Attack path from CVE-2026-7166

Home/ CVE-2026-7166/ Attack path

Attack path: CVE-2026-7166

Where this CVE sits in the complete attacker lifecycle. 0 techniques directly attributed and 13 inferred, across 4 phases. Each technique shows its mapping confidence; follow-on techniques come from shared-actor co-occurrence.

Highlighted from CVE-2026-7166 · primary technique T1007

Reconnaissance

T1591 6.0x

Gather Victim Org Information

T1589.002 4.3x

Email Addresses

✓ detection content available

T1589 3.9x

Gather Victim Identity Information

✓ detection content available

T1595.003 1.7x

Wordlist Scanning

T1598.002 1.7x

Spearphishing Attachment

Resource Dev

T1588.003 7.9x

Code Signing Certificates

✓ detection content available

Initial Access

Spearphishing Attachment

T0883 2.9x

Internet Accessible Device

T0822

External Remote Services

Execution

T1053.003 11.3x

Cron

✓ detection content available

T1059.004 9.3x

Unix Shell

✓ detection content available

T1059.006 4.4x

Python

✓ detection content available

T1047 4.2x

Windows Management Instrumentation

✓ detection content available

T1559.002 4.0x

Dynamic Data Exchange

✓ detection content available

Persistence

✓ detection content available

T1098.005 11.3x

Device Registration

✓ detection content available

T1098.001 10.2x

Additional Cloud Credentials

✓ detection content available

T1137.006 4.7x

Add-ins

✓ detection content available

T1505 3.1x

Server Software Component

✓ detection content available

T1543.002 3.0x

Systemd Service

✓ detection content available

T1037 2.8x

Boot or Logon Initialization Scripts

T1136.002 1.7x

Domain Account

✓ detection content available

Priv Escalation

T1548.002 7.9x

Bypass User Account Control

✓ detection content available

T1546 6.1x

Event Triggered Execution

✓ detection content available

T1546.015 4.2x

Component Object Model Hijacking

✓ detection content available

T1546.011

Application Shimming

✓ detection content available

T1546.001

Change Default File Association

✓ detection content available

Stealth

T1134.001 inferred

Token Impersonation/Theft

✓ detection content available

T1036.005 inferred

Match Legitimate Resource Name or Location

✓ detection content available

T1574.006 inferred

Dynamic Linker Hijacking

✓ detection content available

T1134.002 23.8x

Create Process with Token

✓ detection content available

T1070.002 14.7x

Clear Linux or Mac System Logs

T1070.006 6.8x

Timestomp

✓ detection content available

T1027.010 4.5x

Command Obfuscation

✓ detection content available

T1078.001 4.4x

Default Accounts

✓ detection content available

Defense Impairment

T1556.007 20.4x

Hybrid Identity

T1556 6.8x

Modify Authentication Process

✓ detection content available

T1553.002 3.9x

Code Signing

✓ detection content available

T1484.001 3.3x

Group Policy Modification

✓ detection content available

T1484 1.8x

Domain or Tenant Policy Modification

✓ detection content available

T1556.001 1.7x

Domain Controller Authentication

Credential Access

T1111 inferred

Multi-Factor Authentication Interception

Forge Web Credentials

✓ detection content available

T1528 14.6x

Steal Application Access Token

✓ detection content available

T1187 10.2x

Forced Authentication

✓ detection content available

T1110.004 8.5x

Credential Stuffing

T1003.008 8.1x

/etc/passwd and /etc/shadow

Discovery

T1082 inferred

System Information Discovery

✓ detection content available

T1018 inferred

Remote System Discovery

✓ detection content available

T1033 inferred

System Owner/User Discovery

✓ detection content available

T1046 inferred

Network Service Discovery

✓ detection content available

T1069 inferred

Permission Groups Discovery

✓ detection content available

T1007 inferred

System Service Discovery

✓ detection content available

T1120 inferred

Peripheral Device Discovery

✓ detection content available

T1057 inferred

Process Discovery

✓ detection content available

Lateral Movement

T1550.004 inferred

Web Session Cookie

T1550.001 11.9x

Application Access Token

✓ detection content available

T1091 11.3x

Replication Through Removable Media

✓ detection content available

T1550.002 4.3x

Pass the Hash

✓ detection content available

T1021.004 3.2x

SSH

✓ detection content available

T1550.003 3.0x

Pass the Ticket

✓ detection content available

T1021.007 1.8x

Cloud Services

✓ detection content available

Collection

T1074.002 14.9x

Remote Data Staging

T1025 9.4x

Data from Removable Media

T1114.003 9.3x

Email Forwarding Rule

✓ detection content available

T1213.003 7.8x

Code Repositories

✓ detection content available

T1213.006 4.7x

Databases

T0801 4.0x

Monitor Process State

T1602 1.7x

Data from Configuration Repository

✓ detection content available

T1219 4.7x

Remote Access Tools

✓ detection content available

T1008 3.9x

Fallback Channels

✓ detection content available

T1105 2.9x

Ingress Tool Transfer

✓ detection content available

Exfiltration

T1030 17.0x

Data Transfer Size Limits

✓ detection content available

T1048.002 13.2x

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

T1052 10.2x

Exfiltration Over Physical Medium

T1052.001 10.2x

Exfiltration over USB

T1048.003 4.1x

Exfiltration Over Unencrypted Non-C2 Protocol

✓ detection content available

Impact

Other

Want your real detection gaps for this chain?

Declare your detection stack - your rules, telemetry, and techniques - and we will show exactly which of these techniques you cannot see. We do not grade you against a public rule corpus, only against what you actually run.

Direct - an ATT&CK/nuclei source names this CVE Inferred - derived via CWE/CAPEC (lower confidence, may be off) Likely follow-on (shared-actor co-occurrence) ✓We hold public detection content Lift = how strongly a follow-on co-occurs with this CVE across shared threat actors (1x expected, 5x highly distinctive).

Hunt package

All 94 techniques in this view - Sigma rules, Atomic tests, and coverage in one place.

Sigma rules Full technique