Attack path: CVE-2026-50280
Where this CVE sits in the complete attacker lifecycle.
0 techniques directly attributed and 15 inferred, across 5 phases. Each technique shows its mapping confidence; follow-on techniques come from shared-actor co-occurrence.
Highlighted from CVE-2026-50280 · primary technique T1027.009
Reconnaissance
T1595.002 · 17.0x · Vulnerability Scanning · ✓ detection content available
T1595 · 17.0x · Active Scanning · ✓ detection content available
T1589.002 · 9.5x · Email Addresses · ✓ detection content available
T1591.004 · 9.2x · Identify Roles · ✓ detection content available
T1589 · 8.7x · Gather Victim Identity Information · ✓ detection content available
T1589.001 · 8.5x · Credentials
T1598 · 3.9x · Phishing for Information
T1598.003 · 3.9x · Spearphishing Link
Resource Dev
Initial Access
T0865 · 3.7x · Spearphishing Attachment
T1195.002 · 3.6x · Compromise Software Supply Chain · ✓ detection content available
T0822 · 3.3x · External Remote Services
T1195 · 3.2x · Supply Chain Compromise · ✓ detection content available
T1200 · 2.6x · Hardware Additions · ✓ detection content available
T0866 · Exploitation of Remote Services
Execution
Persistence
T1543.003 · inferred · Windows Service · ✓ detection content available
T1543 · inferred · Create or Modify System Process · ✓ detection content available
T1037 · inferred · Boot or Logon Initialization Scripts
T1547.006 · inferred · Kernel Modules and Extensions · ✓ detection content available
T1505.005 · inferred · Terminal Services DLL · ✓ detection content available
T1136.001 · 9.9x · Local Account · ✓ detection content available
T1137 · 8.5x · Office Application Startup · ✓ detection content available
T1098.005 · 8.3x · Device Registration · ✓ detection content available
Priv Escalation
T1546.001 · inferred · Change Default File Association · ✓ detection content available
T1546.016 · inferred · Installer Packages
T1546.008 · inferred · Accessibility Features · ✓ detection content available
T1546.004 · inferred · Unix Shell Configuration Modification · ✓ detection content available
T1546.011 · 17.9x · Application Shimming · ✓ detection content available
T1546.015 · 11.9x · Component Object Model Hijacking · ✓ detection content available
T1546 · 5.1x · Event Triggered Execution · ✓ detection content available
Stealth
T1027.009 · inferred · Embedded Payloads · ✓ detection content available
T1542.003 · inferred · Bootkit · ✓ detection content available
T1014 · inferred · Rootkit · ✓ detection content available
T1574.011 · inferred · Services Registry Permissions Weakness · ✓ detection content available
T1221 · 14.6x · Template Injection · ✓ detection content available
T1218.010 · 9.1x · Regsvr32 · ✓ detection content available
T1027.003 · 8.5x · Steganography · ✓ detection content available
T1027.010 · 7.9x · Command Obfuscation · ✓ detection content available
Defense Impairment
Credential Access
T1555.004 · 9.9x · Windows Credential Manager · ✓ detection content available
T1003.002 · 5.8x · Security Account Manager · ✓ detection content available
T1110.003 · 5.5x · Password Spraying
T1212 · 5.2x · Exploitation for Credential Access · ✓ detection content available
T1110.001 · 5.1x · Password Guessing · ✓ detection content available
T1003.005 · 3.9x · Cached Domain Credentials · ✓ detection content available
T1003.006 · 3.7x · DCSync · ✓ detection content available
T1552.005 · 3.7x · Cloud Instance Metadata API
Discovery
Lateral Movement
Collection
C2
Impact
T1499.004 · 5.8x · Application or System Exploitation · ✓ detection content available
T1529 · 5.0x · System Shutdown/Reboot · ✓ detection content available
T1488 · 3.3x · Disk Content Wipe
T0813 · 2.7x · Denial of Control
T0879 · 2.7x · Damage to Property
T0826 · Loss of Availability
T1496 · Resource Hijacking · ✓ detection content available
T1495 · Firmware Corruption · ✓ detection content available
Other
Direct - an ATT&CK/nuclei source names this CVE
Inferred - derived via CWE/CAPEC (lower confidence, may be off)
Likely follow-on (shared-actor co-occurrence)
✓ - We hold public detection content
Lift = how strongly a follow-on co-occurs with this CVE across shared threat actors (1x expected, 5x highly distinctive).
Hunt package
All 86 techniques in this view - Sigma rules, Atomic tests, and coverage in one place.