Attack path: CVE-2026-53647
Where this CVE sits in the complete attacker lifecycle.
0 techniques directly attributed and 13 inferred, across 3 phases. Each technique shows its mapping confidence; follow-on techniques come from shared-actor co-occurrence.
Highlighted from CVE-2026-53647 · primary technique T1007
Reconnaissance
Resource Dev
Initial Access
Execution
Persistence
T1098.005
11.3x
Device Registration
✓ detection content available
T1098.001
10.2x
Additional Cloud Credentials
✓ detection content available
T1137.006
4.7x
Add-ins
✓ detection content available
T1505
3.1x
Server Software Component
✓ detection content available
T1543.002
3.0x
Systemd Service
✓ detection content available
T1136.002
1.7x
Domain Account
✓ detection content available
T1136.001
Local Account
✓ detection content available
Priv Escalation
T1548.002
7.9x
Bypass User Account Control
✓ detection content available
T1546
6.1x
Event Triggered Execution
✓ detection content available
T1546.015
4.2x
Component Object Model Hijacking
✓ detection content available
T1546.011
Application Shimming
✓ detection content available
T1546.001
Change Default File Association
✓ detection content available
Stealth
T1542.002
inferred
Component Firmware
T1211
inferred
Exploitation for Stealth
✓ detection content available
T1134.001
inferred
Token Impersonation/Theft
✓ detection content available
T1036.005
inferred
Match Legitimate Resource Name or Location
✓ detection content available
T1134.002
23.8x
Create Process with Token
✓ detection content available
T1070.006
6.8x
Timestomp
✓ detection content available
T1027.010
4.5x
Command Obfuscation
✓ detection content available
T1078.001
4.4x
Default Accounts
✓ detection content available
Defense Impairment
Credential Access
T1111
inferred
Multi-Factor Authentication Interception
T1187
10.2x
Forced Authentication
✓ detection content available
T1110.004
8.5x
Credential Stuffing
T1003.003
4.7x
NTDS
✓ detection content available
T1552.004
4.5x
Private Keys
✓ detection content available
T1555.004
4.1x
Windows Credential Manager
✓ detection content available
T1558
3.0x
Steal or Forge Kerberos Tickets
✓ detection content available
T1555.005
1.8x
Password Managers
✓ detection content available
Discovery
T1087
inferred
Account Discovery
✓ detection content available
T1120
inferred
Peripheral Device Discovery
✓ detection content available
T1069
inferred
Permission Groups Discovery
✓ detection content available
T1057
inferred
Process Discovery
✓ detection content available
T1049
inferred
System Network Connections Discovery
✓ detection content available
T1007
inferred
System Service Discovery
✓ detection content available
T1033
inferred
System Owner/User Discovery
✓ detection content available
T1016
inferred
System Network Configuration Discovery
✓ detection content available
Lateral Movement
T1550.001
11.9x
Application Access Token
✓ detection content available
T1091
11.3x
Replication Through Removable Media
✓ detection content available
T1550.002
4.3x
Pass the Hash
✓ detection content available
T1550.003
3.0x
Pass the Ticket
✓ detection content available
T1021.007
1.8x
Cloud Services
✓ detection content available
Collection
T1074.002
14.9x
Remote Data Staging
T1025
9.4x
Data from Removable Media
T1114.003
9.3x
Email Forwarding Rule
✓ detection content available
T1213.003
7.8x
Code Repositories
✓ detection content available
T1213.006
4.7x
Databases
T0801
4.0x
Monitor Process State
T1602
1.7x
Data from Configuration Repository
C2
T1001
11.3x
Data Obfuscation
T1071.003
6.8x
Mail Protocols
T1571
6.6x
Non-Standard Port
✓ detection content available
T1219
4.7x
Remote Access Tools
✓ detection content available
T1008
3.9x
Fallback Channels
✓ detection content available
T1105
2.9x
Ingress Tool Transfer
✓ detection content available
Exfiltration
T1030
17.0x
Data Transfer Size Limits
✓ detection content available
T1048.002
13.2x
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
T1052
10.2x
Exfiltration Over Physical Medium
T1052.001
10.2x
Exfiltration over USB
T1048.003
4.1x
Exfiltration Over Unencrypted Non-C2 Protocol
✓ detection content available
Want your real detection gaps for this chain?
Declare your detection stack - your rules, telemetry, and techniques - and we will show exactly which of these techniques you cannot see. We do not grade you against a public rule corpus, only against what you actually run.
Direct - an ATT&CK/nuclei source names this CVE
Inferred - derived via CWE/CAPEC (lower confidence, may be off)
Likely follow-on (shared-actor co-occurrence)
✓We hold public detection content
Lift = how strongly a follow-on co-occurs with this CVE across shared threat actors (1x expected, 5x highly distinctive).
Hunt package
All 85 techniques in this view - Sigma rules, Atomic tests, and coverage in one place.