Home/ CVE-2025-66389/ Attack path

Attack path: CVE-2025-66389

Where this CVE sits in the complete attacker lifecycle. 0 techniques directly attributed and 11 inferred, across 2 phases. Each technique shows its mapping confidence; follow-on techniques come from shared-actor co-occurrence.
Highlighted from CVE-2025-66389 · primary technique T1003
Reconnaissance
T1589.002 6.9x
Email Addresses
✓ detection content available
T1589 6.3x
Gather Victim Identity Information
✓ detection content available
T1592.002 2.0x
Software
T1598
Phishing for Information
T1598.003
Spearphishing Link
Resource Dev
T1586.001 1.7x
Social Media Accounts
T1584.006
Web Services
Initial Access
T1566.004 5.9x
Spearphishing Voice
T1195.002 5.7x
Compromise Software Supply Chain
✓ detection content available
T1195 3.9x
Supply Chain Compromise
✓ detection content available
T1200 2.0x
Hardware Additions
✓ detection content available
T1195.001 1.7x
Compromise Software Dependencies and Development Tools
✓ detection content available
T1659
Content Injection
Execution
T1059.008 6.6x
Network Device CLI
T1559.001 1.6x
Component Object Model
✓ detection content available
Persistence
T1543.001 1.8x
Launch Agent
✓ detection content available
T1543.004 1.7x
Launch Daemon
✓ detection content available
T1098.002 1.7x
Additional Email Delegate Permissions
Priv Escalation
T1546 4.1x
Event Triggered Execution
✓ detection content available
T1548.002 2.0x
Bypass User Account Control
✓ detection content available
T1546.011
Application Shimming
✓ detection content available
T1546.001
Change Default File Association
✓ detection content available
Stealth
T1562.008 6.8x
Disable or Modify Cloud Logs
T1078.001 6.5x
Default Accounts
✓ detection content available
T1480 5.7x
Execution Guardrails
T1027.010 5.3x
Command Obfuscation
✓ detection content available
T1134.002 4.1x
Create Process with Token
✓ detection content available
T1564.004 2.2x
NTFS File Attributes
✓ detection content available
T1562.009 2.0x
Safe Mode Boot
T1542.001 2.0x
System Firmware
✓ detection content available
Defense Impairment
T1556.006 6.6x
Multi-Factor Authentication
✓ detection content available
Credential Access
T1003 inferred
OS Credential Dumping
✓ detection content available
T1552.004 inferred
Private Keys
✓ detection content available
T1552.001 inferred
Credentials In Files
✓ detection content available
T1552.003 inferred
Shell History
✓ detection content available
T1552.006 inferred
Group Policy Preferences
✓ detection content available
T1555 inferred
Credentials from Password Stores
✓ detection content available
T1003.006 7.1x
DCSync
✓ detection content available
T1552.005 7.1x
Cloud Instance Metadata API
Discovery
T1526 8.8x
Cloud Service Discovery
✓ detection content available
T1069.001 4.3x
Local Groups
✓ detection content available
T1012 3.5x
Query Registry
✓ detection content available
T1087.004 1.7x
Cloud Account
✓ detection content available
T1069.002
Domain Groups
✓ detection content available
Lateral Movement
T1080 5.0x
Taint Shared Content
T1550.001 1.7x
Application Access Token
✓ detection content available
T1550.004 1.7x
Web Session Cookie
Collection
T1119 inferred
Automated Collection
✓ detection content available
T1039 inferred
Data from Network Shared Drive
✓ detection content available
T1213 inferred
Data from Information Repositories
✓ detection content available
T1530 inferred
Data from Cloud Storage
T1602 inferred
Data from Configuration Repository
T1213.002 1.7x
Sharepoint
T1074.002 1.7x
Remote Data Staging
T1213.003 1.7x
Code Repositories
✓ detection content available
C2
T1071.004 3.7x
DNS
✓ detection content available
T1090.003 3.4x
Multi-hop Proxy
✓ detection content available
T1132.001 1.8x
Standard Encoding
✓ detection content available
T1219
Remote Access Tools
✓ detection content available
T1071.003
Mail Protocols
Exfiltration
T1030 1.7x
Data Transfer Size Limits
✓ detection content available
T1020
Automated Exfiltration
✓ detection content available
T1029
Scheduled Transfer
T1052
Exfiltration Over Physical Medium
Impact
T1489 1.6x
Service Stop
✓ detection content available
Want your real detection gaps for this chain?
Declare your detection stack - your rules, telemetry, and techniques - and we will show exactly which of these techniques you cannot see. We do not grade you against a public rule corpus, only against what you actually run.
Direct - an ATT&CK/nuclei source names this CVE Inferred - derived via CWE/CAPEC (lower confidence, may be off) Likely follow-on (shared-actor co-occurrence) We hold public detection content Lift = how strongly a follow-on co-occurs with this CVE across shared threat actors (1x expected, 5x highly distinctive).
Hunt package
All 65 techniques in this view - Sigma rules, Atomic tests, and coverage in one place.
Sigma rules Full technique
SOC and Response
Detection Engineering
Threat Hunting
Red Team and Pentest
Compliance and GRC
About
threatengine.sh