Attack path: CVE-2020-5231
Where this CVE sits in the complete attacker lifecycle.
2 techniques directly attributed and 2 inferred, across 3 phases. Each technique shows its mapping confidence; follow-on techniques come from shared-actor co-occurrence.
Highlighted from CVE-2020-5231 · primary technique T1078.001
Reconnaissance
Resource Dev
Initial Access
Execution
Persistence
T1136 · direct · Create Account · ✓ detection content available
T1098.001 · 5.2x · Additional Cloud Credentials · ✓ detection content available
T1136.001 · 3.6x · Local Account · ✓ detection content available
T1136.002 · 3.6x · Domain Account · ✓ detection content available
T1136.003 · 3.6x · Cloud Account · ✓ detection content available
Stealth
Defense Impairment
Credential Access
T1552.005 · 8.3x · Cloud Instance Metadata API
T1621 · 7.8x · Multi-Factor Authentication Request Generation · ✓ detection content available
T1003.006 · 6.6x · DCSync · ✓ detection content available
T1606.002 · 6.2x · SAML Tokens
T1606 · 5.2x · Forge Web Credentials · ✓ detection content available
T1003.004 · 3.6x · LSA Secrets · ✓ detection content available
T1187 · 3.2x · Forced Authentication · ✓ detection content available
Discovery
Lateral Movement
Exfiltration
Direct - an ATT&CK/nuclei source names this CVE
Inferred - derived via CWE/CAPEC (lower confidence, may be off)
Likely follow-on (shared-actor co-occurrence)
✓ We hold public detection content
Lift = how strongly a follow-on co-occurs with this CVE across shared threat actors (1x expected, 5x highly distinctive).
Hunt package
All 34 techniques in this view - Sigma rules, Atomic tests, and coverage in one place.