Attack path: Rootkit
Kill-chain expansion via actor co-occurrence analysis · 16 techniques · 7 detectable · 9 detection gaps
Entry point: CVE-2026-35066 · T1014
Kill-chain phases covered: Initial Access · Persistence · Stealth · Defense Impairment

Technique    Name                              Detection    Lift
T1014        Rootkit (entry point)             ✓ sigma      999.0x
T1562.006    Indicator Blocking                × no rule    3.3x
T1562.003    Impair Command History Logging    × no rule    3.3x
T1055.012    Process Hollowing                 ✓ sigma      3.3x
T1036.001    Invalid Code Signature            × no rule    3.1x
T1542.001    System Firmware                   ✓ sigma      2.8x
T1542.003    Bootkit                           ✓ sigma      2.7x
T1542        Pre-OS Boot                       × no rule    2.6x
Legend:
  (entry point) = entry-point technique, derived from the CVE
  ✓ sigma       = detection rule available
  × no rule     = detection gap, a potential blind spot
  Lift          = how strongly this technique co-occurs with the entry point across shared threat actors (1x = expected, 5x = highly distinctive)
Hunt package
All 16 techniques in this chain - Sigma rules, Atomic tests, and detection gaps in one view.