Attack path from CVE-2023-33854

Home/ CVE-2023-33854/ Attack path

Attack path: CVE-2023-33854

Where this CVE sits in the complete attacker lifecycle. 0 techniques directly attributed and 12 inferred, across 5 phases. Each technique shows its mapping confidence; follow-on techniques come from shared-actor co-occurrence.

Highlighted from CVE-2023-33854 · primary technique T1021

Reconnaissance

T1595 2.0x

Active Scanning

✓ detection content available

T1595.002 2.0x

Vulnerability Scanning

✓ detection content available

T1589 1.6x

Gather Victim Identity Information

✓ detection content available

T1589.002 1.6x

Email Addresses

✓ detection content available

Resource Dev

T1586.001 4.2x

Social Media Accounts

Initial Access

Supply Chain Compromise

✓ detection content available

T1199 2.7x

Trusted Relationship

✓ detection content available

T0866

Exploitation of Remote Services

T0883

Internet Accessible Device

T0822

External Remote Services

Execution

T1559.002 5.5x

Dynamic Data Exchange

✓ detection content available

T1569.002 5.4x

Service Execution

✓ detection content available

T1047 4.2x

Windows Management Instrumentation

✓ detection content available

T1059.004

Unix Shell

✓ detection content available

T1053.003

Cron

✓ detection content available

T1569

System Services

✓ detection content available

Persistence

T1133 inferred

External Remote Services

✓ detection content available

T1136.003 7.2x

Cloud Account

✓ detection content available

T1137.006 7.2x

Add-ins

✓ detection content available

T1543.004 6.3x

Launch Daemon

✓ detection content available

T1543.001 6.2x

Launch Agent

✓ detection content available

T1098.002 5.8x

Additional Email Delegate Permissions

T1098.005 5.4x

Device Registration

✓ detection content available

T1136 3.6x

Create Account

✓ detection content available

Priv Escalation

T1548.002 7.9x

Bypass User Account Control

✓ detection content available

T1546.011 2.0x

Application Shimming

✓ detection content available

T1546.008 2.0x

Accessibility Features

✓ detection content available

Stealth

T1134.001 inferred

Token Impersonation/Theft

✓ detection content available

T1134.002 23.8x

Create Process with Token

✓ detection content available

T1562.002 19.8x

Disable Windows Event Logging

T1070.006 6.8x

Timestomp

✓ detection content available

T1134 4.4x

Access Token Manipulation

✓ detection content available

T1070.002 3.8x

Clear Linux or Mac System Logs

T1055.001 1.6x

Dynamic-link Library Injection

✓ detection content available

T1055.012

Process Hollowing

✓ detection content available

Defense Impairment

T1556.007 5.8x

Hybrid Identity

T1556.006 5.4x

Multi-Factor Authentication

✓ detection content available

Credential Access

T1558 inferred

Steal or Forge Kerberos Tickets

✓ detection content available

T1558.003 inferred

Kerberoasting

✓ detection content available

T1557 inferred

Adversary-in-the-Middle

✓ detection content available

T1040 inferred

Network Sniffing

✓ detection content available

T1606.001 20.4x

Web Cookies

T1606 17.0x

Forge Web Credentials

✓ detection content available

T1557.001 11.3x

Name Resolution Poisoning and SMB Relay

✓ detection content available

T1557.002 11.3x

ARP Cache Poisoning

Discovery

T1580 34.0x

Cloud Infrastructure Discovery

✓ detection content available

T1069.001 14.4x

Local Groups

✓ detection content available

T1069.002 7.9x

Domain Groups

✓ detection content available

T1087.003 7.2x

Email Account

T1526 7.2x

Cloud Service Discovery

✓ detection content available

T1087.004 5.8x

Cloud Account

✓ detection content available

T1049 3.5x

System Network Connections Discovery

✓ detection content available

T0846

Remote System Discovery

Lateral Movement

T1021 inferred

Remote Services

✓ detection content available

T1021.002 inferred

SMB/Windows Admin Shares

✓ detection content available

T1550.003 inferred

Pass the Ticket

✓ detection content available

T1550.002 inferred

Pass the Hash

✓ detection content available

T1550.004 inferred

Web Session Cookie

T1550.001 11.9x

Application Access Token

✓ detection content available

T1021.007 7.2x

Cloud Services

✓ detection content available

T1550 4.6x

Use Alternate Authentication Material

✓ detection content available

Collection

T1114.002 inferred

Remote Email Collection

Email Forwarding Rule

✓ detection content available

T1123 5.4x

Audio Capture

✓ detection content available

T1125 5.4x

Video Capture

✓ detection content available

T1430 4.0x

Location Tracking

T1056.004 3.8x

Credential API Hooking

T1090.003 4.0x

Multi-hop Proxy

✓ detection content available

T1008 2.0x

Fallback Channels

✓ detection content available

✓ detection content available

T1572 1.6x

Protocol Tunneling

✓ detection content available

T1571 1.6x

Non-Standard Port

✓ detection content available

Exfiltration

T1030 17.0x

Data Transfer Size Limits

✓ detection content available

T1048.003 3.5x

Exfiltration Over Unencrypted Non-C2 Protocol

✓ detection content available

T1048 2.5x

Exfiltration Over Alternative Protocol

✓ detection content available

T1048.002 2.0x

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

Impact

T1489 3.5x

Service Stop

✓ detection content available

✓ detection content available

System Shutdown/Reboot

✓ detection content available

Other

Want your real detection gaps for this chain?

Declare your detection stack - your rules, telemetry, and techniques - and we will show exactly which of these techniques you cannot see. We do not grade you against a public rule corpus, only against what you actually run.

Direct - an ATT&CK/nuclei source names this CVE Inferred - derived via CWE/CAPEC (lower confidence, may be off) Likely follow-on (shared-actor co-occurrence) ✓We hold public detection content Lift = how strongly a follow-on co-occurs with this CVE across shared threat actors (1x expected, 5x highly distinctive).

Hunt package

All 90 techniques in this view - Sigma rules, Atomic tests, and coverage in one place.

Sigma rules Full technique