resource Development | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Expanding Control | Impact |
|---|---|---|---|---|---|---|
| Gather Application Configuration Information | Obtain Capabilities | External Remote Services | Remote Code Execution Exploitation | Scheduled Task | Exploitation for Privilege Escalation | Data Encryption |
| | | Valid Accounts | Injection Exploitations | Server Software Component | | Service Disruption |
| | | Authentication Bypass | | Masquerading | | Business Logic Manipulation |
BOLA (Broken Object Level Authorization)
| Reconnaissance | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Expanding Control | Impact |
|---|---|---|---|---|---|
| Application API Specification Harvesting | Authentication Bypass | Injection Exploitations | Masquerading | Exploitation for Credential Access | Data Exfiltration |
| | | Service Standard API | | Exploitation for Privilege Escalation | |
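As an added illustration (not part of the original matrix page or of any project it describes), the Python sketch below shows the authorization failure behind a BOLA: a handler that authenticates the caller but never checks that the requested object belongs to them, next to the fixed handler, and the enumeration an attacker runs against the service's standard API once the id scheme is known from the specification. All users, tokens and invoices are constructed sample data; `get_invoice_vulnerable`, `get_invoice_fixed` and `enumerate_invoices` are hypothetical names chosen for the example.

```python
"""BOLA (Broken Object Level Authorization), added illustration.

A minimal in-memory "invoices" API. The vulnerable handler trusts the
object id from the request; the fixed handler also checks ownership.
Everything below is constructed sample data, not from any real system.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner: str
    amount: int


# Constructed sample data: three invoices belonging to two users.
INVOICES = {
    1001: Invoice(1001, "alice", 120),
    1002: Invoice(1002, "bob", 4800),
    1003: Invoice(1003, "bob", 75),
}

# Constructed sessions: bearer token -> authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    """Caller is not authenticated."""


class NotFound(Exception):
    """Object does not exist (or, in the fixed handler, is not the caller's)."""


def authenticate(token: str) -> str:
    """Authentication answers 'who is calling?', never 'may they read this?'."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Forbidden("invalid session") from None


def get_invoice_vulnerable(token: str, invoice_id: int) -> Invoice:
    """GET /invoices/{id} with a BOLA: the caller is authenticated, but the
    invoice's owner is never compared with the caller."""
    authenticate(token)
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_fixed(token: str, invoice_id: int) -> Invoice:
    """Same endpoint with an object-level authorization check.

    'No such invoice' and 'not your invoice' both map to NotFound, so an
    enumerating attacker cannot use the response to learn which ids exist.
    """
    caller = authenticate(token)
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner != caller:
        raise NotFound(invoice_id)
    return invoice


def enumerate_invoices(handler, token: str, id_range) -> dict:
    """The attacker's side: walk the id space through the standard API with
    an ordinary low-privilege session and keep whatever comes back.
    Returns {invoice_id: owner} for every object the handler disclosed."""
    leaked = {}
    for invoice_id in id_range:
        try:
            inv = handler(token, invoice_id)
        except (NotFound, Forbidden):
            continue
        leaked[invoice_id] = inv.owner
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    # Alice's session against the vulnerable handler also returns Bob's invoices.
    print("vulnerable:", enumerate_invoices(get_invoice_vulnerable, "tok-alice", ids))
    # Against the fixed handler she only sees her own.
    print("fixed:     ", enumerate_invoices(get_invoice_fixed, "tok-alice", ids))
```

The check that closes the hole is a single comparison of the object's owner against the authenticated principal, made on every object access rather than once at login; collapsing "missing" and "not yours" into the same response is what keeps the id space from being enumerable through the fixed endpoint.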
Equifax hack
| Reconnaissance | Resource Development | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Expanding Control | Impact |
|---|---|---|---|---|---|---|
| Gather Application Configuration Information | Develop Capabilities | External Remote Services | Remote Code Execution Exploitation | Server Software Component | Exploitation for Privilege Escalation | Data Exfiltration |
| | | Authentication Bypass | Injection Exploitations | Masquerading | | Business Logic Manipulation |
ShellTorch
| Reconnaissance | Resource Development | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Expanding Control | Impact |
|---|---|---|---|---|---|---|
| Application API Specification Harvesting | Develop Capabilities | External Remote Services | Remote Code Execution Exploitation | Server Software Component | Exploitation for Privilege Escalation | Data Exfiltration |
| | | Authentication Bypass | Injection Exploitations | Masquerading | | Service Disruption |
ShadowRay
| Reconnaissance | Resource Development | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Expanding Control | Impact |
|---|---|---|---|---|---|---|
| Gather Application Configuration Information | Develop Capabilities | External Remote Services | Remote Code Execution Exploitation | C2 over App-Protocols | Exploitation for Privilege Escalation | Data Exfiltration |
| Application API Specification Harvesting | | Authentication Bypass | Injection Exploitations | | Cloud Service Discovery | Service Disruption |
Ollama DoS
| Reconnaissance | Resource Development | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Impact |
|---|---|---|---|---|---|
| Gather Application Configuration Information | Obtain Capabilities | Supply Chain Compromise | Remote Code Execution Exploitation | Server Software Component | Data Exfiltration |
| Application API Specification Harvesting | Develop Capabilities | Authentication Bypass | Injection Exploitations | Scheduled Task | Data Encryption |
| | Third-Party Dependency Poisoning | | | | Defacement |
| | | | | | Service Disruption |
Apache Tomcat RCE (CVE-2024-56337)
| Reconnaissance | Resource Development | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Expanding Control | Impact |
|---|---|---|---|---|---|---|
| Gather Application Configuration Information | Develop Capabilities | External Remote Services | Remote Code Execution Exploitation | Masquerading | Exploitation for Privilege Escalation | Data Encryption |
| | | Authentication Bypass | Injection Exploitations | Server Software Component | | Service Disruption |
PyLoose
| Reconnaissance | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Expanding Control | Impact |
|---|---|---|---|---|---|
| Gather Application Configuration Information | External Remote Services | Remote Code Execution Exploitation | Server Software Component | Exploitation for Privilege Escalation | Data Exfiltration |
| Public Source Code and Artifacts Analysis | | Injection Exploitations | Masquerading | Cloud Service Discovery | Service Disruption |
| | | | | | Resource Hijacking |
Jackson (CVE-2017-17485)
| Reconnaissance | Payload Delivery/Gain Access | Payload Execution | Deepening Control | Impact |
|---|---|---|---|---|
| Gather Application Configuration Information | External Remote Services | Injection Exploitations | Server Software Component | Data Exfiltration |
| | | Remote Code Execution Exploitation | Masquerading | Service Disruption |
Threat Actors
| ID (MITRE ATT&CK group/campaign/software ID where one exists) | Threat Actor / Campaign / Tool | Application Vulnerability Exploited | Tactics | Techniques / Sub-techniques |
|---|---|---|---|---|
| LZ0001 | Lazarus | PyYAML insecure deserialization leading to remote code execution | Payload Execution | Injection Exploitations, Remote Code Execution Exploitation |
| BH0001 | SafeWallet Hackers | Supply chain compromise via SafeWallet's update mechanism affecting the Bybit platform | Payload Delivery/Gain Access | Supply Chain Compromise |
| G1030 | Agrius | FortiOS path traversal (e.g., CVE-2018-13379) and SQL injection | Payload Delivery/Gain Access, Payload Execution | Content Injection (Network traffic), Injection Exploitations |
| G0007 | APT28 | MS Exchange RCE vulnerabilities (e.g., CVE-2020-0688, CVE-2020-17144) | Payload Delivery/Gain Access, Payload Execution | Supply Chain Compromise, Remote Code Execution Exploitation |
| G0016 | APT29 | Citrix/VPN and Exchange vulnerabilities (e.g., CVE-2019-19781, CVE-2019-11510, CVE-2020-0688) | Payload Delivery/Gain Access, Payload Execution | Supply Chain Compromise, Remote Code Execution Exploitation |
| G0087 | APT39 | SQL injection for initial compromise | Payload Execution | Injection Exploitations |
| G0096 | APT41 | Unsafe deserialization and SQL injection | Payload Execution | Injection Exploitations |
| G1023 | APT5 | Exploitation of vulnerabilities in VPNs/ADC | Payload Execution | Remote Code Execution Exploitation |
| G0001 | Axiom | SQL injection | Payload Execution | Injection Exploitations |
| G0135 | BackdoorDiplomacy | F5 BIG-IP RCE (e.g., CVE-2020-5902) | Payload Delivery/Gain Access | Content Injection (Network traffic) |
| G0098 | BlackTech | Buffer overflow in IIS 6.0 (e.g., CVE-2017-7269) | Payload Execution | Remote Code Execution Exploitation |
| G0108 | Blue Mockingbird | Telerik UI deserialization (e.g., CVE-2019-18935) | Payload Execution | Remote Code Execution Exploitation |
| C0017 | C0017 | Unsafe deserialization, SQL injection, and path traversal | Payload Execution | Injection Exploitations |
| C0018 | C0018 | VMware Horizon vulnerabilities | Payload Execution | Remote Code Execution Exploitation |
| C0027 | C0027 | Exploitation of ForgeRock OpenAM (e.g., CVE-2021-35464) | Payload Delivery/Gain Access | Authentication Bypass |
| G1021 | Cinnamon Tempest | Exploitation of vulnerabilities in Exchange, ManageEngine, Confluence, and Log4j | Payload Execution | Remote Code Execution Exploitation, Injection Exploitations |
| S1105 | COATHANGER | Exploitation of a vulnerable FortiGate device | Payload Delivery/Gain Access | Content Injection (Network traffic) |
| C0029 | Cutting Edge | Ivanti Connect Secure VPN vulnerabilities (e.g., CVE-2023-46805, CVE-2024-21887, CVE-2024-21893) | Payload Delivery/Gain Access, Payload Execution | Authentication Bypass, Injection Exploitations |
| G0035 | Dragonfly | SQL injection and exploitation of additional CVEs | Payload Delivery/Gain Access, Payload Execution | Injection Exploitations, Supply Chain Compromise |
| G1006 | Earth Lusca | Exploitation of vulnerabilities in Exchange and Oracle GlassFish | Payload Execution | Remote Code Execution Exploitation |
| G1003 | Ember Bear | Exploitation of vulnerabilities in Exchange and related platforms | Payload Execution | Remote Code Execution Exploitation |
| G1016 | FIN13 | Exploited vulnerabilities in SAP/Java environments (e.g., CVE-2017-1000486) | Payload Execution | Injection Exploitations, Remote Code Execution Exploitation |
| G0046 | FIN7 | Microsoft Exchange SSRF vulnerability (e.g., CVE-2021-31207) | Payload Execution | Remote Code Execution Exploitation |
| G0117 | Fox Kitten | Exploitation of vulnerabilities in VPN appliances | Payload Execution | Remote Code Execution Exploitation |
| G0093 | GALLIUM | Exploitation of publicly facing WildFly/JBoss servers | Payload Execution | Remote Code Execution Exploitation |
| G0115 | GOLD SOUTHFIELD | Exploitation of Oracle WebLogic vulnerabilities | Payload Execution | Remote Code Execution Exploitation |
| G0125 | HAFNIUM | Exploitation of Log4j (e.g., CVE-2021-44228) and additional vulnerabilities | Payload Execution | Remote Code Execution Exploitation, Injection Exploitations |
| S0224 | Havij | Automated SQL injection tool | Payload Execution | Injection Exploitations |
| C0038 | HomeLand Justice | Exploitation of CVE-2019-0604 in SharePoint | Payload Execution | Remote Code Execution Exploitation |
| G1032 | INC Ransom | Exploitation of Citrix NetScaler vulnerability (e.g., CVE-2023-3519) | Payload Execution | Remote Code Execution Exploitation |
| G0004 | Ke3chang | Exploitation of vulnerabilities in Microsoft Exchange and SharePoint | Payload Execution | Remote Code Execution Exploitation |
| G0094 | Kimsuky | Exploitation of Microsoft Exchange vulnerability (e.g., CVE-2020-0688) | Payload Execution | Remote Code Execution Exploitation |
| G0059 | Magic Hound | Exploitation of Log4j (e.g., CVE-2021-44228), ProxyShell, and FortiOS SSL VPN vulnerabilities | Payload Execution | Remote Code Execution Exploitation, Injection Exploitations |
| G0045 | menuPass | Exploited vulnerabilities in Pulse Secure VPNs (session hijacking) | Payload Delivery/Gain Access | Authentication Bypass |
| G1009 | Moses Staff | Exploitation of vulnerabilities in Microsoft Exchange Servers | Payload Execution | Remote Code Execution Exploitation |
| G0069 | MuddyWater | Exploitation of Microsoft Exchange memory corruption (e.g., CVE-2020-0688) | Payload Execution | Remote Code Execution Exploitation |
| C0002 | Night Dragon | SQL injection exploits against extranet web servers | Payload Execution | Injection Exploitations |
| C0012 | Operation CuckooBees | Exploitation of multiple vulnerabilities in externally facing servers | Payload Execution | Remote Code Execution Exploitation |
| C0014 | Operation Wocao | Exploitation of vulnerabilities in JBoss web servers | Payload Execution | Remote Code Execution Exploitation |
| G1040 | Play | Exploitation of multiple vulnerabilities (e.g., CVE-2018-13379, CVE-2020-12812, CVE-2022-41082, CVE-2022-41040) | Payload Execution | Remote Code Execution Exploitation, Injection Exploitations |
| G0106 | Rocke | Exploitation via vulnerabilities in Apache Struts, Oracle WebLogic, and Adobe ColdFusion | Payload Execution | Remote Code Execution Exploitation |
| G0034 | Sandworm Team | Exploitation of public-facing applications (e.g., Exim MTA vulnerability) | Payload Execution | Remote Code Execution Exploitation |
| S0623 | Siloscape | Exploitation of a vulnerability in Windows container environments | Payload Execution | Remote Code Execution Exploitation |
| C0024 | SolarWinds Compromise | Exploitation of Exchange Control Panel vulnerability (e.g., CVE-2020-0688) | Payload Execution | Remote Code Execution Exploitation |
| S0516 | SoreFang | Exploitation of Sangfor SSL VPN vulnerability | Payload Execution | Remote Code Execution Exploitation |
| S0225 | sqlmap | Automated SQL injection tool | Payload Execution | Injection Exploitations |
| G0027 | Threat Group-3390 | Exploitation of vulnerabilities in Microsoft SharePoint/Exchange | Payload Execution | Remote Code Execution Exploitation |
| G1022 | ToddyCat | Exploitation of ProxyLogon vulnerability (e.g., CVE-2021-26855) | Payload Execution | Remote Code Execution Exploitation |
| C0039 | Versa Director Zero Day Exploitation | Exploitation of CVE-2024-39717 in Versa Director | Payload Execution | Remote Code Execution Exploitation |
| G0123 | Volatile Cedar | Targeting publicly-facing web servers | Payload Execution | Remote Code Execution Exploitation |
| G1017 | Volt Typhoon | Exploitation of multiple vulnerabilities in Internet-facing software | Payload Execution | Remote Code Execution Exploitation |
| G1035 | Winter Vivern | Exploitation of vulnerabilities in Roundcube Webmail servers and the "Follina" vulnerability | Payload Execution | Remote Code Execution Exploitation |