Attack path: CVE-2026-40138
Where this CVE sits in the complete attacker lifecycle.
0 techniques directly attributed and 8 inferred, across 6 phases. Each technique shows its mapping confidence; follow-on techniques come from shared-actor co-occurrence.
Highlighted from CVE-2026-40138 · primary technique T1040
Reconnaissance
Resource Dev
Initial Access
Execution
Persistence
T1505.003
inferred
Web Shell
✓ detection content available
T1136.003
23.8x
Cloud Account
✓ detection content available
T1543.004
6.3x
Launch Daemon
✓ detection content available
T1543.001
6.2x
Launch Agent
✓ detection content available
T1137.006
4.4x
Add-ins
✓ detection content available
T1037.003
4.4x
Network Logon Script
T1098.005
3.8x
Device Registration
✓ detection content available
T1505
2.8x
Server Software Component
✓ detection content available
Priv Escalation
T1548
inferred
Abuse Elevation Control Mechanism
✓ detection content available
T1546.011
4.4x
Application Shimming
✓ detection content available
T1546.015
4.4x
Component Object Model Hijacking
✓ detection content available
T1546.001
4.4x
Change Default File Association
✓ detection content available
T1548.002
2.1x
Bypass User Account Control
✓ detection content available
Stealth
T1134
inferred
Access Token Manipulation
✓ detection content available
T1055.012
6.4x
Process Hollowing
✓ detection content available
T1218.007
6.1x
Msiexec
✓ detection content available
T1562.006
4.4x
Indicator Blocking
T1134.001
4.4x
Token Impersonation/Theft
✓ detection content available
T1134.002
4.4x
Create Process with Token
✓ detection content available
T1027.007
4.4x
Dynamic API Resolution
T1070.002
3.8x
Clear Linux or Mac System Logs
Defense Impairment
Credential Access
T1557
inferred
Adversary-in-the-Middle
✓ detection content available
T1040
inferred
Network Sniffing
✓ detection content available
T1606.002
19.0x
SAML Tokens
T1528
17.0x
Steal Application Access Token
✓ detection content available
T1606
14.9x
Forge Web Credentials
✓ detection content available
T1606.001
14.3x
Web Cookies
T1555.005
14.3x
Password Managers
✓ detection content available
T1557.002
11.3x
ARP Cache Poisoning
Discovery
T1526
23.8x
Cloud Service Discovery
✓ detection content available
T1087.004
19.0x
Cloud Account
✓ detection content available
T1614.001
6.8x
System Language Discovery
✓ detection content available
T1482
2.5x
Domain Trust Discovery
✓ detection content available
T1087.003
2.4x
Email Account
T0846
2.1x
Remote System Discovery
Lateral Movement
Collection
T1185
inferred
Browser Session Hijacking
✓ detection content available
T1074.002
20.8x
Remote Data Staging
T1213.002
15.9x
Sharepoint
T1056.002
10.6x
GUI Input Capture
✓ detection content available
T1056.004
7.6x
Credential API Hooking
T1123
5.4x
Audio Capture
✓ detection content available
T1125
5.4x
Video Capture
✓ detection content available
T1213.006
4.4x
Databases
Exfiltration
Want your real detection gaps for this chain?
Declare your detection stack - your rules, telemetry, and techniques - and we will show exactly which of these techniques you cannot see. We do not grade you against a public rule corpus, only against what you actually run.
Direct - an ATT&CK/nuclei source names this CVE
Inferred - derived via CWE/CAPEC (lower confidence, may be off)
Likely follow-on (shared-actor co-occurrence)
✓We hold public detection content
Lift = how strongly a follow-on co-occurs with this CVE across shared threat actors (1x expected, 5x highly distinctive).
Hunt package
All 68 techniques in this view - Sigma rules, Atomic tests, and coverage in one place.