Attack path: CVE-2026-58203
Where this CVE sits in the complete attacker lifecycle.
0 techniques directly attributed and 8 inferred, across 4 phases. Each technique shows its mapping confidence; follow-on techniques come from shared-actor co-occurrence.
Highlighted from CVE-2026-58203 · primary technique T1005
Reconnaissance
Persistence
T1547.009
inferred
Shortcut Modification
✓ detection content available
T1037.003
7.4x
Network Logon Script
T1137.006
6.1x
Add-ins
✓ detection content available
T1137.001
6.1x
Office Template Macros
T1137
5.2x
Office Application Startup
✓ detection content available
T1136.002
5.1x
Domain Account
✓ detection content available
Priv Escalation
Stealth
T1027.009
inferred
Embedded Payloads
✓ detection content available
T1564.009
inferred
Resource Forking
T1574.005
inferred
Executable Installer File Permissions Weakness
✓ detection content available
T1027.006
inferred
HTML Smuggling
T1574.010
inferred
Services File Permissions Weakness
T1221
14.6x
Template Injection
✓ detection content available
T1542.003
9.3x
Bootkit
✓ detection content available
T1218.010
9.1x
Regsvr32
✓ detection content available
Defense Impairment
·
Credential Access
Discovery
·
Lateral Movement
·
Collection
C2
·
Exfiltration
·
Impact
T1499
inferred
Endpoint Denial of Service
✓ detection content available
T1498.001
7.4x
Direct Network Flood
T1499.003
7.4x
Application Exhaustion Flood
T1499.002
7.4x
Service Exhaustion Flood
T1498.002
7.4x
Reflection Amplification
T1488
7.4x
Disk Content Wipe
T1499.004
7.4x
Application or System Exploitation
✓ detection content available
T1499.001
7.4x
OS Exhaustion Flood
✓ detection content available
Want your real detection gaps for this chain?
Declare your detection stack - your rules, telemetry, and techniques - and we will show exactly which of these techniques you cannot see. We do not grade you against a public rule corpus, only against what you actually run.
Direct - an ATT&CK/nuclei source names this CVE
Inferred - derived via CWE/CAPEC (lower confidence, may be off)
Likely follow-on (shared-actor co-occurrence)
✓We hold public detection content
Lift = how strongly a follow-on co-occurs with this CVE across shared threat actors (1x expected, 5x highly distinctive).
Hunt package
All 37 techniques in this view - Sigma rules, Atomic tests, and coverage in one place.