Attack path from CVE-2026-7165

Home/ CVE-2026-7165/ Attack path

Attack path: CVE-2026-7165

Where this CVE sits in the complete attacker lifecycle. 0 techniques directly attributed and 7 inferred, across 3 phases. Each technique shows its mapping confidence; follow-on techniques come from shared-actor co-occurrence.

Highlighted from CVE-2026-7165 · primary technique T1027

Reconnaissance

Resource Dev

T1588.003 7.9x

Code Signing Certificates

Initial Access

Spearphishing Attachment

T0822 5.8x

External Remote Services

T0866 4.8x

Exploitation of Remote Services

T0883 4.7x

Internet Accessible Device

Execution

T1053.003 11.3x

Cron

✓ detection content available

T1059.004 9.3x

Unix Shell

✓ detection content available

T1569 4.9x

System Services

✓ detection content available

T1059.006 4.4x

Python

✓ detection content available

Persistence

✓ detection content available

T1037.001 6.8x

Logon Script (Windows)

✓ detection content available

✓ detection content available

T1037 2.8x

Boot or Logon Initialization Scripts

Priv Escalation

T1546.011 3.3x

Application Shimming

✓ detection content available

Stealth

T1574.007 inferred

Path Interception by PATH Environment Variable

✓ detection content available

T1036.001 inferred

Invalid Code Signature

T1574.006 inferred

Dynamic Linker Hijacking

✓ detection content available

T1027 inferred

Obfuscated Files or Information

✓ detection content available

T1070.002 14.7x

Clear Linux or Mac System Logs

T1027.007 8.5x

Dynamic API Resolution

T1542.001 4.9x

System Firmware

✓ detection content available

T1070.003 4.4x

Clear Command History

✓ detection content available

Defense Impairment

T1690 inferred

Prevent Command History Logging

✓ detection content available

T1553.002 inferred

Code Signing

✓ detection content available

Credential Access

T1539 inferred

Steal Web Session Cookie

✓ detection content available

T1003.008 8.1x

/etc/passwd and /etc/shadow

T1555.005 3.7x

Password Managers

✓ detection content available

T1110.002 3.7x

Password Cracking

✓ detection content available

T1187 3.3x

Forced Authentication

✓ detection content available

T1555.004 3.2x

Windows Credential Manager

✓ detection content available

T1606 3.2x

Forge Web Credentials

✓ detection content available

Discovery

T0846 5.2x

Remote System Discovery

T1580 3.7x

Cloud Infrastructure Discovery

✓ detection content available

T1087.003 3.7x

Email Account

T1046 2.6x

Network Service Discovery

✓ detection content available

Lateral Movement

✓ detection content available

T1021.004 3.2x

SSH

✓ detection content available

Collection

T0801 5.8x

Monitor Process State

T1056.002 4.2x

GUI Input Capture

✓ detection content available

T1185 3.3x

Browser Session Hijacking

✓ detection content available

T1056.004 3.3x

Credential API Hooking

Exfiltration

T1567.003 3.7x

Exfiltration to Text Storage Sites

Impact

✓ detection content available

T1495 6.1x

Firmware Corruption

✓ detection content available

T0813 5.8x

Denial of Control

T1499.004 5.7x

Application or System Exploitation

✓ detection content available

T1529 5.0x

System Shutdown/Reboot

✓ detection content available

T0831 4.8x

Manipulation of Control

T1499 4.6x

Endpoint Denial of Service

✓ detection content available

Want your real detection gaps for this chain?

Declare your detection stack - your rules, telemetry, and techniques - and we will show exactly which of these techniques you cannot see. We do not grade you against a public rule corpus, only against what you actually run.

Direct - an ATT&CK/nuclei source names this CVE Inferred - derived via CWE/CAPEC (lower confidence, may be off) Likely follow-on (shared-actor co-occurrence) ✓We hold public detection content Lift = how strongly a follow-on co-occurs with this CVE across shared threat actors (1x expected, 5x highly distinctive).

Hunt package

All 55 techniques in this view - Sigma rules, Atomic tests, and coverage in one place.

Sigma rules Full technique