Attack path: CVE-2026-52845
Where this CVE sits in the complete attacker lifecycle.
0 techniques directly attributed and 8 inferred, across 4 phases. Each technique shows its mapping confidence; follow-on techniques come from shared-actor co-occurrence.
Highlighted from CVE-2026-52845 · primary technique T1036.001
Reconnaissance
Initial Access
Execution
Persistence
T1136.003 · 34.0x · Cloud Account · ✓ detection content available
T1098.001 · 13.6x · Additional Cloud Credentials · ✓ detection content available
T1098.005 · 11.3x · Device Registration · ✓ detection content available
T1037.003 · 11.3x · Network Logon Script
T1098.002 · 10.2x · Additional Email Delegate Permissions
T1037.001 · 6.8x · Logon Script (Windows) · ✓ detection content available
T1543.004 · 6.3x · Launch Daemon · ✓ detection content available
T1543.001 · 6.2x · Launch Agent · ✓ detection content available
Priv Escalation
Stealth
T1134 · inferred · Access Token Manipulation · ✓ detection content available
T1134.001 · inferred · Token Impersonation/Theft · ✓ detection content available
T1036.001 · inferred · Invalid Code Signature
T1027.007 · 8.5x · Dynamic API Resolution
T1070.006 · 6.8x · Timestomp · ✓ detection content available
T1542.001 · 4.9x · System Firmware · ✓ detection content available
T1134.002 · 4.4x · Create Process with Token · ✓ detection content available
T1562.006 · 4.4x · Indicator Blocking
Defense Impairment
Credential Access
T1539 · inferred · Steal Web Session Cookie · ✓ detection content available
T1557 · inferred · Adversary-in-the-Middle · ✓ detection content available
T1528 · inferred · Steal Application Access Token · ✓ detection content available
T1606.001 · 20.4x · Web Cookies
T1606.002 · 20.4x · SAML Tokens
T1606 · 12.8x · Forge Web Credentials · ✓ detection content available
T1557.001 · 11.3x · Name Resolution Poisoning and SMB Relay · ✓ detection content available
T1557.002 · 11.3x · ARP Cache Poisoning
Discovery
T1526 · 34.0x · Cloud Service Discovery · ✓ detection content available
T1087.004 · 20.4x · Cloud Account · ✓ detection content available
T1069.001 · 14.4x · Local Groups · ✓ detection content available
T1069.002 · 7.9x · Domain Groups · ✓ detection content available
T0846 · 5.2x · Remote System Discovery
T1580 · 3.7x · Cloud Infrastructure Discovery · ✓ detection content available
T1087.003 · 3.7x · Email Account
Lateral Movement
Collection
T1213.002 · 22.7x · Sharepoint
T1074.002 · 14.9x · Remote Data Staging
T1114.003 · 12.4x · Email Forwarding Rule · ✓ detection content available
T1213.003 · 10.5x · Code Repositories · ✓ detection content available
T0801 · 5.8x · Monitor Process State
T1123 · 5.4x · Audio Capture · ✓ detection content available
T1125 · 5.4x · Video Capture · ✓ detection content available
T1560.002 · 4.4x · Archive via Library
C2
Exfiltration
Impact
T1488 · 9.7x · Disk Content Wipe
T1496 · 6.6x · Resource Hijacking · ✓ detection content available
T1495 · 6.1x · Firmware Corruption · ✓ detection content available
T0813 · 5.8x · Denial of Control
T1499.004 · 5.7x · Application or System Exploitation · ✓ detection content available
T1529 · 5.0x · System Shutdown/Reboot · ✓ detection content available
T0831 · 4.8x · Manipulation of Control
T1499 · 4.6x · Endpoint Denial of Service · ✓ detection content available
Direct - an ATT&CK/nuclei source names this CVE
Inferred - derived via CWE/CAPEC (lower confidence, may be off)
Likely follow-on (shared-actor co-occurrence)
✓ We hold public detection content
Lift = how strongly a follow-on co-occurs with this CVE across shared threat actors (1x expected, 5x highly distinctive).
Hunt package
All 75 techniques in this view - Sigma rules, Atomic tests, and coverage in one place.